
Warning: New Threat Actor UNC6148 Targets SonicWall Devices with Overstep Malware
A newly identified cyber threat actor, tracked as UNC6148, is actively exploiting vulnerabilities in SonicWall network security devices to deploy a sophisticated new malware strain called “Overstep.” This campaign represents a significant threat to organizations, as the tactics observed suggest these intrusions are likely a precursor to widespread ransomware attacks.
This activity underscores a critical security challenge: threat actors are increasingly targeting edge devices like firewalls as a primary entry point into corporate networks. Once compromised, these devices provide a powerful foothold for launching broader, more destructive attacks.
Who is UNC6148?
While information on UNC6148 is still emerging, their methods indicate a skilled and financially motivated group. They focus on exploiting known vulnerabilities, and possibly zero-days, in internet-facing network appliances. Their choice of SonicWall devices is strategic, as these firewalls are widely used across various industries, offering a large pool of potential targets.
The group’s methodology is patient and calculated. They gain initial access, deploy their malware for persistent access, and then likely prepare to sell that access to other cybercriminals or deploy ransomware themselves.
The Attack Chain: How Overstep Malware Works
The attack begins with the exploitation of a security flaw in a targeted SonicWall device. Once UNC6148 gains initial access, they proceed with the deployment of the Overstep malware.
The primary function of Overstep is to act as a persistent backdoor. It is designed to survive reboots and firmware updates, giving the attackers long-term control over the compromised device. This backdoor allows UNC6148 to:
- Execute arbitrary commands on the firewall.
- Manipulate network traffic and firewall rules.
- Move laterally from the firewall into the internal network.
- Exfiltrate sensitive data passing through the device.
By embedding themselves within the core of a network’s security infrastructure, the attackers can operate with a high degree of stealth, making detection extremely difficult.
The Inevitable Link to Ransomware
The deployment of backdoors like Overstep is rarely the final goal. This type of malware is a classic calling card of Initial Access Brokers (IABs) or the first stage of a ransomware group’s operation. The ultimate objective is almost certainly data exfiltration and the eventual deployment of ransomware for financial extortion.
Once UNC6148 establishes a stable foothold with Overstep, they can map the internal network, identify critical assets like domain controllers and file servers, steal valuable data, and then encrypt the entire system.
How to Protect Your SonicWall Devices and Network
Protecting your organization requires immediate and proactive measures. Given the severity of this threat, administrators and security teams must act now to harden their defenses.
Patch and Update Immediately: This is the most critical step. Ensure your SonicWall devices are running the latest firmware version. Threat actors thrive on unpatched vulnerabilities, and failing to update is an open invitation for an attack.
Restrict Management Interface Access: Never expose the SonicWall management interface directly to the public internet. Access should be strictly limited to a secure, internal management network. If remote access is absolutely necessary, it must be protected by a VPN with strong security controls.
Enforce Multi-Factor Authentication (MFA): MFA should be mandatory for all administrative accounts, including those used to manage network devices. This adds a powerful layer of security that can prevent unauthorized access even if credentials are stolen.
Review Logs for Suspicious Activity: Actively monitor firewall and network logs for any signs of compromise. Look for unusual administrative logins, unexpected configuration changes, unexplained outbound traffic from the firewall itself, or the creation of new, unauthorized user accounts.
Implement a Robust Backup and Recovery Plan: The best defense against the impact of ransomware is a reliable backup. Follow the 3-2-1 rule: maintain three copies of your data on two different media types, with at least one copy stored off-site and offline. Regularly test your backups to ensure they can be restored successfully.
Segment Your Network: Use network segmentation to limit an attacker’s ability to move laterally. By isolating critical systems into secure zones, you can contain a breach and prevent it from spreading across your entire infrastructure.
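As an added example (not from the article or from SonicWall), the following Python checker applies the four log indicators named in the "Review Logs" step to constructed, generic key=value log lines; the management subnet, the firewall's own address, the approved-admin list and the change window are assumed values that would be replaced with an organization's real ones.

```python
"""Flag the four firewall-log indicators from the hardening list over sample lines."""
import ipaddress
import re

# Constructed sample lines in a generic key=value form (not real SonicWall output).
SAMPLE_LOGS = [
    "ts=2025-07-16T02:14:05Z event=admin_login user=admin src=203.0.113.45 result=success",
    "ts=2025-07-16T02:15:10Z event=admin_login user=admin src=10.10.0.5 result=success",
    "ts=2025-07-16T02:16:30Z event=config_change user=admin object=nat_policy action=add",
    "ts=2025-07-16T02:17:02Z event=user_add account=svc_backup role=admin by=admin",
    "ts=2025-07-16T02:18:44Z event=connection src=10.10.0.1 dst=198.51.100.7 dport=443 dir=outbound",
    "ts=2025-07-16T02:19:00Z event=connection src=10.10.0.22 dst=198.51.100.7 dport=443 dir=outbound",
]

# Assumed environment values; replace with the organization's real ones.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")  # assumed internal management network
FIREWALL_IPS = {"10.10.0.1"}                     # assumed address(es) of the firewall itself
KNOWN_ADMINS = {"admin"}                          # assumed approved administrative accounts
CHANGE_WINDOW = range(8, 18)                      # assumed approved change window, hours UTC


def parse(line):
    """Split a key=value log line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def find_indicators(lines):
    """Return (indicator, line) pairs for the signs of compromise listed in the text."""
    hits = []
    for line in lines:
        f = parse(line)
        ev = f.get("event")
        if ev == "admin_login" and ipaddress.ip_address(f["src"]) not in MGMT_NET:
            hits.append(("admin login from outside the management network", line))
        elif ev == "config_change" and int(f["ts"][11:13]) not in CHANGE_WINDOW:
            hits.append(("configuration change outside the change window", line))
        elif ev == "user_add" and f.get("account") not in KNOWN_ADMINS:
            hits.append(("creation of an unapproved account", line))
        elif ev == "connection" and f.get("dir") == "outbound" and f.get("src") in FIREWALL_IPS:
            hits.append(("outbound traffic originating from the firewall itself", line))
    return hits


if __name__ == "__main__":
    for indicator, line in find_indicators(SAMPLE_LOGS):
        print(f"[{indicator}] {line}")
```

In practice the same checks would be expressed as SIEM rules over the device's syslog feed; the logic here is only meant to make each indicator concrete.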
The emergence of UNC6148 and the Overstep malware is a serious reminder that network edge devices are high-value targets. Proactive security, vigilant monitoring, and swift patching are not just recommendations; they are essential to defending against these advanced and persistent threats.
Source: https://securityaffairs.com/180035/hacking/unc6148-deploys-overstep-malware-on-sonicwall-devices-possibly-for-ransomware-operations.html