INSUBCONTINENT EXCLUSIVE:
Researchers from the Google Threat Intelligence Group said that hackers are compromising SonicWall Secure Mobile Access (SMA) appliances, which sit at the edge of enterprise networks and manage and secure access by mobile devices. The targeted devices are end of life, meaning they no longer receive regular updates for stability and security. Despite that status, many organizations continue to rely on them.

Much remains unknown, even for Google Threat Intelligence Group. For one thing, the attacks are exploiting leaked local administrator credentials on the targeted devices, and so far, no one knows how the credentials were obtained. Also unknown is how Overstep functions; Overstep is the name of the custom backdoor malware UNC6148 is installing after the initial compromise of the devices. Overstep allows the attackers to selectively remove log entries, a technique that is hindering forensic investigation.
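Selective deletion of log entries, as described above, tends to leave detectable traces when a log carries a monotonic sequence number or a steady cadence of events. The following is an added example written for this page, not code from the article, from Google's report, or from SonicWall. It assumes a hypothetical log format of "sequence timestamp message" per line and uses constructed sample lines; a forensic analyst can run it over an exported log to flag skipped sequence numbers, unexpected silences, and out-of-order timestamps, each of which is worth investigating when tampering is suspected.

```python
"""Flag gaps in a log that may indicate selectively removed entries.

Added example, not from the article or from Google's report. It assumes a
hypothetical log format with a per-line monotonic sequence number followed
by an ISO-8601 timestamp and a message; the sample lines are constructed.
"""
import re
from datetime import datetime, timedelta

# Hypothetical format: "<seq> <ISO timestamp> <message>"
LINE_RE = re.compile(r"^(?P<seq>\d+)\s+(?P<ts>\S+)\s+(?P<msg>.*)$")


def parse_line(line):
    """Return (seq, timestamp, message) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (int(m.group("seq")),
            datetime.fromisoformat(m.group("ts")),
            m.group("msg"))


def find_gaps(lines, max_silence=timedelta(minutes=10)):
    """Walk the log in order and collect findings.

    Findings are tuples:
      ("seq_gap", prev_seq, next_seq)   sequence numbers skipped
      ("time_gap", prev_seq, next_seq)  silence longer than max_silence
      ("out_of_order", prev_seq, next_seq) timestamp went backwards
      ("unparsed", raw_line)            line did not match the format
    """
    findings = []
    prev = None
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            findings.append(("unparsed", raw))
            continue
        seq, ts, _ = rec
        if prev is not None:
            pseq, pts, _ = prev
            if seq != pseq + 1:
                # Entries 1003-1004 missing in the sample: a deletion candidate
                findings.append(("seq_gap", pseq, seq))
            if ts < pts:
                findings.append(("out_of_order", pseq, seq))
            elif ts - pts > max_silence:
                findings.append(("time_gap", pseq, seq))
        prev = rec
    return findings


# Constructed sample log; 203.0.113.5 is a documentation-range address.
SAMPLE = [
    "1001 2025-07-01T10:00:00 auth: admin login from 203.0.113.5",
    "1002 2025-07-01T10:00:07 session: token issued",
    "1005 2025-07-01T10:02:30 config: export requested",   # 1003-1004 absent
    "1006 2025-07-01T10:45:00 auth: admin logout",         # 42-minute silence
]

if __name__ == "__main__":
    for finding in find_gaps(SAMPLE):
        print(finding)
```

The sequence check is the strongest signal, because an attacker removing individual entries cannot renumber the survivors without rewriting the whole file; the silence threshold should be tuned to the appliance's normal event rate, and for edge devices the more robust control is forwarding logs to a remote collector so that on-box deletion leaves the remote copy intact.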
Possible vulnerabilities UNC6148 may be exploiting include:

- CVE-2021-20038: An unauthenticated remote code execution made possible by a memory corruption vulnerability.
- CVE-2024-38475: An unauthenticated path traversal vulnerability in Apache HTTP Server, which is present in
  It can be exploited to extract two separate SQLite databases that store user account credentials, session tokens, and seed values for generating one-time passwords.
- CVE-2021-20035: An authenticated remote code execution vulnerability. Security firm Arctic Wolf and SonicWall reported in April that this vulnerability was under active exploitation.
- CVE-2021-20039: An authenticated remote code execution vulnerability. There have been reports that this vulnerability was under active exploitation to install ransomware in 2024.
- CVE-2025-32819: An authenticated file deletion vulnerability that can be exploited to cause a targeted device to revert the built-in administrator credentials to a password so that attackers can gain administrator access.