{"id":14460,"date":"2025-07-17T21:55:02","date_gmt":"2025-07-17T21:55:02","guid":{"rendered":"https:\/\/newestek.com\/?p=14460"},"modified":"2025-07-17T21:55:02","modified_gmt":"2025-07-17T21:55:02","slug":"ransomware-actors-target-patched-sonicwall-sma-devices-with-rootkit","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14460","title":{"rendered":"Ransomware actors target patched SonicWall SMA devices with rootkit"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>A group of hackers known for stealing enterprise data for extortion purposes has developed a persistent rootkit for SonicWall Secure Mobile Access (SMA) 100 series appliances. The rootkit was seen deployed on end-of-life but fully patched SMA 100 appliances with the help of administrative credentials likely obtained in past compromises.<\/p>\n<p>\u201cGTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates,\u201d researchers from Google Threat Intelligence Group and Mandiant wrote in <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/sonicwall-secure-mobile-access-exploitation-overstep-backdoor\">a report on the group\u2019s activity<\/a>.<\/p>\n<p>The deployed rootkit is designed to delete log entries, thereby impacting the ability to perform forensic investigation. 
As such, no initial access vector could be established with certainty, but Google\u2019s researchers believe the group leveraged known vulnerabilities.<\/p>\n<h2 class=\"wp-block-heading\" id=\"attackers-linked-to-ransomware-and-data-leak-extorsions\">Attackers linked to ransomware and data leak extortions<\/h2>\n<p>Google-owned incident response firm Mandiant tracks the group as UNC6148 and believes its goal is to gain access to organizations for the purpose of data theft, extortion, and ransomware deployment. Data stolen from an organization compromised by UNC6148 in May was posted on the data leak site World Leaks last month.<\/p>\n<p>The group might have a history of targeting SonicWall SMA appliances: attacks during 2023 and 2024 resulted in deployed web shells and later in the infection of the victims\u2019 networks with the Abyss ransomware, also known as VSOCIETY.<\/p>\n<p>Google\u2019s researchers believe in-the-wild exploitation of previous SonicWall SMA 100 vulnerabilities might have led to the theft of the administrative credentials used in the recent attacks. One vulnerability patched last year, CVE-2024-38475 (an Apache HTTP Server mod_rewrite flaw in the appliance\u2019s web stack), stands out because it allows unauthenticated attackers to read two SQLite databases from the appliance, <code>temp.db<\/code> and <code>persist.db<\/code>, which store sensitive information including user account credentials, session tokens, and OTP seed values. With the OTP seeds in hand, an attacker can generate valid second-factor codes for a stolen admin account, which is why a password reset alone does not lock them out.<\/p>\n<p>Although the flaw has been publicly documented and analyzed in detail by researchers as potentially leading to the exposure of admin credentials, GTIG and Mandiant don\u2019t have evidence that this is the flaw that was exploited. 
It is also possible the admin credentials for the appliances were obtained from infostealer malware logs.<\/p>\n<h2 class=\"wp-block-heading\" id=\"custom-backdoor-with-reboot-persistence\">Custom backdoor with reboot persistence<\/h2>\n<p>What stands out about the attack is the deployment of a user-mode rootkit that persists across device reboots, which Mandiant has dubbed OVERSTEP.<\/p>\n<p>The attackers first established a VPN connection to the compromised appliance using local admin credentials and then opened a reverse shell on the appliance.<\/p>\n<p>\u201cShell access should not be possible by design on these appliances, and Mandiant\u2019s joint investigation with the SonicWall Product Security Incident Response Team (PSIRT) did not identify how UNC6148 established this reverse shell,\u201d the researchers wrote. \u201cIt\u2019s possible the reverse shell was established via exploitation of an unknown vulnerability by UNC6148.\u201d<\/p>\n<p>Following several reconnaissance commands, the attackers exported the appliance configuration, edited it to add network access control policies for IP addresses they controlled, and reimported it. Finally, a base64-encoded payload was dropped as a file called <code>\/usr\/lib\/libsamba-errors.so.6<\/code>, and that path was added to <code>\/etc\/ld.so.preload<\/code>. The dynamic loader maps every library listed in that file into each dynamically linked process before the program\u2019s own libraries, so any function the rootkit exports under a libc name is resolved ahead of the genuine one.<\/p>\n<p>To survive reboots, the attackers modified the boot script <code>rc.fwboot<\/code>, adding code to its <code>bootCurrentFirmware<\/code> function so that the malware is copied back into the running filesystem each time the appliance starts. This step is what makes the persistence work: these appliances rebuild a locked-down filesystem from firmware at startup so that only legitimate components are present, and without the boot-script hook the rootkit would be gone after a restart. Admins are not even supposed to have access to the internal operating system.<\/p>\n<p>The OVERSTEP backdoor, written in C, is specifically designed for SonicWall SMA 100 series appliances. 
It injects itself into the memory of other processes via the <code>\/etc\/ld.so.preload<\/code> file and then hijacks standard file system functions such as <code>open<\/code>, <code>open64<\/code>, <code>readdir<\/code>, <code>readdir64<\/code>, and <code>write<\/code>. Hooking <code>readdir<\/code> and <code>readdir64<\/code> lets it filter its own files out of directory listings, which is how it hides its components on the system; hooking <code>open<\/code>, <code>open64<\/code> and <code>write<\/code> gives it a view of every file other processes open and write, which is what makes the log tampering described below possible. Because the hooks live in user space, anything on the appliance that goes through libc, including an administrator\u2019s own commands, sees the rootkit\u2019s filtered view.<\/p>\n<p>The backdoor\u2019s main purpose is to steal passwords and provide attackers with a reverse shell on the system, through which they can execute additional shell commands.<\/p>\n<p>\u201cIn our investigations, GTIG observed beaconing traffic from compromised appliances, but we did not identify notable post-compromise activities,\u201d the researchers wrote. \u201cThe actor\u2019s success in hiding their tracks is largely due to OVERSTEP\u2019s capability to selectively delete log entries from <code>httpd.log<\/code>, <code>http_request.log<\/code>, and <code>inotify.log<\/code>. This anti-forensic measure, combined with a lack of shell history on disk, significantly reduces visibility into the actor\u2019s secondary objectives.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"mitigations\">Mitigations<\/h2>\n<p>Mandiant has tracked the targeting of SMA 100 series appliances by UNC6148 since October 2024. The researchers advise organizations to analyze their SMA 100 series appliances to determine whether they have been compromised, even if they run the latest fully patched version of the firmware.<\/p>\n<p>This might involve working with SonicWall on ways to extract disk images from the appliances rather than executing commands directly on them: a command run on a live appliance goes through the same libc functions the rootkit hooks, so its output cannot be trusted, whereas an offline image can be examined with tools the rootkit never touches.<\/p>\n<p>The GTIG and Mandiant report includes indicators of compromise, including file names and hashes associated with the malware, as well as modifications to several system files. 
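<\/p>\n<p>As an added example (not code from the GTIG\/Mandiant report, from SonicWall, or from the original article), the C program below shows two host-side checks for the class of rootkit described above. <code>preload_entries<\/code> counts the shared objects listed in an <code>ld.so.preload<\/code>-format file, which on a clean appliance should be none. <code>count_hidden_entries<\/code> enumerates a directory twice, once through libc\u2019s <code>readdir<\/code> (the function the rootkit hooks) and once through the raw <code>getdents64<\/code> system call, which a user-mode hook cannot intercept, and reports any name the libc path failed to show. The <code>\/tmp<\/code> paths and the file names used by the <code>demo_<\/code> self-tests are constructed for illustration, not real indicators; nothing about the actual OVERSTEP binaries is assumed.<\/p>

```c
// Added example (not code from the GTIG/Mandiant report, SonicWall or the article):
// two host-side checks for an ld.so.preload-based user-mode rootkit, Linux only.
//   preload_entries()      - how many shared objects an ld.so.preload-format file lists
//   count_hidden_entries() - directory names the raw getdents64 syscall returns but libc
//                            readdir() does not, i.e. entries a user-space hook is hiding
// The /tmp paths and file names in the demo_* self-tests are constructed, not real IOCs.
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_NAMES 512
#define NAME_LEN  256

struct linux_dirent64 {           /* record layout the kernel writes for getdents64 */
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

static int is_dot(const char *n) { return !strcmp(n, ".") || !strcmp(n, ".."); }

/* Non-blank, non-comment lines, one library path each; -1 if the file is unreadable. */
int preload_entries(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    char line[NAME_LEN]; int n = 0;
    while (fgets(line, sizeof line, f)) {
        const char *p = line;
        while (*p == ' ' || *p == '\t') p++;
        if (*p != '\0' && *p != '\n' && *p != '#') n++;
    }
    fclose(f);
    return n;
}

/* Listing through libc: exactly the view a hooked readdir()/readdir64() controls. */
static int list_readdir(const char *dir, char names[][NAME_LEN])
{
    DIR *d = opendir(dir);
    if (!d) return -1;
    int n = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL && n < MAX_NAMES;)
        if (!is_dot(e->d_name)) snprintf(names[n++], NAME_LEN, "%s", e->d_name);
    closedir(d);
    return n;
}

/* Listing through the raw syscall: a user-space hook never sees this path. */
static int list_getdents(const char *dir, char names[][NAME_LEN])
{
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192] __attribute__((aligned(8)));
    int n = 0;
    for (long got; (got = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0;) {
        for (long off = 0; off < got && n < MAX_NAMES;) {
            struct linux_dirent64 *e = (struct linux_dirent64 *)(buf + off);
            if (!is_dot(e->d_name)) snprintf(names[n++], NAME_LEN, "%s", e->d_name);
            off += e->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* Entries the syscall sees but libc does not; -1 on error. Anything above 0 is a red flag. */
int count_hidden_entries(const char *dir)
{
    static char via_libc[MAX_NAMES][NAME_LEN], via_sys[MAX_NAMES][NAME_LEN];
    int nl = list_readdir(dir, via_libc), ns = list_getdents(dir, via_sys);
    if (nl < 0 || ns < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < ns; i++) {
        int seen = 0;
        for (int j = 0; j < nl && !seen; j++) seen = !strcmp(via_sys[i], via_libc[j]);
        if (!seen) { hidden++; fprintf(stderr, "hidden from libc: %s/%s\n", dir, via_sys[i]); }
    }
    return hidden;
}

/* Self-test: a constructed directory with three files; a clean host hides none of them. */
int demo_hidden_entries(void)
{
    char dir[] = "/tmp/preloadchk-XXXXXX";          /* assumed writable location */
    char p[NAME_LEN + 32];
    if (!mkdtemp(dir)) return -1;
    const char *names[] = {"libsamba-errors.so.6", "persist.db", "httpd.log"};
    for (int i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/%s", dir, names[i]);
        FILE *f = fopen(p, "w"); if (f) fclose(f);
    }
    int hidden = count_hidden_entries(dir);
    for (int i = 0; i < 3; i++) { snprintf(p, sizeof p, "%s/%s", dir, names[i]); unlink(p); }
    rmdir(dir);
    return hidden;
}

/* Self-test: a constructed preload file with two library lines, a comment and a blank line. */
int demo_preload_entries(void)
{
    char path[] = "/tmp/preloadchk-XXXXXX";
    int fd = mkstemp(path); if (fd < 0) return -1;
    const char *body = "# constructed sample\n/usr/lib/libsamba-errors.so.6\n\n/usr/lib/libother.so\n";
    ssize_t w = write(fd, body, strlen(body));
    close(fd);
    int n = (w == (ssize_t)strlen(body)) ? preload_entries(path) : -1;
    unlink(path);
    return n;
}
```

<p>On a trusted Linux host both listings agree and <code>count_hidden_entries<\/code> returns 0; under a <code>readdir<\/code> hook the syscall view shows names libc omits. The caveat from the report still applies to the checker itself: on a live appliance a dynamically linked binary would be subject to <code>\/etc\/ld.so.preload<\/code> too, and the hooked <code>open<\/code> could feed it a sanitized copy of the preload file, so run it as a statically linked binary or, better, point both checks at an offline disk image.<\/p>\n<p>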
If any of these are found, organizations should isolate the impacted appliance and rotate every credential and OTP seed that might have been stored on it, since stolen OTP seeds are what let the group return to patched devices.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A group of hackers known for stealing enterprise data for extortion purposes has developed a persistent rootkit for SonicWall Secure Mobile Access (SMA) 100 series appliances. The rootkit was seen deployed on end-of-life but fully patched SMA 100 appliances with the help of administrative credentials likely obtained in past compromises. \u201cGTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14460\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14460","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14460","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14460"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14460\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14460"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14460"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14460"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}