Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor


Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.

GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.

Read more…
Source: Mandiant/GTG


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Tor Browser and Firefox users should update to fix actively exploited vulnerability

    October 16, 2024

    Mozilla has announced a security fix for its Firefox browser which also impacts the closely related Tor Browser. The new version fixes one critical security vulnerability which is reportedly under active exploitation. To address the flaw, both Mozilla and Tor recommend that users update their browsers to the most current versions available. Firefox users that have ...

  • How Low Can You Go? An Analysis of 2023 Time-to-Exploit Trends

    October 15, 2024

    Mandiant analyzed 138 vulnerabilities that were disclosed in 2023 and that we tracked as exploited in the wild. Consistent with past analyses, the majority (97) of these vulnerabilities were exploited as zero-days (vulnerabilities exploited before patches are made available, excluding end-of-life technologies). Forty-one vulnerabilities were exploited as n-days (vulnerabilities first exploited after patches are available). While ...

  • Westpac and St George customers report third day of difficulties accessing internet banking

    October 15, 2024

    Westpac and subsidiaries including St George, Bank of Melbourne and BankSA have been hit by a string of outages. The bank said services were restored on Wednesday afternoon, but some customers continued to report disruptions. Treasurer Jim Chalmers says the government has been in contact with Westpac and described the internet and mobile banking issues as ...

  • Beyond the Surface: the evolution and expansion of the SideWinder APT group

    October 15, 2024

    SideWinder, aka T-APT-04 or RattleSnake, is one of the most prolific APT groups that began its activities in 2012 and was first publicly mentioned by us in 2018. Over the years, the group has launched attacks against high-profile entities in South and Southeast Asia. Its primary targets have been military and government entities in Pakistan, ...

  • Sri Lanka arrests over 230 Chinese in cybercrime raids

    October 15, 2024

    Sri Lankan police have arrested more than 230 Chinese men accused of targeting international banks in online scams, the foreign minister said on Tuesday (Oct 15), with help from security officials sent by Beijing. Vijitha Herath said police raids over the past week had also seized 250 computers and 500 mobile phones used in the alleged ...

  • Fake attachment. Roundcube mail server attacks exploit CVE-2024-37383 vulnerability.

    October 15, 2024

    In September 2024, threat intelligence experts from the Positive Technologies Security Expert Center (PT ESC) discovered an email sent to a governmental organization belonging to a CIS country. Timestamps indicate that the email was sent back in June 2024. The email appeared to be a message without text, containing only an attached document. However, the email ...