SonicWall on Monday released a firmware update that the security vendor says will remove rootkit malware deployed in recent attacks targeting Secure Mobile Access (SMA) 100 appliances.
The update comes about two months after Google warned that some unknown criminals have been exploiting fully patched, end-of-life SonicWall SMA 100 appliances to deploy a previously unknown backdoor and rootkit dubbed OVERSTEP. The malware modifies the appliance’s boot process to maintain persistent access, enabling the criminals to steal sensitive credentials and conceal their own components.
The Chocolate Factory’s intel analysts in July attributed the ongoing campaign to UNC6148 – UNC in Google’s threat-group naming taxonomy stands for “Uncategorized.”
In its Monday advisory, the security appliance maker pointed to Google’s earlier threat report about UNC6148 targeting SMA 100 appliances and dropping the never-before-seen rootkit.
“SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the 10.2.2.2-92sv version,” the vendor said.
This rootkit-busting firmware update follows a series of other attacks targeting the firewall and VPN maker, whose products have been exploited in recent months for ransomware infections as well as credential- and data-stealing campaigns.
Also on Monday, SonicWall and the US Cybersecurity and Infrastructure Security Agency (CISA) warned of brute-force attacks targeting its cloud backup service for firewalls, following The Register's report last week about the intrusions. Additionally, CISA urged all SonicWall customers to log into their accounts and verify whether their devices are at risk.
Last Thursday, SonicWall senior VP Michael Crean told us that, during these intrusions, digital thieves accessed firewall configuration data belonging to “fewer than 5 percent” of its firewall installed base, and the vendor again repeated this figure in its Monday update about the cloud backup service security snafu.
Prior to that, in August, SonicWall confirmed that it was investigating a wave of ransomware activity targeting its firewall devices.
It turns out that Akira ransomware affiliates were behind these attacks, tied to CVE-2024-40766. This is a 9.8 CVSS-rated improper access control flaw, originally disclosed in August 2024, that Akira also abused last year to gain initial access to victim orgs before deploying ransomware and extorting the infected firms for ransom payments.
Earlier this month, Rapid7 security analysts warned that Akira was also exploiting SonicWall SSLVPN misconfigurations, in addition to the year-old CVE, to conduct its ransomware attacks. ®