Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Cyber attack on councils across Greater Manchester leaves thousands vulnerable to phishing scam
August 14, 2024
A cyber attack on councils across Greater Manchester has left thousands of residents vulnerable to a phishing scam. The attack, which initially hit one borough last week and spread over the weekend, on software company Locata downed the housing websites for Manchester, Salford and Bolton councils. It has also led to thousands of users being sent ...
- EastWind campaign: new CloudSorcerer attacks on government organizations in Russia
August 14, 2024
In late July 2024, we detected a series of ongoing targeted cyberattacks on dozens of computers at Russian government organizations and IT companies. The threat actors infected devices using phishing emails with malicious shortcut attachments. These shortcuts were used to deliver malware that received commands via the Dropbox cloud service. Attackers used this malware to download ...
- New Windows Cyber Attacks Confirmed – CISA Says Update By September 3
August 14, 2024
Microsoft has released the monthly round of Patch Tuesday security updates, with fixes for a total of 90 vulnerabilities across the Windows ecosystem. Of these, the Microsoft Security Response Center warns that five Windows vulnerabilities have confirmed and active cyber attacks against them already. So serious are these zero-day security issues that the U.S. Cybersecurity and ...
- Turkish intelligence dismantles global cyber espionage network
August 13, 2024
The Turkish National Intelligence Organization (MIT) has successfully dismantled a global cyber espionage network that had stolen personal data from thousands of individuals worldwide, including in Türkiye. In a coordinated effort with the Turkish Gendarmerie General Command and the National Cyber Incident Response Center (USOM), MIT carried out the operation as part of an investigation led ...
- Musk Blames DDoS Attack For 40-Minute Delayed Start to Trump’s X Livestream
August 13, 2024
Technical difficulties delayed former President Donald Trump’s live conversation with Elon Musk on X by over 40 minutes. Musk blamed the issues on a distributed denial-of-service (DDoS) cyberattack, in which a bad actor seeks to overload a target server with traffic, rendering it unusable. His claims could not be verified. “We unfortunately had a massive distributed ...
- ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artifacts
August 13, 2024
This research reviews an attack vector allowing the compromise of GitHub repositories, which not only has severe consequences in itself but could also potentially lead to high-level access to cloud environments. This is made possible through the abuse of GitHub Actions artifacts generated as part of organizations’ CI/CD workflows. A combination of misconfigurations and security flaws ...

