Zero-Day Vulnerability Exploited to Deploy Stealthy Overstep Backdoor


Attackers likely linked to the Abyss ransomware group are exploiting a probable zero-day vulnerability in fully patched Secure Mobile Access (SMA) 100 series gear to deploy a stealthy backdoor known as Overstep, DarkReading reports.
The campaign begins with the harvesting of local administrator credentials and one-time password seeds, which may have been acquired through earlier intrusions or credential sales. Using these credentials, the attackers establish SSL VPN access to the device, bypassing traditional initial access exploits.
Once inside, the attackers execute a reverse shell to escalate their privileges, suggesting exploitation of an unknown flaw that bypasses existing protections. They then perform reconnaissance, extract configuration data, and alter device settings offline to inject malicious access control rules, effectively locking in long-term persistence.
The core implant, Overstep, is a 32-bit ELF shared library written in C that integrates into every running process by hijacking the system’s dynamic linker. It functions as a user-mode rootkit, hooking core Linux library functions to conceal its activity, files, and network connections. Overstep also modifies the system’s bootloader to ensure it remains active across reboots, complicating detection and removal.
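A preload-style user-mode rootkit of the kind described above leaves two cheap signals: an entry in the loader's preload file, and one shared object mapped into nearly every dynamically linked process from a location where no packaged library lives. The script below is an added defender-side illustration, not code from the report, from Halcyon, or from the Overstep implant itself; the preload contents, process map excerpts and the /tmp/.cache/libhook.so path are constructed placeholders, not indicators from the campaign, and the trusted-directory list and 90% threshold are assumptions to tune per host.

```python
"""Audit for a userland LD_PRELOAD-style hook: preload file entries plus shared
objects that appear in (almost) every process from an untrusted directory."""
import os
from collections import Counter
from typing import Dict, List, Set, Tuple

# Assumption: packaged shared objects live under these prefixes on the target image.
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Constructed sample of /etc/ld.so.preload on an implanted host (placeholder path).
SAMPLE_PRELOAD = "# constructed sample\n/tmp/.cache/libhook.so\n"

# Constructed /proc/<pid>/maps excerpts: three processes, one benign plugin in only one of them.
SAMPLE_MAPS: Dict[int, str] = {
    1: ("55d0a0000000-55d0a0020000 r--p 00000000 08:01 1234 /sbin/init\n"
        "7f1a00000000-7f1a00030000 r--p 00000000 08:01 2222 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
        "7f1a00100000-7f1a00110000 r--p 00000000 08:01 9999 /tmp/.cache/libhook.so\n"
        "7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]\n"),
    2: ("55e000000000-55e000010000 r--p 00000000 08:01 1300 /opt/app/bin/server\n"
        "7f2b00000000-7f2b00030000 r--p 00000000 08:01 2222 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
        "7f2b00040000-7f2b00050000 r--p 00000000 08:01 3333 /opt/app/lib/libplugin.so\n"
        "7f2b00100000-7f2b00110000 r--p 00000000 08:01 9999 /tmp/.cache/libhook.so\n"),
    3: ("55f000000000-55f000010000 r--p 00000000 08:01 1400 /usr/sbin/sshd\n"
        "7f3c00000000-7f3c00030000 r--p 00000000 08:01 2222 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
        "7f3c00100000-7f3c00110000 r--p 00000000 08:01 9999 /tmp/.cache/libhook.so\n"
        "7f3c00200000-7f3c00201000 rw-p 00000000 00:00 0\n"),
}


def parse_preload(text: str) -> List[str]:
    """Entries of ld.so.preload: one path per line, '#' comments and blank lines ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def parse_maps(text: str) -> Set[str]:
    """File-backed mappings in a /proc/<pid>/maps dump whose path looks like a shared object."""
    libs = set()
    for line in text.splitlines():
        parts = line.split(None, 5)          # address perms offset dev inode [path]
        if len(parts) == 6 and parts[5].startswith("/") and ".so" in parts[5]:
            libs.add(parts[5])
    return libs


def is_trusted_path(path: str) -> bool:
    return path.startswith(TRUSTED_LIB_PREFIXES)


def ubiquitous_untrusted_libs(maps_by_pid: Dict[int, str], min_fraction: float = 0.9) -> Set[str]:
    """Shared objects present in at least min_fraction of processes that map any .so at all,
    excluding trusted directories. Processes with no .so mappings (kernel threads, static
    binaries) are skipped so they do not dilute the ratio."""
    counts: Counter = Counter()
    sampled = 0
    for text in maps_by_pid.values():
        libs = parse_maps(text)
        if not libs:
            continue
        sampled += 1
        counts.update(libs)
    if sampled == 0:
        return set()
    return {p for p, n in counts.items() if n >= min_fraction * sampled and not is_trusted_path(p)}


def audit(preload_text: str, maps_by_pid: Dict[int, str]) -> List[Tuple[str, str]]:
    """Combine both signals into a list of (reason, path) findings."""
    findings = [("ld.so.preload entry", e) for e in parse_preload(preload_text)]
    for path in sorted(ubiquitous_untrusted_libs(maps_by_pid)):
        findings.append(("mapped into nearly every process from an untrusted path", path))
    return findings


def audit_live_host() -> List[Tuple[str, str]]:
    """Run the same checks against the running Linux host's /etc/ld.so.preload and /proc."""
    try:
        with open("/etc/ld.so.preload") as f:
            preload = f.read()
    except OSError:
        preload = ""
    maps = {}
    for pid in os.listdir("/proc"):
        if pid.isdigit():
            try:
                with open(f"/proc/{pid}/maps") as f:
                    maps[int(pid)] = f.read()
            except OSError:
                continue  # process exited or not readable
    return audit(preload, maps)


if __name__ == "__main__":
    for reason, path in audit(SAMPLE_PRELOAD, SAMPLE_MAPS):
        print(f"{reason}: {path}")
```

The caveat that matters in practice: a hook that intercepts open, read or readdir can hide the preload file and its own map lines from any dynamically linked tool, including this script when run through the host's libc. Collect the inputs from a statically linked binary, a rescue image or an offline copy of the disk, and diff that view against what the live host reports; a discrepancy is itself the finding. Because the implant also reaches the bootloader, a clean result from the running system alone should not be taken as proof the device is clean.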
Researchers indicate the tactics closely align with those used by UNC6148 and suspect the attackers are chaining the unknown zero-day with previously disclosed vulnerabilities, including CVE-2019-7481 (command injection), CVE-2021-20038 (stack-based buffer overflow), and CVE-2021-20039 (post-authentication remote code execution).
These known flaws may have been leveraged to collect credentials in earlier phases of the campaign, enabling the more advanced stages involving lateral movement and deployment of the Overstep backdoor.
Takeaway: What we’re seeing here is the blueprint for how ransomware continues to win. These attacks against fully patched devices using a zero-day and dropping a rootkit-level implant like Overstep aren’t just a warning sign; they’re a stark reminder that most organizations are outmatched.
Even the most mature enterprises with layered defenses and robust response teams are struggling to keep up. When attackers bring this level of sophistication, what chance do smaller businesses, healthcare providers, or schools really have?
The complexity and pace of these intrusions are concerning. Attackers are walking right past established controls, embedding themselves deep in the infrastructure, and quietly exfiltrating massive volumes of sensitive data.
In some cases, they complete the job in just days or mere hours. And there are so many vulnerabilities ransomware operators are exploiting that CISA had to build a whole catalog just to track them. Not a list, but a catalog. That says everything about the scale of the problem.
This isn’t about poor hygiene or missed patches. The threat actors are evolving faster than most security stacks can adapt. They are building tools to bypass everything we rely on, and they are testing those tools in real-world campaigns. Defenders are having a hard time keeping up.
If there’s any path forward, it starts with serious collaboration. Public and private sectors need to be aligned, sharing intelligence and mitigation strategies in real time. Because right now, the attackers have every advantage, and the cost of doing nothing keeps getting higher.
Halcyon eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.