SonicWall has released a new firmware update for its SMA 100 series devices that can remove specific rootkit malware. The update, called the SMA 100 10.2.2.2-92sv build, includes additional file checking capabilities designed to find and eliminate known rootkit malware. SonicWall is strongly recommending that users of the SMA 210, 410, and 500v devices upgrade to this latest version to protect their systems.
This update follows a July report from researchers at the Google Threat Intelligence Group (GTIG) who observed a threat actor, UNC6148, deploying OVERSTEP malware on end-of-life (EoL) SonicWall SMA 100 devices. These devices are scheduled to reach their end-of-support date next week, on October 1, 2025. OVERSTEP is a user-mode rootkit that helps attackers maintain persistent access by hiding malicious components and creating a reverse shell on compromised devices. The malware steals sensitive files, including the persist.database and certificate files, giving hackers access to credentials, one-time password (OTP) seeds, and certificates, which allows them to maintain a foothold on the network.
While researchers haven’t determined the ultimate goal of UNC6148’s attacks, they did find notable overlaps with incidents involving Abyss-related ransomware. For instance, in late 2023, the cybersecurity firm Truesec investigated an Abyss ransomware incident where hackers installed a web shell on an SMA appliance. This allowed them to maintain persistence even after firmware updates. In March 2024, another incident responder, Stephan Berger from InfoGuard AG, reported a similar compromise of an SMA device that also resulted in the deployment of Abyss malware. These similar incidents highlight a pattern of exploiting these devices.
In an advisory, SonicWall added that the GTIG report highlights the risks of using older SMA 100 firmware versions and urged administrators to implement the security measures outlined in a July advisory. This isn’t the only recent security issue for SonicWall. Last week, the company warned customers to reset their credentials after their firewall configuration backup files were exposed in brute-force attacks targeting the API service for cloud backup.
Additionally, in August, the company dismissed claims that the Akira ransomware gang was exploiting a zero-day vulnerability in Gen 7 firewalls. SonicWall clarified that the issue was tied to a critical vulnerability (CVE-2024-40766) that had already been patched in November 2024. However, the Australian Cyber Security Center (ACSC) and cybersecurity firm Rapid7 later confirmed that the Akira gang was indeed exploiting this vulnerability to target unpatched SonicWall devices.
Reference:
