Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor


Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.

GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.

Read more…
Source: Mandiant/GTG


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Iran-linked hackers threaten to release Trump aides’ emails

    July 1, 2025

    Iran-linked hackers have threatened to disclose more emails stolen from U.S. President Donald Trump’s circle, after distributing a prior batch to the media ahead of the 2024 U.S. election. In online chats with Reuters on Sunday and Monday, the hackers, who go by the pseudonym Robert, said they had roughly 100 gigabytes of emails from the ...

  • FBI: Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest

    June 30, 2025

    The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) (hereafter referred to as the authoring agencies) strongly urge organizations to remain vigilant for potential targeted cyber activity against U.S. critical infrastructure and other U.S. entities by Iranian-affiliated cyber ...

  • International Criminal Court hit with cyber security attack

    June 30, 2025

    The International Criminal Court has been targeted by a “sophisticated” cyberattack and is taking measures to limit any damage, the global tribunal announced Monday. The ICC, which also was hit by a cyberattack in 2023, said the latest incident had been contained but did not elaborate further on the impact or possible motive. “A Court-wide impact ...

  • Konica Minolta bizhub Multifunction Printer: Pass-Back Attack Vulnerability (NOT FIXED)

    June 30, 2025

    During security testing, Rapid7 discovered that Konica Minolta bizhub 227 Multifunction printers (MFPs) were vulnerable to a pass-back attack. The affected products identified were: Konica Minolta bizhub MFPs Firmware Version: GCQ-Y3 and earlier This issue has been assigned the following CVEs: CVE-2025-6081: LDAP pass-back vulnerability The Konica Minolta bizhub Multifunction printer (MFP) is an all-in-one enterprise printer designed ...

  • Bluetooth security flaw could let hackers spy on your device via microphone

    June 30, 2025

    Security researchers have uncovered three vulnerabilities in a Bluetooth chipset present in dozens of devices from multiple manufacturers. The vulnerabilities, they say, can be exploited to eavesdrop on people’s conversations, steal call history and contacts information, and possibly even deploy malware on vulnerable devices. However, exploiting the flaws for these purposes is quite difficult, so practical ...

  • Hackers hijacked hundreds of devices in an outlandish intel campaign aimed at US and Asian targets

    June 29, 2025

    A recently disclosed cyber espionage operation, dubbed LapDogs, has drawn scrutiny following revelations from SecurityScorecard’s Strike Team. The operation, believed to be conducted by China-aligned threat actors, has quietly infiltrated over 1,000 devices across the United States, Japan, South Korea, Taiwan, and Hong Kong. What makes this campaign distinctive is its use of hijacked SOHO routers ...