SonicWall Probes Zero-Day as Firewall Attacks Spike

A recent surge in ransomware attacks targeting SonicWall firewalls for initial access suggests that attackers may be exploiting a zero-day vulnerability, according to security researchers. 

Google’s Threat Intelligence Group (GTIG) first flagged this wave of activity in mid-July, reporting that login credentials stolen in earlier incidents were likely used to compromise SonicWall devices that had already been patched for known issues. 

During the attacks, threat actors deployed a new backdoor and user-mode rootkit named Overstep, designed to alter the device’s boot process to maintain persistence and steal data. 

GTIG also reported that the group responsible, tracked as UNC6148, may have used an unknown (zero-day) remote code execution vulnerability to install Overstep on SonicWall SMA appliances, and that the targeting appeared indiscriminate rather than aimed at specific organizations. 

In early August, cybersecurity companies Arctic Wolf and Huntress issued new alerts, noting that attackers were targeting SonicWall devices to bypass multi-factor authentication (MFA). SonicWall confirmed the activity and stated that it was investigating whether a new or previously known vulnerability was being exploited. 

Arctic Wolf observed incidents involving VPN access via SonicWall SSL VPNs and found evidence suggesting the presence of a zero-day flaw. The company noted that some fully patched devices were compromised even after password changes. In certain cases, accounts with time-based one-time password (TOTP) MFA still fell victim. 

Huntress reported similar findings, noting that attackers were able to pivot to domain controllers within hours of gaining initial access. Its investigation indicated that the compromise appears to be limited to TZ and NSa-series SonicWall firewalls with SSLVPN enabled, and that the suspected vulnerability affects firmware version 7.2.0-7015 and earlier. 

The ongoing campaign targets Gen 7 SonicWall firewalls with SSLVPN enabled. SonicWall advises customers to disable SSLVPN services where feasible, restrict SSLVPN access to trusted IP addresses, enable the device's threat detection services, enforce MFA, remove inactive accounts, and rotate all passwords. 

SonicWall urged users to apply these security measures right away while the investigation continues. 
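The three indicators a responder can act on from the reports above are: successful SSLVPN logins from sources outside the trusted address list, successful logins without MFA, and logins by accounts that have been dormant (the advice is to remove them). The script below is an added example, not code from the article, SonicWall, Arctic Wolf or Huntress. It parses a constructed log format (the `vpn-login user=... src=... result=... mfa=...` lines and the `TRUSTED_NETS` allow-list are assumptions for this example; real SonicWall syslog uses a different schema, so the regular expression would need adjusting) and returns a list of findings per successful login.

```python
"""Triage successful SSL VPN logins against a trusted-source list, MFA use and account dormancy.
Added example with a constructed log format; not SonicWall's real syslog schema."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed line layout for this example (not the vendor's format).
LINE_RE = re.compile(
    r"(?P<ts>\S+) vpn-login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)"
)

# Assumed allow-list of networks from which SSLVPN logins are expected.
TRUSTED_NETS = [ip_network("10.20.0.0/16"), ip_network("198.51.100.0/24")]

# Constructed sample events (documentation IP ranges, hypothetical users).
SAMPLE_LOG = """\
2025-08-01T02:14:05Z vpn-login user=jsmith src=203.0.113.45 result=success mfa=totp
2025-08-01T02:16:40Z vpn-login user=svc-backup src=198.51.100.7 result=success mfa=none
2025-08-01T03:02:11Z vpn-login user=jsmith src=203.0.113.45 result=success mfa=totp
2025-08-01T09:30:00Z vpn-login user=mlee src=10.20.0.15 result=success mfa=totp
2025-08-01T09:45:13Z vpn-login user=admin src=192.0.2.88 result=failure mfa=none
2025-08-01T09:45:20Z vpn-login user=admin src=192.0.2.88 result=success mfa=totp
"""

# Constructed table of each account's last successful login before this log window.
LAST_SEEN = {
    "jsmith": datetime(2025, 7, 31, tzinfo=timezone.utc),
    "svc-backup": datetime(2025, 4, 1, tzinfo=timezone.utc),
    "mlee": datetime(2025, 7, 30, tzinfo=timezone.utc),
    "admin": datetime(2025, 7, 29, tzinfo=timezone.utc),
}


@dataclass
class Login:
    ts: datetime
    user: str
    src: str
    success: bool
    mfa: str


def parse(text):
    """Turn log text into Login records; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Login(ts, m["user"], m["src"], m["result"] == "success", m["mfa"]))
    return events


def triage(events, last_seen, dormant_days=90):
    """Return (user, reason) findings for successful logins that violate the hardening advice.

    - source address outside TRUSTED_NETS (the "restrict to trusted IPs" control)
    - success without MFA (the "enforce MFA" control)
    - account idle longer than dormant_days (the "remove inactive accounts" control)
    Failed logins are ignored here; they are noise for this particular question.
    """
    seen = dict(last_seen)  # copy so repeated logins in one window are only flagged once
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        if not e.success:
            continue
        src = ip_address(e.src)
        if not any(src in net for net in TRUSTED_NETS):
            findings.append((e.user, f"login from untrusted source {e.src}"))
        if e.mfa == "none":
            findings.append((e.user, "successful login without MFA"))
        prev = seen.get(e.user)
        if prev is not None and e.ts - prev > timedelta(days=dormant_days):
            findings.append((e.user, f"dormant account ({(e.ts - prev).days} days idle) logged in"))
        seen[e.user] = e.ts
    return findings


if __name__ == "__main__":
    for user, reason in triage(parse(SAMPLE_LOG), LAST_SEEN):
        print(f"{user}: {reason}")
```

Run against the sample, the script flags both `jsmith` logins and the `admin` login as coming from outside the trusted networks, and flags `svc-backup` twice: once for authenticating without MFA and once for being a dormant account. A login that passes all three checks (here `mlee`) is not a guarantee of safety, which is the point the reports make: TOTP-protected accounts on fully patched devices were still compromised, so these checks narrow the triage list rather than replace the vendor's advice to disable SSLVPN while the investigation continues.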
