Weekly Alerts
23 July 2025

Weekly Summary Cyberattacks 17-23 July

Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign Using the OVERSTEP Backdoor

According to information dated July 16, 2025, a financially motivated threat group tracked as UNC6148 is actively targeting end-of-life but fully patched SonicWall Secure Mobile Access (SMA) 100 series appliances. The campaign combines previously stolen credentials with a newly identified persistent backdoor/rootkit, dubbed OVERSTEP. Google's Threat Intelligence Group (GTIG) and Mandiant have confirmed that these attacks enable persistent access and credential theft even after firmware updates are applied. OVERSTEP is a 32-bit ELF shared object compiled for x86, designed to hook standard library functions such as open, readdir, and write via ld.so.preload, which gives it both stealth and control over the compromised device. The initial compromise likely stems from the exploitation of known vulnerabilities in SonicWall appliances before they were patched, such as CVE-2024-38475, which allows unauthenticated path traversal and database exfiltration. Other vulnerabilities that may have been leveraged include CVE-2021-20038, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. Notably, GTIG suspects UNC6148 may also have used a previously unknown zero-day to deploy OVERSTEP. After stealing credentials, UNC6148 used a VPS hosted by BitLaunch to access appliances via SSL VPN and established reverse shells, which allowed them to modify network access policies and implant OVERSTEP. The malware persists by modifying the boot process: it injects itself into the INITRD image and alters the /etc/rc.d/rc.fwboot script. Timestomping and the hiding of its components through user-mode rootkit techniques help it evade detection. OVERSTEP lets the attackers establish reverse shells (via the dobackshell command) and exfiltrate sensitive files such as credentials and OTP seeds (via the dopasswords command). Commands are delivered via malicious HTTP requests and parsed through the hijacked write function.
Post-compromise, UNC6148 performs anti-forensic operations, deleting logs and avoiding shell history to hide its activities. Although immediate ransomware deployment has not been confirmed, GTIG found links between UNC6148 activity and previous Abyss-branded ransomware deployments. One UNC6148 target from May 2025 was later listed on the "World Leaks" extortion site in June, suggesting this campaign is part of a broader effort that may culminate in data extortion or ransomware. Because the malware can persist and evade detection, GTIG urges all SonicWall SMA users to inspect their appliances for indicators of compromise, obtain disk images for forensic review, and rotate all credentials, OTP seeds, and certificates, regardless of patch status.
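The forensic review GTIG recommends starts from a disk image rather than the live appliance. The following is an added example (not code from GTIG, Mandiant or SonicWall) of offline triage helpers keyed to the OVERSTEP traits described above: ld.so.preload entries, the ELF properties of any preloaded object (a 32-bit x86 shared object), and a modified rc.fwboot. It assumes the image has already been mounted or extracted under a directory, and the known-good rc.fwboot hash is a placeholder to be taken from a clean appliance of the same firmware build.

```python
"""Offline triage of an extracted SonicWall SMA filesystem for OVERSTEP traits.
Assumption: the image is mounted/extracted under `root`; the rc.fwboot hash
below is a placeholder, not a real value."""
from __future__ import annotations
import hashlib
import struct
from pathlib import Path

KNOWN_GOOD_RC_FWBOOT_SHA256 = "<sha256-of-rc.fwboot-from-clean-appliance>"  # placeholder

def parse_preload(text: str) -> list[str]:
    """Whitespace-separated library paths from ld.so.preload; normally absent/empty."""
    return text.split()

def elf_summary(data: bytes) -> dict | None:
    """Decode EI_CLASS, e_type and e_machine from an ELF header; None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {"bits": {1: 32, 2: 64}.get(data[4]),   # EI_CLASS
            "type": {2: "ET_EXEC", 3: "ET_DYN"}.get(e_type, hex(e_type)),
            "machine": {3: "EM_386", 62: "EM_X86_64"}.get(e_machine, hex(e_machine))}

def matches_overstep_profile(summary: dict | None) -> bool:
    """32-bit x86 shared object, as described for OVERSTEP. A match is a lead, not a verdict."""
    return bool(summary) and summary["bits"] == 32 and summary["type"] == "ET_DYN" \
        and summary["machine"] == "EM_386"

def rc_fwboot_modified(data: bytes, known_good_sha256: str) -> bool:
    """True when the boot script's SHA-256 differs from the known-good value."""
    return hashlib.sha256(data).hexdigest() != known_good_sha256.lower()

def triage(root: Path) -> dict:
    """Run all checks over an extracted image rooted at `root`."""
    preload = root / "etc" / "ld.so.preload"
    entries = parse_preload(preload.read_text(errors="replace")) if preload.is_file() else []
    libs = {}
    for entry in entries:
        lib = root / entry.lstrip("/")             # preload paths are absolute inside the image
        summary = elf_summary(lib.read_bytes()[:20]) if lib.is_file() else None
        libs[entry] = {"present": lib.is_file(), "elf": summary,
                       "overstep_like": matches_overstep_profile(summary)}
    script = root / "etc" / "rc.d" / "rc.fwboot"
    modified = (rc_fwboot_modified(script.read_bytes(), KNOWN_GOOD_RC_FWBOOT_SHA256)
                if script.is_file() else None)
    return {"ld_so_preload": libs, "rc_fwboot_modified": modified}
```

Any preload entry at all is worth pulling for analysis; the ELF profile check only prioritises which one to look at first.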

MaaS Operation Using Emmenhtal and Amadey

According to information dated July 17, 2025, researchers identified a Malware-as-a-Service (MaaS) operation that used Amadey malware and Emmenhtal loaders to deliver payloads via public GitHub repositories. Several of the observed TTPs overlap with a prior SmokeLoader phishing campaign, identified in early 2025, that targeted Ukrainian entities. While analysing that SmokeLoader campaign, which also used Emmenhtal loaders, researchers discovered Emmenhtal samples that were not part of the original activity cluster. These samples were not distributed via email but were instead found in various GitHub repositories. Hosted on three GitHub accounts, they were being used to deliver Amadey, which in turn downloaded a variety of custom payloads from other public GitHub repositories. The accounts served as open directories for payloads, including AsyncRAT, PuTTY, and information stealers. The MaaS operators used GitHub to bypass web filtering and distribute files with ease: many organisations with software development teams require some level of access to GitHub, and in those environments a malicious GitHub download is hard to distinguish from regular web traffic. The impact of this event is significant because it shows how trusted platforms are being abused to host and deliver malware, making detection more difficult. The use of Emmenhtal across different campaigns suggests possible coordination among threat groups, and the operation illustrates the sophistication of Malware-as-a-Service.

PoisonSeed Phishing Campaign Abuses Cross-Device MFA to Bypass FIDO2 Protections

According to information dated July 19, 2025, researchers uncovered a PoisonSeed phishing campaign that bypasses FIDO2 security key protections by exploiting the legitimate cross-device sign-in feature of WebAuthn. The attackers abuse this feature to trick victims into authorizing fraudulent logins from fake corporate portals. The PoisonSeed threat actors are known for large-volume phishing attacks aimed at financial fraud. This campaign begins by luring users to phishing sites that impersonate popular enterprise login pages, such as Okta and Microsoft 365. When users submit their credentials, an adversary-in-the-middle backend relays them to the real login portals. Instead of prompting for the victim's physical FIDO2 security key, the phishing backend initiates cross-device authentication, causing the legitimate site to generate a QR code. This QR code is displayed on the phishing page and, when scanned by the victim's mobile device, completes the attacker's login session. The impact of this event is significant: the method exploits no technical flaw but instead downgrades the authentication process, highlighting the risk of social engineering even against phishing-resistant systems.
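The lever a relying party holds against this downgrade is the authentication ceremony it issues: which credentials it lists, which transports it advertises for them, and what it accepts back. The following is an added example (not code from the researchers' report or from any vendor) of such a server-side policy in Python. It assumes a hypothetical credential store where each registered credential keeps the credential id and the transports the browser reported at registration; `RP_ID` is a placeholder.

```python
"""Relying-party policy for WebAuthn authentication ceremonies: omit the 'hybrid'
(cross-device) transport from allowCredentials, hint the security-key UI, and
reject assertions from credentials the policy does not cover. Assumed data
model: {"id": bytes, "transports": [str, ...]} per registered credential."""
from __future__ import annotations
import base64

RP_ID = "sso.example.test"  # placeholder relying-party id
HYBRID = "hybrid"           # AuthenticatorTransport value for cross-device (QR) sign-in
HARDWARE_KEY_TRANSPORTS = {"usb", "nfc", "ble", "smart-card"}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_allow_credentials(registered: list[dict], forbid_hybrid: bool = True) -> list[dict]:
    """PublicKeyCredentialDescriptor list. Transports are a hint to the browser; dropping
    'hybrid' asks it not to advertise cross-device sign-in for that credential. A credential
    reachable only through the forbidden transport is left out of the ceremony entirely."""
    out = []
    for cred in registered:
        transports = [t for t in cred["transports"] if not (forbid_hybrid and t == HYBRID)]
        if cred["transports"] and not transports:
            continue
        out.append({"type": "public-key", "id": b64url(cred["id"]), "transports": transports})
    return out

def build_request_options(challenge: bytes, registered: list[dict]) -> dict:
    """PublicKeyCredentialRequestOptions sent to the browser. `hints` (WebAuthn Level 3)
    asks the client to lead with the security-key flow rather than the cross-device one."""
    return {"challenge": b64url(challenge), "rpId": RP_ID, "userVerification": "preferred",
            "allowCredentials": build_allow_credentials(registered),
            "hints": ["security-key"]}

def evaluate_assertion(asserted_id: bytes, allow: list[dict], registered: list[dict],
                       require_hardware_key: bool) -> tuple[bool, str]:
    """Policy gate to run before signature verification. Returns (accept, reason)."""
    if b64url(asserted_id) not in {d["id"] for d in allow}:
        return False, "credential was not in the allowCredentials issued for this ceremony"
    cred = next((c for c in registered if c["id"] == asserted_id), None)
    if cred is None:
        return False, "unknown credential"
    if require_hardware_key and not (set(cred["transports"]) & HARDWARE_KEY_TRANSPORTS):
        return False, "credential was not registered over a hardware-key transport"
    return True, "ok"
```

The transports hint and `hints` field steer the browser's UI but are not enforced by it, so the post-assertion check is the part that actually holds the line.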

Poland Investigates Sabotage After Air Traffic Control Disruption

According to information dated July 21, 2025, Poland's Internal Security Agency (ABW) launched an investigation into possible sabotage after a sudden technical failure disrupted the country's air traffic control system on July 19, 2025. The disruption delayed departures from major airports including Warsaw, Kraków, and Gdańsk, but no flights were canceled. Operations were restored when the Polish Air Navigation Services Agency (PANSA) switched to a backup system. Although the outage has not been officially linked to a cyberattack, data is being analyzed for signs of deliberate interference, and authorities are reviewing potential links to Russian hybrid operations. The impact of this event is significant as it highlights growing concern across Europe over Russian sabotage and hybrid threats.

Submarine Cables Face Increasing Threats Amid Geopolitical Tensions

According to information dated July 17, 2025, researchers have observed an escalation in threats to submarine cable infrastructure over the past 18 months, driven by geopolitical tensions and a surge in reported cable damage. State-linked actors, particularly from Russia and China, are increasingly suspected of using low-sophistication tactics such as anchor dragging to damage cables in sensitive regions such as the Baltic Sea and the waters around Taiwan. The documented incidents highlight systemic vulnerabilities in areas with limited redundancy, route diversity, and repair capacity; in regions such as West and Central Africa, damage has caused major, prolonged outages. Submarine cables carry approximately 99% of global data traffic, making them a critical component of telecommunications and financial systems, and a high-impact attack on multiple cables could severely disrupt internet access and global connectivity for extended periods. The impact of this event could be significant: damage to submarine cable infrastructure poses a serious risk to the confidentiality, integrity, and availability of global data flows, and the increase in state-sponsored sabotage introduces a new vector of cyber-physical attacks that can disrupt digital infrastructure without using traditional cyber tools.