
SonicWall SMA100 Update Eradicates Rootkit Malware

Summary

– SonicWall released firmware update 10.2.2.2-92sv for SMA 100 series devices to remove known rootkit malware.
– The update follows a Google report on threat actor UNC6148 deploying OVERSTEP rootkit malware on end-of-life devices.
– OVERSTEP malware steals sensitive files to maintain persistent access and harvest credentials and certificates.
– Researchers noted overlaps between these attacks and previous incidents involving Abyss-related ransomware.
– SonicWall urged admins to upgrade firmware and reset credentials due to recent security incidents.

A critical firmware update from SonicWall now provides the capability to eradicate rootkit malware discovered on SMA 100 series appliances. The newly released build introduces enhanced file integrity checks designed to identify and remove the malicious components, offering a vital remediation path for affected organizations. This development addresses a significant security threat that could otherwise lead to prolonged unauthorized access.

SonicWall has strongly advised all users of its SMA 100 series products, including the SMA 210, 410, and 500v models, to immediately upgrade to the 10.2.2.2-92sv version. The urgency of this update stems from a recent threat intelligence report detailing active attacks. Researchers observed a threat actor, tracked as UNC6148, deploying a user-mode rootkit known as OVERSTEP onto vulnerable devices. This malware is particularly dangerous because it allows attackers to maintain a persistent foothold.

The OVERSTEP rootkit operates by hiding its malicious components and establishing a reverse shell connection from the compromised device back to the attackers’ server. Its functionality includes stealing highly sensitive files, such as the `persist.database` and certificate files. This theft provides hackers with access to user credentials, one-time password (OTP) seeds, and digital certificates, which they can use to ensure their access remains even after reboots or other system changes.
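The "file integrity checks" the update introduces are, at their core, a comparison of the appliance's current files against a known-good baseline. The following script is an added illustration of that idea, not SonicWall's code and not a description of its firmware: it hashes every regular file under a directory, stores the result as a baseline, and on a later pass reports which files were added, modified, or removed. The directory layout and file names are constructed for the demonstration; the real SMA filesystem is not described on the page.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk: int = 65536) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256.

    Symlinks and non-regular files are skipped; the caller decides how to treat
    them, since a link pointing elsewhere is a change in its own right.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences as files added, modified, or removed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        f for f in baseline.keys() & current.keys() if baseline[f] != current[f]
    )
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate the three kinds of
    change an integrity check must flag, and return the resulting report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "config.txt").write_text("mode=normal\n")
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF-original")
        before = build_baseline(root)

        # Simulated changes (constructed for the demo, not real malware behaviour).
        (root / "bin" / "service").write_bytes(b"\x7fELF-patched")  # modified
        (root / "bin" / "libhook.so").write_bytes(b"\x7fELF-new")   # added
        (root / "etc" / "config.txt").unlink()                       # removed
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, files in demo().items():
        for f in files:
            print(f"{kind:9s} {f}")
```

The caveat a practitioner should keep in mind: a scan like this runs through the host's own filesystem APIs, and a user-mode rootkit that hides its components by hooking directory listing can hide from it too. That is why a check performed from a trusted vantage point, such as the vendor's updated firmware image or an offline copy of the storage, is worth more than a script run on a possibly compromised appliance, and why resetting credentials, OTP seeds, and certificates after cleanup matters regardless of what the scan reports.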

While the ultimate objective of the UNC6148 group remains unclear, investigators have noted significant connections to ransomware operations. The campaign shows “noteworthy overlaps” with incidents involving Abyss ransomware. In one case from late 2023, forensic analysis by Truesec revealed that hackers had installed a web shell on an SMA appliance, allowing them to persist through firmware updates. A separate incident in March 2024, reported by incident responder Stephan Berger, also led to the deployment of Abyss malware following a similar compromise.

SonicWall emphasized that the threat intelligence underscores the potential risks of running outdated firmware. The company is urging system administrators to not only apply this latest patch but also to review and implement the security measures detailed in a previous July advisory. This situation highlights the critical importance of maintaining up-to-date software, especially for devices approaching their end-of-support date.

This security update is the latest in a series of recent advisories from the network security vendor. Just last week, SonicWall warned customers to reset their credentials after firewall configuration backup files were exposed in brute-force attacks targeting a cloud backup API service. Furthermore, in August, the company addressed claims regarding the Akira ransomware gang, clarifying that attacks were exploiting a known, patched vulnerability (CVE-2024-40766) rather than a new zero-day flaw. The Australian Cyber Security Centre and Rapid7 have since confirmed that the Akira group is actively targeting unpatched SonicWall devices using this vulnerability.

(Source: Bleeping Computer)
