
Google Threat Intelligence Group Uncovers UNC6148 on SonicWall Secure Mobile Access 100 Series Appliances

Limited Number of Victims So Far But Threat Persists to This Day

Google Threat Intelligence Group has published new research uncovering a previously unknown backdoor, OVERSTEP, that a threat actor tracked as UNC6148 is deploying on fully patched SonicWall Secure Mobile Access (SMA) 100 series appliances.

In the study, Google Threat Intelligence Group identified UNC6148, a sophisticated threat actor, opportunistically exploiting fully patched, end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.

The actor is deploying a newly discovered, persistent backdoor and user-mode rootkit named OVERSTEP. This backdoor covertly modifies the appliance’s boot process to maintain persistence and enables the theft of user credentials, session tokens, and one-time password (OTP) seeds.

While the initial access vector remains unknown, Google Threat Intelligence Group assesses with moderate confidence that UNC6148 is leveraging known, and possibly as-yet-unknown, vulnerabilities to steal credentials, establish persistent access, and achieve remote code execution in order to deploy OVERSTEP, underscoring the advanced nature of this threat.

The number of known victims at this time is limited, and Google Threat Intelligence Group has been proactively notifying impacted organisations. Organisations with these devices are urged to analyse the devices for potential compromise and evidence of lateral movement.

Key Findings on UNC6148

  • Data Theft and Extortion Link: UNC6148’s operations have been active since at least October 2024 and are suspected to enable data theft, extortion, and potentially ransomware deployment. However, Google Threat Intelligence Group does not yet have enough data to confidently assess whether the actor is financially motivated.
  • Concealment of its own components: The backdoor is designed to hide itself and selectively remove log entries, making detection and forensic investigation significantly harder. During an investigation, Mandiant observed UNC6148 exporting and re-importing SMA appliance settings, including new network access control rules for its own IP addresses. This suggests UNC6148 modified the settings offline before re-importing them to ensure continued access from its infrastructure. The actor also took steps to cover its tracks and eliminate forensic evidence.
  • Recommendations: All organisations with SMA 100 series appliances should perform analysis to determine if they have been compromised by following the steps outlined in the “Hunting and Detection” section of Google Threat Intelligence Group’s research.
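One practical check that follows from the settings export/re-import behaviour described above is to diff a known-good settings export against the one currently on the appliance and flag any new or changed network access rules, especially allow rules whose source addresses fall outside the ranges the organisation expects. The block below is an added example written for this page; it is not code from Google Threat Intelligence Group, Mandiant or SonicWall, and it does not parse the proprietary SMA export format. It assumes the exports have already been converted into the dictionary shape shown (an assumption), and the rule names, addresses and trusted ranges are constructed sample data.

```python
"""Hunting helper: diff two SMA settings exports and flag suspicious access rules.

Added example, not from the GTIG/Mandiant research. The real SMA settings
export is a proprietary format; this assumes each export has been parsed
into a dict keyed by rule name (an assumption made for illustration).
"""
import ipaddress

# Constructed sample data: a baseline export saved at deployment time and a
# later export pulled during an investigation. Names and addresses are made up;
# 203.0.113.45 is from the documentation range TEST-NET-3.
BASELINE = {
    "network_access_rules": {
        "corp-vpn": {"action": "allow", "source": "10.20.0.0/16", "dest": "any"},
        "deny-all": {"action": "deny", "source": "any", "dest": "any"},
    }
}
CURRENT = {
    "network_access_rules": {
        "corp-vpn": {"action": "allow", "source": "10.20.0.0/16", "dest": "any"},
        "mgmt-backup": {"action": "allow", "source": "203.0.113.45/32", "dest": "any"},
        "deny-all": {"action": "deny", "source": "any", "dest": "any"},
    }
}

# Address ranges the organisation expects to see as sources of allow rules
# (assumed for the example; adjust to the real environment).
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def diff_rules(baseline, current):
    """Return (added, removed, changed) rule names between two exports."""
    b = baseline.get("network_access_rules", {})
    c = current.get("network_access_rules", {})
    added = sorted(set(c) - set(b))
    removed = sorted(set(b) - set(c))
    changed = sorted(n for n in set(b) & set(c) if b[n] != c[n])
    return added, removed, changed


def untrusted_allow_rules(export, trusted=TRUSTED_NETS):
    """Names of allow rules whose source is not contained in a trusted network.

    An allow rule with source 'any', or with a source that does not parse as
    an address or CIDR block, is always flagged.
    """
    hits = []
    for name, rule in export.get("network_access_rules", {}).items():
        if rule.get("action") != "allow":
            continue
        src = rule.get("source", "any")
        if src == "any":
            hits.append(name)
            continue
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            hits.append(name)  # unparseable source: treat as suspect
            continue
        # subnet_of only accepts networks of the same IP version
        if not any(net.subnet_of(t) for t in trusted if net.version == t.version):
            hits.append(name)
    return sorted(hits)


def hunt(baseline, current):
    """Combine the diff and the trust check into a list of human-readable findings."""
    added, removed, changed = diff_rules(baseline, current)
    rules = current.get("network_access_rules", {})
    findings = []
    for name in added:
        findings.append(f"ADDED rule {name!r}: {rules[name]}")
    for name in removed:
        findings.append(f"REMOVED rule {name!r}")
    for name in changed:
        findings.append(f"CHANGED rule {name!r}: now {rules[name]}")
    for name in untrusted_allow_rules(current):
        findings.append(f"UNTRUSTED SOURCE in allow rule {name!r}: {rules[name]['source']}")
    return findings


if __name__ == "__main__":
    for line in hunt(BASELINE, CURRENT):
        print(line)
```

A rule that is both newly added and sourced from an unexpected address, as in the constructed data, produces two findings and is exactly the pattern the research describes: an access rule inserted offline and re-imported so the actor's own infrastructure can reach the device. The baseline export must come from a trusted copy (for example one taken before the device was exposed), since an export taken after compromise would simply enshrine the attacker's rule.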

Martin Dale Bolima

Martin has been a Technology Journalist at Asia Online Publishing Group (AOPG) since July 2021, tasked primarily to handle the company’s Disruptive Tech Asia and Disruptive Tech News online portals. He also contributes to Cybersecurity ASEAN and Data&Storage ASEAN, with his main areas of interest being artificial intelligence and machine learning, cloud computing and cybersecurity. A seasoned writer and editor, Martin holds a degree in Journalism from the University of Santo Tomas in the Philippines. He began his professional career back in 2006 as a writer-editor for the University Press of First Asia, one of the premier academic publishers in the Philippines. He next dabbled in digital marketing as an SEO writer while also freelancing as a sports and features writer.
