Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor


Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.

GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.

Read more…
Source: Mandiant/GTG


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Chinese cyber attack sparks alert over six year old MS vuln

    August 5, 2024

    The United States Cybersecurity and Infrastructure Security Agency (CISA) has added a Microsoft vulnerability dating back to 2018 to its Known Exploited Vulnerabilities (KEV) catalogue after evidence emerged that it is being used in an attack chain by the China-backed APT41 advanced persistent threat group. CVE-2018-0824 was first addressed by Microsoft in the May 2018 Patch ...

  • LianSpy: new Android spyware targeting Russian users

    August 5, 2024

    In March 2024, Kaspersky researchers discovered a campaign targeting individuals in Russia with previously unseen Android spyware they dubbed LianSpy. Kaspersky analysis indicates that the malware has been active since July 2021. This threat is equipped to capture screencasts, exfiltrate user files, and harvest call logs and app lists. The malicious actor behind LianSpy employs multiple ...

  • Operation Giant Financial Storm Under Circuit Breaker Orders

    August 2, 2024

    Since 2022, the BerBeroka group has been mentioned in every annual report released by the QiAnXin Threat Intelligence Center. The group was disclosed by QiAnXin friendly company Trend Micro. QiAnXin researchers have continued to track it under this name after merging internal groups. In fact, BerBeroka is the same as group such as DRBControl and TAG33 . ...

  • Israeli hacker group takes responsibility for reported collapse of Wi-Fi in Iran

    August 2, 2024

    The Israeli hacker group, “We Red Evils Original”, took responsibility for reported WiFi outages in Iran, according to Israeli media on Thursday night. Shortly before reports in Iran, the group posted a message on their Telegram saying, ‘In the coming minutes, we will attack internet systems and providers in Iran. A severe blow is on the ...

  • Fighting Ursa Luring Targets With Car for Sale

    August 2, 2024

    A Russian threat actor Palo Alto Unit 42 track as Fighting Ursa advertised a car for sale as a lure to distribute HeadLace backdoor malware. The campaign likely targeted diplomats and began as early as March 2024. Fighting Ursa (aka APT28, Fancy Bear and Sofacy) has been associated with Russian military intelligence and classified as an ...

  • How “professional” ransomware variants boost cybercrime groups

    August 1, 2024

    Cybercriminals who specialize in ransomware do not always create it themselves. They have many other ways to get their hands on ransomware samples: buying a sample on the dark web, affiliating with other groups or finding a (leaked) ransomware variant. This requires no extraordinary effort, as source code is often leaked or published. With a set ...