

Ethical Hacking News

The SonicWall Security Breach: A Complex Web of Vulnerabilities



The SonicWall Secure Mobile Access (SMA) appliances have been compromised by a sophisticated group of hackers, known as UNC6148. The attackers have used leaked local administrator credentials and unauthenticated remote code execution vulnerabilities to gain access to the devices. This article provides an in-depth analysis of the attack and offers guidance on how organizations can mitigate its impact.

  • Google Threat Intelligence Group (GTIG) has identified a sophisticated cyber attack on SonicWall Secure Mobile Access (SMA) appliances.
  • The attackers, UNC6148, used leaked local administrator credentials and unauthenticated remote code execution vulnerabilities to compromise multiple devices.
  • The attacks exploited several known vulnerabilities in SMA appliances, including CVE-2021-20038 and CVE-2024-38475.
  • Custom backdoor malware called Overstep was used to selectively remove log entries, making detection and forensic investigation challenging.
  • Organizations with SMA appliances are advised to perform analysis to determine if they have been compromised and acquire disk images for forensic analysis.
  • The attacks highlight the importance of regular updates, patching, and monitoring of network devices to prevent such complex cyber attacks.


    In a recent discovery by Google Threat Intelligence Group (GTIG), a team of researchers has identified a sophisticated cyber attack on SonicWall Secure Mobile Access (SMA) appliances. The attackers, identified as the group UNC6148, have compromised multiple devices using a combination of leaked local administrator credentials and unauthenticated remote code execution vulnerabilities.

    According to the report published by GTIG, the attacks are exploiting several known vulnerabilities in SMA appliances, including CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. The attackers have also been using a custom backdoor malware called Overstep, which allows them to selectively remove log entries, making detection and forensic investigation challenging.

    The GTIG report highlights the complexity of the attack, emphasizing that the lack of details about the vulnerabilities exploited and the motivations of the attackers makes it difficult for organizations to take effective countermeasures. The report also recommends that all organizations with SMA appliances perform analysis to determine if they have been compromised and acquire disk images for forensic analysis.
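    The two preceding paragraphs make one practical point for defenders: a backdoor that selectively deletes log entries on the appliance defeats analysis that relies on the appliance's own logs, which is why the recommendation is to examine the device rather than trust what it reports. A copy of the logs forwarded off-box before the tampering happened is the simplest reference point. The following is an added example, not code from the article or from GTIG's report: it compares a forwarded (remote) copy of a log against the copy still on the device and reports the entries that are missing locally. The log line format, the hypothetical function names and the sample log lines are all constructed for this example and do not reflect the real SMA log format or Overstep's behaviour.

```python
"""
Detect selectively deleted log entries by diffing a remotely forwarded copy of
an appliance log against the copy still present on the appliance.

Added example; the line format 'ISO8601 <space> message' is an assumption made
for this demo, and all log content below is constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class LogEntry:
    timestamp: str
    message: str


def parse_log(text: str) -> list[LogEntry]:
    """Parse one entry per non-empty line: '<timestamp> <message>'."""
    entries: list[LogEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, msg = line.partition(" ")
        entries.append(LogEntry(ts, msg))
    return entries


def missing_locally(remote: Iterable[LogEntry], local: Iterable[LogEntry]) -> list[LogEntry]:
    """Entries that exist in the forwarded copy but not on the device, in remote order.

    Multiset semantics: if an identical line occurred twice remotely and only
    once locally, the second occurrence is reported as missing.
    """
    remaining = Counter(local)
    gone: list[LogEntry] = []
    for entry in remote:
        if remaining[entry] > 0:
            remaining[entry] -= 1
        else:
            gone.append(entry)
    return gone


def tamper_report(remote_text: str, local_text: str) -> dict:
    """Summarise the comparison for an investigator."""
    remote = parse_log(remote_text)
    local = parse_log(local_text)
    gone = missing_locally(remote, local)
    return {
        "remote_entries": len(remote),
        "local_entries": len(local),
        "missing_count": len(gone),
        "missing": gone,
    }


# Constructed sample: the forwarded copy received by a remote syslog collector.
REMOTE_LOG = """
2025-07-01T10:00:01Z auth: login success user=admin src=203.0.113.5
2025-07-01T10:00:09Z httpd: GET /cgi-bin/status 200
2025-07-01T10:01:15Z auth: login success user=svc-backup src=198.51.100.7
2025-07-01T10:01:40Z system: config change by user=svc-backup
2025-07-01T10:02:02Z httpd: GET /cgi-bin/status 200
2025-07-01T10:05:00Z system: scheduled task ran
"""

# Constructed sample: the same log as later read from the appliance, with the
# login and the config change at 10:01 removed.
LOCAL_LOG = """
2025-07-01T10:00:01Z auth: login success user=admin src=203.0.113.5
2025-07-01T10:00:09Z httpd: GET /cgi-bin/status 200
2025-07-01T10:02:02Z httpd: GET /cgi-bin/status 200
2025-07-01T10:05:00Z system: scheduled task ran
"""

if __name__ == "__main__":
    report = tamper_report(REMOTE_LOG, LOCAL_LOG)
    print(f"remote={report['remote_entries']} local={report['local_entries']} "
          f"missing={report['missing_count']}")
    for entry in report["missing"]:
        print(f"  deleted locally: {entry.timestamp} {entry.message}")
```

    The diff only works if forwarding was in place before the intrusion and the collector is not reachable from the appliance with write or delete access; otherwise the forwarded copy is no more trustworthy than the local one. Entries found only in the remote copy are the ones to examine first, since whoever removed them considered them worth hiding.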

    Furthermore, the GTIG report notes that many organizations continue to rely on end-of-life devices that no longer receive regular updates for stability and security, making them prime targets for UNC6148. The report also posits that the attackers may be armed with a zero-day exploit, targeting a vulnerability currently publicly unknown.

    As a result of the attacks, SonicWall customers are advised to watch for technical indicators that they have been targeted or compromised. The GTIG report provides guidance on detecting infections and mitigating the impact of the attacks.

    In conclusion, the SonicWall security breach highlights the importance of regular updates, patching, and monitoring of network devices to prevent such complex cyber attacks. It also emphasizes the need for organizations to stay vigilant and proactive in identifying and addressing vulnerabilities before they can be exploited by attackers.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-SonicWall-Security-Breach-A-Complex-Web-of-Vulnerabilities-ehn.shtml

  • https://arstechnica.com/security/2025/07/google-finds-custom-backdoor-being-installed-on-sonicwall-network-devices/

  • https://nvd.nist.gov/vuln/detail/CVE-2021-20035

  • https://www.cvedetails.com/cve/CVE-2021-20035/

  • https://nvd.nist.gov/vuln/detail/CVE-2021-20038

  • https://www.cvedetails.com/cve/CVE-2021-20038/

  • https://nvd.nist.gov/vuln/detail/CVE-2021-20039

  • https://www.cvedetails.com/cve/CVE-2021-20039/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-38475

  • https://www.cvedetails.com/cve/CVE-2024-38475/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-32819

  • https://www.cvedetails.com/cve/CVE-2025-32819/


    Published: Wed Jul 16 17:30:59 2025 by llama3.2 3B Q4_K_M
