Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Ransomware attack at DaVita impacted 2.7 million people, US health dept website shows
August 21, 2025
A ransomware attack that encrypted certain elements of dialysis firm DaVita’s network impacted 2.7 million people, the U.S. health department’s website showed on Thursday. The firm had disclosed in April that it was hit by a cyberattack. At the time, it said it would continue to provide patient care as it took measures to restore certain ...
- Commvault Releases Security Updates to Address Multiple Vulnerabilities
August 21, 2025
Commvault has released security advisories to address 4 vulnerabilities in Commvault Windows and Linux. Security researchers have demonstrated the ability for these vulnerabilities to be chained together by an unauthenticated remote attacker to perform remote code execution on the Commvault server. CVE-2025-57788 – Unauthorized API Access Risk CVSSv4 6.9 CVE-2025-57789 – Vulnerability in Initial Administrator Login Process CVSSv4 ...
- Orange Belgium informs its customers about a cyberattack
August 20, 2025
At the end of July, Orange Belgium detected a cyberattack on one of its IT systems, resulting in unauthorised access to certain data from 850,000 customer accounts. No critical data was compromised: no passwords, email addresses, bank or financial details were hacked. However, the hacker gained access to one of our IT systems containing the following ...
- FBI: Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure
August 20, 2025
The Federal Bureau of Investigation (FBI) is warning the public, private sector, and international community of the threat posed to computer networks and critical infrastructure by cyber actors attributed to the Russian Federal Security Service’s (FSB) Center 16. The FBI detected Russian FSB cyber actors exploiting Simple Network Management Protocol (SNMP) and end-of-life networking devices running ...
- Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware
August 20, 2025
Organizations continue to grapple with increasingly complex cyberthreats, as ransomware groups rapidly evolve their tactics. In a recent attack wave, the Warlock ransomware group exploited internet-exposed, unpatched on-premise Microsoft SharePoint servers, abusing newly discovered vulnerabilities to gain initial access to their target’s system. Other groups such as Linen Typhoon and Violet Typhoon have also been observed ...
- A clever new Linux malware is breaking into systems and then shutting the door behind it to avoid detection
August 19, 2025
A hacker was recently spotted patching someone’s vulnerable cloud Linux instance – but they did not do it out of the goodness of their heart. Security researchers Red Canary observed a threat actor abusing a maximum severity flaw, tracked as CVE-2023-46604, to break into a cloud Linux system. The vulnerability is found in Apache ActiveMQ, and ...

