UNC6148: The Crew That Keeps Sneaking Back Into “Fully Patched” SonicWall Boxes
Google’s Threat Intelligence Group (GTIG) has linked a campaign against fully-patched yet end-of-life SonicWall SMA 100 series remote-access appliances to a threat cluster it tracks as UNC6148. The attackers are re-entering appliances by using stolen administrator credentials and one-time-password (OTP) seeds lifted during prior breaches, so patching alone hasn’t kicked them out. Once in, they establish an SSL-VPN session, obtain a reverse shell (likely via a zero-day), and drop a custom user-mode rootkit/backdoor dubbed OVERSTEP that modifies the boot process, hijacks libc functions (open/readdir/write), hides its artefacts, exfiltrates credential stores, launches on-demand shells and wipes log entries to frustrate forensics. GTIG says activity dates to at least October 2024; credential theft evidence appears from January 2025. Motivations may include data theft, extortion and ransomware, with overlaps to World Leaks/Abyss cases. SonicWall will accelerate end-of-support for SMA 100 to 31 Dec 2025 and urges OTP resets and migration to newer platforms.
Thought you were safe because you patched? Bless. A threat outfit Google calls UNC6148 has been merrily waltzing back into fully-updated (but end-of-life) SonicWall SMA 100 remote-access appliances, thanks to administrator creds and OTP seeds nicked in earlier break-ins. Patch, reboot, job done? Not when the burglars kept your spare keys.
What’s the gambit?
After reconnecting via those stolen creds, the attackers spin up an SSL-VPN session and somehow pop a reverse shell—no mean feat on a locked-down appliance, so researchers suspect a zero-day or chained n-day exploit. From there they upload OVERSTEP, a custom user-mode rootkit/backdoor that rewrites parts of the boot process so it survives restarts.
Why OVERSTEP is nasty
OVERSTEP hooks standard library calls (think open, readdir, write) to hide its own files, siphon credential databases, and accept sneaky commands buried in web requests. Two handy ones: dobackshell (instant remote shell) and dopasswords (bundle up juicy auth material for easy download). It also scrubs key log files, so incident responders chasing breadcrumbs find… crumbs.
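One defender-side consequence of a user-mode rootkit hooking libc's readdir is that the kernel still knows about the hidden files; only the libc wrapper lies. The following added example (not GTIG's or SonicWall's code, and assuming a Linux host) lists a directory twice, once through libc's opendir/readdir and once through the raw getdents64 system call, and counts entries that only the kernel reports. A rootkit that also hooks open() or syscall() itself can defeat this, so treat a non-zero count as a lead for the disk-image forensics mentioned below, not as proof either way.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout returned by the raw getdents64 system call on Linux. */
struct raw_dirent64 { unsigned long long d_ino; long long d_off;
                      unsigned short d_reclen; unsigned char d_type; char d_name[]; };

/* 1 if libc's (possibly hooked) readdir() lists `name` inside `dir`, else 0. */
static int seen_by_readdir(const char *dir, const char *name) {
    DIR *d = opendir(dir);
    if (!d) return 0;
    struct dirent *e; int found = 0;
    while (!found && (e = readdir(d)))
        found = strcmp(e->d_name, name) == 0;
    closedir(d); return found;
}

/* Count entries the kernel reports for `dir` that libc's readdir() omits; the raw
 * syscall() bypasses the libc wrapper a rootkit hooks. -1 if `dir` won't open. */
int count_hidden_entries(const char *dir) {
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192]; int hidden = 0; long n;
    while ((n = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0)
        for (long off = 0; off < n;) {
            struct raw_dirent64 *r = (struct raw_dirent64 *)(buf + off);
            if (!seen_by_readdir(dir, r->d_name)) hidden++;
            off += r->d_reclen;
        }
    close(fd);
    return n < 0 ? -1 : hidden;
}

/* Self-check on a fresh temp directory holding one probe file (constructed here):
 * an unhooked libc reports 0 hidden entries; -1 means setup failed. */
int selftest(void) {
    char dir[] = "/tmp/hookchk-XXXXXX", path[64];
    if (!mkdtemp(dir)) return -1;
    strcpy(path, dir); strcat(path, "/probe.txt");
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || close(fd) != 0) return -1;
    int hidden = count_hidden_entries(dir);
    unlink(path); rmdir(dir);
    return hidden;
}
```

Run count_hidden_entries() against the directories an appliance's web and VPN services load from; the same kernel-versus-libc comparison can be repeated for file reads (open/read versus the raw syscalls) when hunting for hidden credential dumps.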
How long has this been going on?
Telemetry traces activity to October 2024, with evidence credentials were hauled off by January 2025. Victim numbers remain “limited,” but at least one organisation later surfaced on an extortion leak site, and researchers see overlaps with Abyss/World Leaks ransomware-style operations—so today’s appliance pop could be tomorrow’s ransom note.
SonicWall’s response
SonicWall is accelerating end-of-support for the SMA 100 line to 31 December 2025 and steering customers toward newer Cloud Secure Edge / SMA 1000 kit. In the meantime: rotate all OTP seeds, change admin creds, capture full disk images for proper forensics, and monitor for suspicious configuration exports/imports (UNC6148 likes to tweak settings offline).
Why UK orgs should care
Fire brigades, councils, schools—anyone still tunnelling remote staff through ageing SMA gateways—could be running the welcome mat for UNC6148. Edge devices often sit outside EDR coverage, making them perfect hidey-holes. If your remote-access appliance is “old but patched,” schedule a health check, rotate secrets and plan a migration path before the attackers do it for you.