SonicWall has released a firmware update that can help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices.
“SonicWall SMA 100 10.2.2.2-92sv build has been released with additional file checking, providing the capability to remove known rootkit malware present on the SMA devices,” the company said in a Monday advisory.
“SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the 10.2.2.2-92sv version.”
The update follows a July report from researchers at the Google Threat Intelligence Group (GTIG), who observed a threat actor tracked as UNC6148 deploying OVERSTEP malware on end-of-life (EoL) SonicWall SMA 100 devices that will reach end-of-support next week, on October 1, 2025.
OVERSTEP is a user-mode rootkit that enables attackers to maintain persistent access by using hidden malicious components and establishing a reverse shell on compromised devices. The malware steals sensitive data, including the persist.db database and certificate files, giving hackers access to credentials, OTP seeds, and certificates that further enable persistence.
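The "additional file checking" the advisory describes is, in general terms, a comparison of what is on the appliance against a known-good baseline so that files a rootkit added or replaced stand out. The following is an added illustration of that generic technique, not SonicWall's implementation and not code from the GTIG report; the directory layout, file names (`lib/libsystem.so`, `etc/persist.db`, `lib/libhidden.so`) and file contents are constructed for the demo and are not the SMA firmware's real paths.

```python
"""File-integrity baseline check: snapshot a clean tree, then diff a later
snapshot against it to surface added, removed or altered files.
Added example; not SonicWall or GTIG code. All paths are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (as a relative POSIX path) to its hash.
    Symlinks are skipped so a link pointing outside the tree is not hashed."""
    baseline: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files present only now (added), only in the baseline (removed),
    or present in both with different content (modified)."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in both if baseline[k] != current[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean snapshot, then a simulated tamper in which
    one shared library is replaced and one unexpected file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "etc").mkdir()
        (root / "lib" / "libsystem.so").write_bytes(b"clean shared object")  # constructed
        (root / "etc" / "persist.db").write_bytes(b"sqlite baseline")        # constructed
        clean = build_baseline(root)

        # Simulated post-compromise state (constructed, not real malware).
        (root / "lib" / "libsystem.so").write_bytes(b"replaced shared object")
        (root / "lib" / "libhidden.so").write_bytes(b"unexpected file")
        return compare(clean, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two design points matter for a defender. The baseline must come from trusted media (a vendor image or a snapshot taken before exposure), not from the running device, or the check only confirms the device agrees with itself. And because a user-mode rootkit hides components from processes on the same host, a check like this is most reliable when it runs against an offline copy of the filesystem rather than from inside the possibly compromised system.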
While the researchers haven’t determined the goal behind UNC6148’s attacks, they did find “noteworthy overlaps” with Abyss-related ransomware incidents.
For example, in late 2023, Truesec investigated an Abyss ransomware incident in which hackers installed a web shell on an SMA appliance, enabling them to maintain persistence despite firmware updates. In March 2024, InfoGuard AG incident responder Stephan Berger reported a similar SMA device compromise that also resulted in the deployment of Abyss malware.
“The threat intelligence report from Google Threat Intelligence Group (GTIG) highlights potential risk of using older versions of SMA100 firmware,” SonicWall added on Monday, urging admins to implement the security measures outlined in its July advisory.
Last week, SonicWall warned customers to reset credentials after their firewall configuration backup files were exposed in brute-force attacks targeting the API service for cloud backup.
In August, the company also dismissed claims that the Akira ransomware gang was hacking Gen 7 firewalls using a potential zero-day exploit, clarifying that the issue was tied to a critical vulnerability (CVE-2024-40766) that was patched in November 2024.
The Australian Cyber Security Centre (ACSC) and cybersecurity firm Rapid7 later confirmed that the Akira gang is exploiting this vulnerability to target unpatched SonicWall devices.