
"The update comes about two months after Google warned that some unknown criminals have been exploiting fully patched, end-of-life SonicWall SMA 100 appliances to deploy a previously unknown backdoor and rootkit dubbed OVERSTEP. The malware modifies the appliance's boot process to maintain persistent access, enabling the criminals to steal sensitive credentials and conceal their own components. The Chocolate Factory's intel analysts in July attributed the ongoing campaign to UNC6148 - UNC in Google's threat-group naming taxonomy stands for 'Uncategorized.'"
"In its Monday advisory, the security appliance maker pointed to Google's earlier threat report about UNC6148 targeting SMA 100 appliances and dropping the never-before-seen rootkit. "SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the 10.2.2.2-92sv version," the vendor said. This rootkit-busting firmware update follows a series of other attacks targeting the firewall and VPN maker, whose products have been exploited in recent months for ransomware infections as well as credential- and data-stealing campaigns."
SonicWall released firmware version 10.2.2.2-92sv to remove a rootkit used in recent attacks against SMA 100 series appliances. Google reported that unknown attackers exploited fully patched, end-of-life SMA 100 devices to deploy a previously unknown backdoor and rootkit, dubbed OVERSTEP, which modifies the appliance's boot process to persist across reboots, steal credentials, and hide its own components. Google attributed the campaign to UNC6148. SonicWall pointed to Google's findings and urged customers of the SMA 210, 410, and 500v to upgrade. The update follows months of exploitation of the vendor's products in ransomware and credential- and data-stealing campaigns, and CISA has urged customers to verify their accounts and assess device risk amid brute-force attacks on the vendor's cloud backup service.