Google has discovered a new backdoor in SonicWall network devices that attackers are using to gain access to sensitive data.
SonicWall firewalls are once again under attack. Google’s security team discovered a backdoor and describes it in detail in a blog post. The backdoor specifically targets SonicWall SMA 100 series devices and may be the aftermath of previous vulnerabilities in the manufacturer’s firewalls.
Remarkably, the affected devices were fully patched. The attackers gained access using previously stolen login credentials and one-time password “seeds”. While the initial infection vector is difficult to trace, Google’s security team suspects the attackers exploited known vulnerabilities in the systems.
Overstep
In this new wave of attacks, a previously unknown backdoor, designated Overstep, is installed. This backdoor modifies the boot process of affected devices, providing persistent access, stealing sensitive data, and hiding the malware’s presence.
The backdoor’s primary objective is to establish a reverse shell. This allows attackers to remotely execute commands and exfiltrate data, such as passwords and certificates.
The malware evades traditional detection methods: it uses standard system functions for file handling and conceals itself within system files and log files. It can also be used to execute commands, such as opening a reverse shell or exfiltrating stored login credentials.
Recommendations
Google advises organizations using SonicWall SMA 100 series devices to immediately change all login credentials to prevent further compromise. This attack underscores the importance of timely security patches and of active monitoring for unusual network activity and unauthorized access attempts.
It is also important to search for suspicious files and modified system configurations. If signs of compromise are detected, the affected system must be isolated immediately to prevent further damage.