Hacker using backdoor to exploit SonicWall Secure Mobile Access to steal credentials
- A threat actor has used a patched vulnerability in SonicWall software
- The group is tracked as UNC6148
- This allowed UNC6148 to potentially steal credentials and deploy ransomware
A financially motivated threat actor, tracked by Google’s Threat Intelligence Group as UNC6148, has been observed targeting patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
These attacks, Google determines with ‘high confidence’, are using credentials and one-time passwords (OTP) seeds that were obtained through previous instructions, which has allowed them to re-access even after organizations have updated their security.
A zero-day remote code execution vulnerability, Google says with ‘moderate confidence’, was used to deploy OVERSTEP on the targeted SonicWall SMA appliances. The threat intelligence group also “assesses with moderate confidence that UNC6148’s operations, dating back to at least October 2024, may be to enable data theft and extortion operations, and possibly ransomware deployment.”
UNC6148
The previously unknown persistent backdoor/user-mode rootkit, OVERSTEP, was deployed by the actor. This malware modifies the appliance’s boot process to allow persistent access, steal sensitive credentials, and then hide its own components;
“An organization targeted by UNC6148 in May 2025 was posted to the “World Leaks” data leak site (DLS) in June 2025, and UNC6148 activity overlaps with publicly reported SonicWall exploitation from late 2023 and early 2024 that has been publicly linked to the deployment of Abyss-branded ransomware (tracked by GTIG as VSOCIETY),” Google continued.
Earlier in 2025, SonicWall firewalls were hit by a worrying cyberattack, in which a vulnerability was leveraged by threat actors to gain access to target endpoints, interfere with the VPN, and further disrupt the target further.
These attacks highlight the importance of updating software as soon as patches become available. Organizations which fail to keep on top of system updates can be left vulnerable to known-exploits. If it’s too daunting of a task, take a look at our choices for the best patch management software for a helping hand.
You might also like
A threat actor has used a patched vulnerability in SonicWall software The group is tracked as UNC6148 This allowed UNC6148 to potentially steal credentials and deploy ransomware A financially motivated threat actor, tracked by Google’s Threat Intelligence Group as UNC6148, has been observed targeting patched end-of-life SonicWall Secure Mobile Access…
