Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor


Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.

GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.

Read more…
Source: Mandiant/GTG


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Excel File Deploys Cobalt Strike at Ukraine

    June 3, 2024

    FortiGuard Labs has recently identified a sophisticated cyberattack involving an Excel file embedded with a VBA macro designed to deploy a DLL file. The attacker uses a multi-stage malware strategy to deliver the notorious “Cobalt Strike” payload and establish communication with a command and control (C2) server. This attack employs various evasion techniques to ensure successful ...

  • UK: The Princess of Wales’s hospital data breach not referred to police due to suspected ‘decoy’ plan

    June 3, 2024

    The Princess of Wales’s hospital data breach has not been referred to police as an expert explains that a “decoy” plan could have been in use – meaning her actual medical files were not accessed by the perpetrators. Despite Health Minister Maria Caulfield revealing back in March that the police had been asked to look into ...

  • Inside The Box: Malware’s New Playground

    June 3, 2024

    Over the past few months, we have been monitoring the increasing abuse of BoxedApp products in the wild. BoxedApp products are commercial packers that provide advanced features such as Virtual Storage (Virtual File System, Virtual Registry), Virtual Processes, and a universal instrumentation system (WIN/NT API hooking). Even though BoxedApp has been commercially available for a while, ...

  • Ticketmaster confirms customer data breach

    June 1, 2024

    Live Nation Entertainment has confirmed what everyone has been speculating on for the last week: Ticketmaster has suffered a data breach. In a filing with the SEC, Live Nation said on May 20th it identified “unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary)” and launched an investigation. ...

  • Santander data breach: 30m account and credit card details up for sale on dark web

    June 1, 2024

    According to reports, Santander customer and staff data has been put up for sale on the dark web. The details relate to the data leak reported earlier in May. Data leaked included HR details for staff, 30m customers’ bank account details, and 28m credit card numbers. The bank, which is the eurozone’s second-largest lender, has around ...

  • BBC cyber attack exposes details of 25,000 current and former staff

    May 30, 2024

    The personal data of more than 25,000 former and current BBC employees has been exposed in a major cyber attack targeting the broadcaster’s pension scheme. Information including names, addresses and National Insurance numbers was compromised after files containing personal details were stolen from a cloud data storage service earlier this month. It is not yet known who ...