Google finds a custom backdoor being installed on SonicWall network appliances

  • Hackers Compromising SonicWall SMA: Google Threat Intelligence Group (GTIG) researchers said hackers are compromising SonicWall Secure Mobile Access (SMA) appliances at the edge of enterprise networks. The targeted devices are end of life yet still relied on by many organizations, making them prime targets for the threat actor tracked as UNC6148.
  • Recommendations: GTIG recommends that organizations with SMA appliances analyze them to determine whether they have been compromised. They should acquire disk images for forensic analysis, so that the rootkit's anti-forensic capabilities cannot interfere with the investigation, and may need to engage with SonicWall.
  • Lacking Details: Many key details are unknown, such as how the attacker obtained local administrator credentials, which vulnerabilities UNC6148 is exploiting, and what the attackers do after taking control. The lack of details stems from how Overstep, the custom backdoor malware, operates. Possible exploited vulnerabilities include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819, but GTIG was unable to confirm abuse of some of them or to identify direct credential exposure. Also unknown is how UNC6148 installed a reverse shell, as well as the group's motivations and actions after installing Overstep. Compromised devices delete key log entries, making detection hard, but the post provides technical indicators for SonicWall customers.