SonicWall

A previously unseen malware called OVERSTEP has been deployed by a threat actor targeting SonicWall Secure Mobile Access (SMA) appliances. The malware, identified as a user-mode rootkit, allows the attackers to maintain persistent access, steal sensitive credentials, and hide malicious components from tools run on the live device. The threat actor, tracked as UNC6148, has been operating since at least October 2023 and has targeted organizations as recently as May 2025. The attacks may have used a zero-day remote code execution vulnerability and have resulted in data theft and extortion, with potential deployment of Abyss ransomware.

Source: https://www.bleepingcomputer.com/news/security/sonicwall-sma-devices-hacked-with-overstep-rootkit-tied-to-ransomware/

TPRM report: https://scoringcyber.rankiteo.com/company/sonicwall

{
  "id": "son417071725",
  "linkid": "sonicwall",
  "type": "Ransomware",
  "date": "7/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'type': 'Organization'}],
 'attack_vector': 'Suspected zero-day remote code execution vulnerability (not confirmed)',
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': 'persist.db database, certificate files',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Sensitive credentials, '
                                             'persist.db database, certificate '
                                             'files'},
 'description': 'A threat actor has been deploying a previously unseen malware '
                'called OVERSTEP that modifies the boot process of '
                'fully-patched but no longer supported SonicWall Secure Mobile '
                'Access appliances. The backdoor is a user-mode rootkit that '
                'allows hackers to hide malicious components, maintain '
                'persistent access on the device, and steal sensitive '
                'credentials.',
 'impact': {'data_compromised': 'Sensitive credentials, persist.db database, '
                                'certificate files',
            'systems_affected': 'SonicWall SMA 100 Series devices'},
 'initial_access_broker': {'backdoors_established': True,
                           'data_sold_on_dark_web': True,
                           'entry_point': 'Unknown'},
 'motivation': 'Data theft and extortion',
 'post_incident_analysis': {'root_causes': 'Exploitation of known '
                                           'vulnerabilities to steal '
                                           'administrator credentials'},
 'ransomware': {'ransomware_strain': 'Abyss (VSOCIETY)'},
 'recommendations': 'Organizations with SMA appliances are recommended to '
                    'check the devices for potential compromise by acquiring '
                    'disk images and analysing them offline rather than '
                    'inspecting the live system, since a user-mode rootkit '
                    'can only hide files and processes from tools running on '
                    'the compromised device. GTIG provides a set of indicators '
                    'of compromise along with the signs analysts should look '
                    'for to determine if the device was hacked.',
 'references': [{'source': 'Google Threat Intelligence Group (GTIG)'}],
 'response': {'third_party_assistance': 'Google Threat Intelligence Group '
                                        '(GTIG), Mandiant, SonicWall’s Product '
                                        'Security Incident Response Team '
                                        '(PSIRT)'},
 'threat_actor': 'UNC6148',
 'title': 'OVERSTEP Malware Targeting SonicWall SMA Appliances',
 'type': 'Malware (Rootkit)',
 'vulnerability_exploited': ['CVE-2021-20038',
                             'CVE-2024-38475',
                             'CVE-2021-20035',
                             'CVE-2021-20039',
                             'CVE-2025-32819']}