Google finds custom backdoor being installed on SonicWall network devices
Summary
The previously unknown group UNC6148 has found a way to compromise SonicWall SMA appliances. These devices are prime targets because they sit at the edge of enterprise networks, managing and securing access by mobile devices, even though they are end of life and so no longer receive stability or security updates.
Google has recommended that every organisation using SMA appliances analyse its devices to determine whether they have been compromised.
The attacks are known to exploit leaked local administrator credentials, but how those credentials were obtained in the first place is unknown, as is the specific vulnerability being exploited.
The exact aims of the attacks are also unclear, but the attackers are known to use a custom backdoor, dubbed Overstep, which allows them to selectively remove log entries and so hinder forensic investigation.
It is possible that the attackers hold a zero-day exploit, which would mean that the vulnerability being targeted is not publicly known.