SonicWall SMA persistence operation

UNC6148 is exploiting SonicWall Secure Mobile Access (SMA) appliances to preserve access on remote-access infrastructure that protects on-premises, cloud-based, and hybrid applications. At the center of the intrusion chain is OVERSTEP, a persistent backdoor/user-mode rootkit that modifies the appliance boot process and can steal credentials, conceal files and components, delete log entries, and hide activity. The available evidence also points to stolen credentials and one-time password seeds from earlier breaches, with some intrusions possibly using an unknown zero-day remote code execution flaw to load the payload on opportunistically targeted devices. SonicWall has issued firmware guidance for SMA 100 series appliances, including version 10.2.2.2-92sv, to help remove known rootkit malware. The vendor and Google Threat Intelligence Group advise looking for SMA log gaps or deletions, unexpected reboots, persistent or unexplained admin sessions, and unauthorized configuration changes. Available evidence does not quantify how many appliances were compromised, and it remains unclear in each intrusion whether initial access came from stolen credentials, OTP abuse, or a newly used exploit.