ICS Labs Outbreak Alert - SonicWall Secure Mobile Access Attack
- Security Team

- Aug 4


This persistent attack was identified by the Google Threat Intelligence Group (GTIG) and attributed, with moderate confidence, to a financially motivated threat actor tracked as UNC6148.
The attackers leveraged a combination of known vulnerabilities and, possibly, an unknown flaw (zero-day) to gain access to the targeted devices. Once inside, they stole administrative credentials and a one-time password, enabling them to reconnect via VPNs and remain undetected within the network over an extended period — even after security updates were applied.
A key component of this campaign was the deployment of OVERSTEP, a Linux-based rootkit designed for stealth and persistence. Once installed on the targeted devices, OVERSTEP allowed the attackers to maintain control, exfiltrate sensitive credentials, manipulate logs to erase evidence, and initiate outbound communication with command-and-control servers.
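The persistence pattern above (stolen admin credentials and OTP seeds that stay valid after patching, plus rootkit log tampering) suggests two cheap triage checks. The script below is an added example, not code from the original alert or from SonicWall; the log line format, account names and rotation dates are constructed assumptions, not the appliance's real syntax.

```python
"""Triage checks for the post-patch persistence pattern described in the alert.
1. Flag successful post-patch VPN logins by accounts whose password/OTP seed
   was never rotated after the patch (the credentials may already be stolen).
2. Flag timestamp regressions in the log stream, a crude hint that entries
   were rewritten or deleted.
"""
from datetime import datetime
import re

# Constructed sample log; the field layout is an assumption for this example.
SAMPLE_LOG = """\
2025-06-01T08:00:00 user=admin src=203.0.113.10 result=success method=vpn
2025-06-20T09:15:00 user=admin src=198.51.100.7 result=success method=vpn
2025-06-02T10:00:00 user=backup src=203.0.113.10 result=success method=vpn
2025-06-21T11:30:00 user=backup src=203.0.113.10 result=success method=vpn
"""
PATCH_DATE = datetime(2025, 6, 10)           # constructed patch date
# Constructed: when each account's password and OTP seed were last rotated.
LAST_ROTATED = {"admin": datetime(2025, 5, 1), "backup": datetime(2025, 6, 12)}

LINE_RE = re.compile(r"(\S+) user=(\S+) src=(\S+) result=(\S+)")

def parse(log):
    """Return (timestamp, user, source_ip, result) tuples in file order."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, src, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, src, result))
    return events

def stale_credential_logins(events, patch_date, last_rotated):
    """Successful logins after the patch by accounts not rotated after the patch."""
    hits = []
    for ts, user, src, result in events:
        if result != "success" or ts < patch_date:
            continue
        rotated = last_rotated.get(user)
        if rotated is None or rotated < patch_date:
            hits.append((user, src, ts.isoformat()))
    return hits

def timestamp_regressions(events):
    """Indices of entries older than their predecessor: possible log rewriting."""
    return [i for i in range(1, len(events)) if events[i][0] < events[i - 1][0]]

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("stale-credential logins:", stale_credential_logins(ev, PATCH_DATE, LAST_ROTATED))
    print("timestamp regressions at indices:", timestamp_regressions(ev))
```

Any account listed by the first check should be treated as compromised and have both its password and OTP binding reset; the second check only narrows where to look, since a rootkit can also rewrite timestamps consistently.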
Latest Updates
July 7, 2021 – SonicWall published details on CVE-2021-20038, an unauthenticated remote code execution vulnerability.
February 14, 2023 – FortiGuard released a Threat Signal regarding ransomware activity exploiting CVE-2021-20038.
March 12, 2024 – SonicWall disclosed CVE-2024-38475, an unauthenticated directory traversal vulnerability in Apache HTTP Server affecting the SMA 100 series.
May 7, 2025 – SonicWall published information on CVE-2025-32819, an authenticated file deletion vulnerability.
July 16, 2025 – Google Threat Intelligence Group (GTIG) published a Threat Blog.