Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor


Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.

GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.

Read more…
Source: Mandiant/GTG


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Have I Been Pwned claims Pitney Bowes hit by 8.2M email address leak

    April 29, 2026

    Logistics technology company Pitney Bowes, which makes franking machines for US postage, is the latest scalp claimed by ShinyHunters and its ongoing spree of pay-or-leak attacks against major organizations. Data breach tracker Have I Been Pwned (HIBP) confirmed the breach on April 27, with 8.2 million unique email addresses included in the dump alongside names, phone ...

  • Medtronic says ShinyHunters hackers stole around 9 million medical records in latest attack

    April 28, 2026

    Medtronic, one of the biggest medical device manufacturers in the world, has confirmed suffering a cyberattack in which crooks “accessed data in certain Medtronic corporate IT systems.” In a security notification published on its website, Medtronic said the attack does not affect its customers or products, and also stressed it will continue operating as usual, without ...

  • Don’t pay Vect a ransom – your data’s likely already wiped out

    April 28, 2026

    Organizations hit by the wave of Trivy and Lite LLM supply-chain compromises that paid Vect in hopes of recovering their data likely did not get much back, according to Check Point Research. That’s because the ransomware Vect uses isn’t actually ransomware at all, but a wiper that destroys any file larger than 128KB. Vect’s leak site ...

  • Chinese engineer stole US military and NASA software for years

    April 28, 2026

    International espionage isn’t always about sophisticated malware and zero-day bugs. Sometimes it’s as simple as pretending to be someone else asking for a favor. For four years, a Chinese aerospace engineer did just that. Dozens of researchers at NASA, the US military, and major universities handed him exactly what he asked for, and possibly violated US ...

  • ADT confirms cyber intrusion after ShinyHunters extortion attempt

    April 27, 2026

    A home security biz getting digitally burgled is not a great look – but that’s exactly where ADT finds itself. The company has confirmed a cyber intrusion following an extortion attempt by the ShinyHunters crew, which claims to have made off with more than 10 million records. US-based ADT is one of the world’s largest providers ...

  • Attackers use hidden SMS and signalling systems to track targets’ location

    April 24, 2026

    Security researchers have just unveiled details of two covert surveillance campaigns that exploit weaknesses in the global telecom infrastructure. In a report published on Thursday, Citizen Lab explains that attackers abuse the signalling systems mobile operators use to support roaming, route messages, and locate devices on the network. The weaknesses were used to track certain subscribers ...