NEWS SonicWall Used to Protect Thousands of Companies — Now Helps Hackers Break In

ExcalibuR


The architecture of corporate perimeter appliances turned out to be ideal for stealthy intrusions.


Attacks on outdated SonicWall SMA 100 appliances have once again exposed how weak the network perimeter can be: these devices usually sit outside the coverage of traditional security tooling. According to Google Threat Intelligence Group (GTIG), a targeted campaign by the group UNC6148 using the OVERSTEP malware began as early as October 2024. The attackers obtained persistent control over the appliances even after security patches had been applied.


The core issue is the reuse of previously stolen local administrator credentials and one-time-password (OTP) seeds. These could have been extracted from SMA devices as early as January 2025, and with them the attackers can log back in even after administrators patch the known vulnerabilities. The initial entry point remains unclear, because all logs were wiped. The attackers are assumed to have exploited one or more vulnerabilities such as CVE-2021-20035, CVE-2021-20038, CVE-2021-20039, CVE-2024-38475 or CVE-2025-32819. There is also speculation that the credentials may have been bought on underground markets, though no direct evidence supports this.


Once inside, the attackers established an SSL-VPN session and spawned a reverse shell, something the device's standard configuration should not allow, which points to an unknown zero-day vulnerability. Through this shell they performed reconnaissance on the system and exported and imported configuration files. Experts believe the attackers modified the exported configuration offline, injecting malicious rules, and then imported it back so that the changes would survive future updates.


The final stage of the attack was the deployment of OVERSTEP, a previously unknown implant. The malware hooks into the device's boot process for persistence, hides its components, and steals data. It is a user-mode rootkit: it hooks standard C library functions such as open and readdir so that its files never appear in directory listings, and it hooks write so that it can pick commands out of web requests sent from the operators' command server.


Those commands include dobackshell, which launches a reverse shell, and dopasswords, which packs sensitive files (passwords, certificates) into an archive. The archive is dropped into a web-accessible directory so it can simply be downloaded. For persistence, OVERSTEP modifies the rc.fwboot file so that it is launched on every reboot.
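To make the "user-mode rootkit hides its files" point concrete, here is an added example written for this post; it is not code from GTIG, SonicWall or the OVERSTEP sample. It simulates the kind of readdir() hook the article describes (an LD_PRELOAD-style wrapper that silently drops the implant's own entries) next to the cross-view check an investigator can run against it: list the same directory through the hooked libc path and through the raw getdents64(2) syscall, and report every name the kernel returns that libc did not. The hidden-file prefix ovs_, the temporary "web root" and the three sample files are assumptions made up for the demo; it builds on Linux with glibc.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define HIDE_PREFIX "ovs_"   /* assumed: the implant hides names with this prefix */
#define MAX_NAMES 64

/* Raw record layout returned by getdents64(2); glibc headers do not export it. */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* Attacker's side: a readdir() wrapper that swallows the implant's own files.
 * A real user-mode rootkit installs this over libc (LD_PRELOAD or injection)
 * so that ls, find and the appliance's own web UI never see them. */
static struct dirent *hooked_readdir(DIR *dirp) {
    struct dirent *ent;
    while ((ent = readdir(dirp)) != NULL)
        if (strncmp(ent->d_name, HIDE_PREFIX, strlen(HIDE_PREFIX)) != 0)
            return ent;
    return NULL;  /* hidden entries simply never come back */
}

/* Directory listing as a hooked process sees it. Returns the count or -1. */
int list_via_hooked_readdir(const char *path, char names[][256], int max) {
    DIR *d = opendir(path);
    if (!d) return -1;
    int n = 0;
    struct dirent *ent;
    while (n < max && (ent = hooked_readdir(d)) != NULL) {
        if (!strcmp(ent->d_name, ".") || !strcmp(ent->d_name, "..")) continue;
        snprintf(names[n++], 256, "%s", ent->d_name);
    }
    closedir(d);
    return n;
}

/* Investigator's side: bypass libc and ask the kernel directly with
 * getdents64(2). A user-mode hook on readdir()/open() cannot filter this. */
int list_via_getdents64(const char *path, char names[][256], int max) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[4096];
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread <= 0) break;
        for (long pos = 0; pos < nread && n < max; ) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            if (strcmp(d->d_name, ".") && strcmp(d->d_name, ".."))
                snprintf(names[n++], 256, "%s", d->d_name);
            pos += d->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* Cross-view check: names the kernel reports but the hooked view omits are
 * hidden files. Copies them into `hidden`; returns how many, or -1 on error. */
int find_hidden_entries(const char *path, char hidden[][256], int max) {
    char seen[MAX_NAMES][256], raw[MAX_NAMES][256];
    int ns = list_via_hooked_readdir(path, seen, MAX_NAMES);
    int nr = list_via_getdents64(path, raw, MAX_NAMES);
    if (ns < 0 || nr < 0) return -1;
    int nh = 0;
    for (int i = 0; i < nr && nh < max; i++) {
        int visible = 0;
        for (int j = 0; j < ns && !visible; j++)
            visible = (strcmp(raw[i], seen[j]) == 0);
        if (!visible) snprintf(hidden[nh++], 256, "%s", raw[i]);
    }
    return nh;
}

/* Constructed sample data: a throwaway "web root" with two legitimate files
 * and one implant artifact carrying the assumed prefix. Returns its path. */
const char *make_sample_dir(void) {
    static char path[64];
    static const char *files[] = { "index.html", "httpd.log", HIDE_PREFIX "loot.tgz" };
    snprintf(path, sizeof path, "%s", "/tmp/sma_demo_XXXXXX");
    if (!mkdtemp(path)) return NULL;
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        char fp[512];
        snprintf(fp, sizeof fp, "%s/%s", path, files[i]);
        int fd = open(fp, O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (fd < 0 || write(fd, "x\n", 2) != 2) return NULL;
        close(fd);
    }
    return path;
}

int main(void) {
    const char *dir = make_sample_dir();
    if (!dir) return 1;
    char hidden[MAX_NAMES][256];
    int n = find_hidden_entries(dir, hidden, MAX_NAMES);
    printf("%d entry(ies) on disk but invisible through readdir():\n", n);
    for (int i = 0; i < n; i++) printf("  %s/%s\n", dir, hidden[i]);
    return n < 0;
}
```

The raw-syscall view only beats a user-mode hook. Because the implant also hooks open and the appliance's own tooling runs on the compromised box, the definitive check is the one the article comes back to below: pull a disk image and inspect it offline.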


After deployment the attackers erase system logs and reboot the device, which activates the malware. The log deletion is selective, targeting httpd.log, http_request.log and inotify.log, which hampers investigation while leaving minimal traces. Experts warn that this is particularly dangerous because it enables a long-term undetected presence.


GTIG has moderate confidence that a zero-day RCE vulnerability was used. The attacks appear to be preparation for large-scale operations, including data theft, extortion, and potentially ransomware deployment. Indirectly supporting this is the appearance of victim data on World Leaks, linked to actors previously involved with Hunters International.


Parallels were also drawn between UNC6148’s tactics and similar attacks on SonicWall devices observed in July 2023. At that time, researchers including Stefan Berger from Truesec noted the use of web shells and methods to maintain access across firmware upgrades — later associated with Abyss ransomware deployment.


This case highlights a growing trend: cybercriminals increasingly target edge network devices that aren’t protected by antivirus or EDR solutions. As a result, intrusions can remain undetected for extended periods.


Google recommends full forensic analysis using disk images, as built-in tools cannot detect such stealthy threats. This often requires working directly with SonicWall to obtain full system images.


SonicWall has confirmed cooperation with GTIG and announced that end-of-support for SMA 100 devices has been moved up from October 2027 to December 2025. This accelerated timeline reflects the current threat landscape and the company’s transition to more modern solutions like SMA 1000 and Cloud Secure Edge, which promise better security and scalability.