A threat actor has been targeting fully patched but end-of-life SonicWall Secure Mobile Access 100 appliances since at least October 2024, according to a report released Wednesday by Google Threat Intelligence Group.
The threat actor, tracked as UNC6148, is using credentials and one-time-password seeds to gain access to the devices and has deployed a previously unknown backdoor that Google researchers are calling Overstep. The malware modifies the boot process of SMA 100 appliances, allowing the hacker to maintain persistent access, steal credentials and hide its components.
Researchers believe the hacker may have used a zero-day, remote-code-execution vulnerability to deploy Overstep on targeted appliances.
Google researchers believe the hacker may be familiar with these particular devices because of how often threat actors have targeted them in recent years.
“Based on overlaps between the recent UNC6148 activity that GTIG has observed and publicly reported SonicWall exploitation activity dating back to 2023, we suspect UNC6148 has prior experience conducting intrusion operations against SonicWall SMA 100 series appliances,” Zander Work, a senior security engineer on the Google research team, told Cybersecurity Dive.
“The sophistication of the malware and deployment techniques used against the appliance in Mandiant's recent investigation suggests technical expertise of the SMA 100 series software and capabilities as well,” Work added.
Despite that apparent familiarity, however, researchers have not found any overlaps between this activity and the past campaigns of known threat groups.
Researchers still don’t know exactly how many organizations the latest activity has affected, because other attacks disclosed in recent months may overlap with the activity described in the new blog post.
Google has been coordinating with SonicWall on its findings, and SonicWall thanked GTIG for coordinating the research.
“In response to the evolving threat landscape — and in alignment with our commitment to transparency and customer protection — SonicWall plans to accelerate the end-of-support date for the SMA 100,” a company spokesman told Cybersecurity Dive. “The SMA 100 has already reached end-of-sale status, as reflected in our Product Lifecycle Table, and this update aligns with our long-term strategy and industry direction.”
The company said it plans to share detailed mitigation guidance with customers and partners in the coming weeks.
Researchers said the threat actors may be trying to steal data, deploy ransomware and extort victims.
For example, the hacker targeted an organization in May and one month later posted information about the attack on the World Leaks data leak site, according to Google. There are also overlaps between the newly disclosed threat campaign and prior SonicWall exploitation that led to the deployment of the Abyss ransomware, which Google calls VSociety.
Researchers warn that the hacker is also exploiting several known vulnerabilities, including CVE-2021-20038, a memory corruption vulnerability that could lead to unauthenticated remote code execution; CVE-2024-38475, an unauthenticated path traversal vulnerability in Apache HTTP Server, which impacts the SMA 100; CVE-2021-20035, which involves improper neutralization of special elements in the SMA 100 interface; CVE-2021-20039, which also involves improper neutralization of special elements in the SMA 100 management interface; and CVE-2025-32819, an authenticated file deletion vulnerability.
Rapid7 in May disclosed multiple vulnerabilities in SMA 100 series appliances and worked with SonicWall to develop fixes.