
SonicWall customers hit by fresh, ongoing attacks targeting fully patched SMA 100 devices

Google Threat Intelligence Group said a financially motivated threat group is abusing the outdated remote access VPN devices, underscoring a continued pattern of threats confronting SonicWall customers.
SonicWall's headquarters in Milpitas, California. (Getty Images)

A financially motivated threat group is attacking organizations using fully patched, end-of-life SonicWall Secure Mobile Access 100 series appliances, Google Threat Intelligence Group said in a report released Wednesday.

The group, which Google identifies as UNC6148, is using previously stolen admin credentials to gain access to SonicWall SMA 100 series appliances, remote access VPN devices the vendor stopped selling and supporting earlier this year. UNC6148 is likely intruding into networks to steal data for extortion and possibly deploy ransomware, according to researchers.

The attacks underscore the persistent risk SonicWall customers have faced from exploited vulnerabilities, especially a series of defects in the outdated SonicWall SMA 100 series devices.

The vendor has appeared 14 times on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since late 2021. Half of those exploited vulnerabilities affect SonicWall SMA 100 appliances, including three of the four defects added to CISA’s catalog this year.


“In response to the evolving threat landscape — and in alignment with our commitment to transparency and customer protection — SonicWall plans to accelerate the end-of-support date for the SMA 100,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop.

“SonicWall has been actively guiding customers toward more modern, secure solutions such as our Cloud Secure Edge service and the SMA 1000 series,” he added.

“We understand that not all customers have transitioned yet, and we remain committed to supporting existing SMA 100 deployments with firmware updates throughout the remaining lifecycle. These updates may become more frequent as we prioritize risk mitigation and the ongoing protection of our user base,” Fitzgerald said.

Google said it lacks evidence of the initial infection vector UNC6148 used to access SonicWall devices because the threat group’s malware selectively removes log entries. Still, researchers said UNC6148 could have exploited several vulnerabilities, including CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039 or CVE-2025-32819.

“UNC6148 may have used one of the mentioned CVEs to obtain administrator credentials prior to the targeted appliance being updated to the latest firmware version (10.2.1.15-81sv), and then used them to later establish a VPN session before possibly exploiting another unknown vulnerability after the appliance was fully updated,” Zander Work, senior security engineer at Google Threat Intelligence Group, said in an email.


“However, there was insufficient forensic data to confirm this for incidents that we have investigated to date,” Work added.

Insights into post-compromise activities are also limited. “We believe that UNC6148 may conduct data theft for extortion or possibly ransomware deployment as the end-stage goal of their intrusions, but haven’t been able to confirm this due to limited investigative insights at this time,” Work said.

One of UNC6148’s targeted victims appeared on the World Leaks data leak site in June, and the threat group’s activity overlaps with SonicWall exploitation in late 2023 and early 2024, including attacks involving the deployment of Abyss-branded ransomware, according to Google.

Exploited SonicWall defects are popular vectors for ransomware, with the majority of the vendor’s CVEs on CISA’s catalog — 9 out of 14 — known to be used in ransomware campaigns, according to the federal agency.
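A defender reading figures like the ones quoted above (entries per vendor, the SMA 100 share, ransomware use) would want to reproduce them from CISA's catalog rather than take them on faith. The following is an added example, not code from the article or from Google or SonicWall: it reads a catalog in the shape of CISA's public KEV JSON feed (the field names match the feed; SAMPLE_KEV itself is a constructed stand-in, with placeholder dates and ransomware flags, and CVE-0000-* entries are placeholders) and computes those counts, plus a lookup for the CVEs the report names.

```python
"""Cross-check a KEV-format catalog for one vendor, as a defender would when
validating figures quoted in coverage of a campaign. SAMPLE_KEV is constructed:
its keys follow CISA's KEV JSON feed, but dates and flags are not the real data."""
import json
from typing import Iterable

SAMPLE_KEV = json.dumps({"vulnerabilities": [  # constructed entries, not the real catalog
    {"cveID": "CVE-2021-20038", "vendorProject": "SonicWall",
     "product": "SMA 100 Series Appliances", "dateAdded": "2021-12-01",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2021-20039", "vendorProject": "SonicWall",
     "product": "SMA 100 Series Appliances", "dateAdded": "2022-01-01",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-32819", "vendorProject": "SonicWall",
     "product": "SMA 100 Series Appliances", "dateAdded": "2025-01-01",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0001", "vendorProject": "SonicWall",  # placeholder ID
     "product": "Other Product", "dateAdded": "2022-01-01",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "OtherVendor",  # placeholder ID
     "product": "Widget", "dateAdded": "2023-01-01",
     "knownRansomwareCampaignUse": "Known"},
]})

def vendor_entries(kev_json: str, vendor: str, since: str = "0000-00-00") -> list[dict]:
    """Catalog entries for `vendor` whose dateAdded (ISO date) is on or after `since`."""
    data = json.loads(kev_json)
    return [v for v in data["vulnerabilities"]
            if v["vendorProject"].lower() == vendor.lower() and v["dateAdded"] >= since]

def vendor_summary(kev_json: str, vendor: str, product_keyword: str,
                   since: str = "0000-00-00") -> dict:
    """The three counts the article quotes: total vendor entries, entries whose
    product field names one product line, and entries flagged for ransomware use."""
    entries = vendor_entries(kev_json, vendor, since)
    return {
        "total": len(entries),
        "product": sum(product_keyword.lower() in v["product"].lower() for v in entries),
        "ransomware": sum(v["knownRansomwareCampaignUse"] == "Known" for v in entries),
    }

def check_cves(kev_json: str, cves: Iterable[str]) -> dict:
    """Map each CVE of interest to (present in catalog, ransomware flag or None)."""
    index = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    return {c: (c in index, index[c]["knownRansomwareCampaignUse"] if c in index else None)
            for c in cves}

if __name__ == "__main__":
    print(vendor_summary(SAMPLE_KEV, "SonicWall", "SMA 100", since="2021-10-01"))
    print(check_cves(SAMPLE_KEV, ["CVE-2021-20038", "CVE-2024-38475", "CVE-2025-32819"]))
```

Against the real feed (the `vulnerabilities` array of CISA's KEV JSON), the same functions give the live counts; the sample only exercises the logic.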

Mandiant learned more about UNC6148’s technical operations during an investigation into an attack in June. In that attack, UNC6148 established an SSL VPN session on an SMA 100 series appliance using local administrator credentials before it deployed a reverse shell through unknown means.


The reverse shell allowed the threat group to perform reconnaissance, manipulate files, and export and import settings on the SMA 100 appliance, before it deployed the OVERSTEP backdoor, which Google described in technical detail in its report.

The investigation helped Google “learn more about how [UNC6148] may leverage previously compromised SonicWall appliances for further intrusion operations, even after organizations have applied security updates,” Work said.

Google and SonicWall declined to say how many SonicWall SMA 100 devices have been abused by UNC6148, or how many organizations have been affected by this ongoing campaign.
