Overview

• Security firms have observed intrusions on Gen 7 SonicWall SSL VPNs since mid-July that bypass MFA and credential rotation, suggesting a likely zero-day vulnerability.
• Huntress analysts identified over 20 attacks from July 25 featuring rapid pivots to domain controllers and deployment of the OVERSTEP rootkit ahead of ransomware encryption.
• Google Threat Intelligence Group assessed moderate confidence that UNC6148 affiliates exploited an unknown flaw to install a persistent backdoor on fully patched SMA appliances.
• SonicWall has recommended that customers disable SSL VPN services when possible, restrict connections to trusted IPs, enforce multi-factor authentication and enable security features such as botnet protection.
• The vendor is working with Arctic Wolf Labs, GTIG and Huntress to determine if the incidents stem from a known flaw or a new zero-day before rolling out firmware updates.