
SonicWall SMA Exploitation: UNC6148 Backdoor Threat & Vulnerabilities

A sophisticated hacking group, dubbed UNC6148 by Google’s Threat Intelligence Group (GTIG), is actively exploiting end-of-life SonicWall Secure Mobile Access (SMA) appliances. These devices, crucial for managing and securing mobile access to enterprise networks, are no longer receiving vital security updates, making them prime targets.

Despite their outdated status, many organizations continue to rely on these vulnerable appliances. UNC6148 is leveraging leaked local administrator credentials and perhaps zero-day exploits to gain unauthorized access. The group installs a custom backdoor malware named “Overstep,” which employs advanced anti-forensic techniques, including selective log deletion, to hinder detection and investigation.

GTIG recommends that all organizations utilizing SMA appliances conduct thorough forensic analysis to identify any potential compromises. Acquiring disk images is crucial to circumvent Overstep’s anti-forensic capabilities, since the backdoor’s selective log deletion can leave the appliance’s own logs incomplete. Engaging directly with SonicWall may be necessary to capture these critical disk images from physical appliances.

While the exact methods of credential compromise and the full scope of UNC6148’s activities remain under investigation, potential vulnerabilities being exploited include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. Some of these vulnerabilities have previously been reported as actively exploited.

What are your thoughts on the ongoing cybersecurity threats targeting legacy systems? Share your insights in the comments below! Don’t forget to subscribe to World Today News for more critical security updates and analysis.
