Threat actors are breaching end-of-life appliances from cybersecurity company SonicWall, gaining access to critical organizational data.
Google GTIG and Mandiant report an active cyber campaign by an unknown threat group using stolen credentials and OTP seeds from past breaches to regain access—even after security patches are applied.
Google says it can’t yet determine the threat actors’ location, intent, or full victim count. The group, tracked as UNC6148, has reportedly been active since October 2024.
The campaign targets fully patched, end-of-life SonicWall SMA 100 series devices. Google says the malware erases log entries, obscuring how hackers first accessed the systems.
According to Google, the attack campaign is more widespread than initially assessed, and SonicWall has acknowledged other impacted entities. An advisory for CVE-2024-38475 has been updated accordingly.
"As an added security measure, we strongly advise customers to reset the OTP (One-Time Password) binding for all users. This step ensures that any potentially compromised or stale OTP secrets are invalidated, thereby mitigating unauthorized access risks," SonicWall said in the update to the advisory.
OVERSTEP
The campaign features a new backdoor, OVERSTEP, that tampers with the SonicWall appliance’s boot sequence to stay hidden, steal credentials, and maintain long-term access.
Tracking the attackers proved challenging for responders, since OVERSTEP gave them the ability to delete system logs and obscure their movements.
Google reports that OVERSTEP was specifically built to target SonicWall SMA 100 series devices.