Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor


Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.

GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.

Read more…
Source: Mandiant/GTG


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Chaos ransomware hits Optima Tax Relief, leaks 69GB of data

    June 21, 2025

    Cyberattacks on financial service providers are no longer isolated events. In recent years, tax preparation companies, accounting software vendors and data brokers have all found themselves in the crosshairs of increasingly aggressive ransomware gangs. These attacks don’t just disrupt operations but also expose deeply personal financial information that can fuel identity theft, fraud and long-term reputational ...

  • Resurgence of the Prometei Botnet

    June 20, 2025

    In March 2025, Unit 42 researchers identified a wave of Prometei attacks. Prometei refers to both the botnet and the malware family used to operate it. This malware family, which includes both Linux and Windows variants, allows attackers to remotely control compromised systems for cryptocurrency mining (particularly Monero) and credential theft. This article focuses on the ...

  • Canadian Centre for Cyber Security/FBI: People’s Republic of China cyber threat activity

    June 20, 2025

    The Canadian Centre for Cyber Security (Cyber Centre) and the United States’ Federal Bureau of Investigation (FBI) are warning Canadians of the threat posed by People’s Republic of China (PRC) state-sponsored cyber threat actor tracked in industry reporting as Salt Typhoon. The Cyber Centre previously joined our partners in warning that PRC cyber actors have compromised ...

  • M&S cyber attack deepens as tech partner TCS denies blame

    June 20, 2025

    Tata Consultancy Services (TCS), the tech firm at the centre of speculation around the M&S cyber attack, has claimed that none of its systems or users were compromised in the incident. The statement, delivered at the company’s annual shareholder meeting, is the first public comment from the group since M&S was hit by a major cyber ...

  • Cybercriminals breach Aflac as part of hacking spree against US insurance industry

    June 20, 2025

    Cybercriminals have breached insurance giant Aflac, potentially stealing Social Security numbers, insurance claims and health information, the company said Friday, the latest in a spree of hacks against the insurance industry. With billions of dollars in annual revenue and tens of millions of customers, Aflac is the biggest victim yet in the ongoing digital assault on ...

  • Iranian missile strikes tech park housing Microsoft office in Israel’s Beer Sheva

    June 20, 2025

    First responders are searching buildings for people wounded after an Iranian missile struck close to a tech park in the Israeli city of Beer Sheva, according to Israel’s emergency services agency Magen David Adom (MDA). MDA said they found six people who were slightly injured as a result of the strike, as they continue to search ...