SonicWall Hunts for Zero-Day Amid Surge in Firewall Exploitation


A recently observed surge in ransomware attacks targeting SonicWall firewalls for initial access suggests that a potential zero-day vulnerability is being exploited, security researchers warn.

Google Threat Intelligence Group (GTIG) was the first to warn of the new wave of activity in mid-July, when it noted that login information stolen in previous attacks was likely used to compromise SonicWall appliances that had been fully patched against known vulnerabilities.

As part of the observed incidents, the threat actors were deploying a new backdoor/user-mode rootkit dubbed Overstep, which was designed to modify the device’s boot process for persistence and data theft.

At the same time, GTIG noted that the threat actor behind the attacks, tracked as UNC6148, “may have used an unknown zero-day remote code execution vulnerability to deploy Overstep on opportunistically targeted SonicWall SMA appliances”.

In early August, cybersecurity firms Arctic Wolf and Huntress issued fresh alerts on cyberattacks targeting ...


Copyright of this story solely belongs to SecurityWeek.