Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Payload Trends in Malicious OneNote Samples
May 16, 2024
In this post, Unt 42 researchers look at the types of embedded payloads that attackers leverage to abuse Microsoft OneNote files. Our analysis of roughly 6,000 malicious OneNote samples from WildFire reveals that these samples have a phishing-like theme where attackers use one or more images to lure people into clicking or interacting with OneNote ...
- Scammers can easily phish your multi-factor authentication codes – here’s how to avoid it
May 16, 2024
More and more websites and services are making multi-factor-authentication (MFA) mandatory, which makes it much harder for cybercriminals to access your accounts. That’s a great thing. But as security evolves, so do cybercriminals who are always looking for new ways to scam us. A type of phishing we’re calling authentication-in-the-middle is showing up in online media. ...
- Cyber crime threatening mining safety
May 16, 2024
A 2022 survey by Ernst & Young found that 71% of respondents in the mining sector had seen an increase in the number of disruptive attacks in the year leading up to the survey. “Leading mining companies in southern Africa are actively implementing digital transformation projects, and the technology used is becoming more complicated. With connected ...
- SugarGh0st RAT Used to Target American Artificial Intelligence Experts
May 16, 2024
Proofpoint recently identified a SugarGh0st RAT campaign targeting organizations in the United States involved in artificial intelligence efforts, including those in academia, private industry, and government service. Proofpoint tracks the cluster responsible for this activity as UNK_SweetSpecter. SugarGh0st RAT is a remote access trojan, and is a customized variant of Gh0stRAT, an older commodity trojan typically ...
- Another cyber-attack on Australian healthcare company
May 16, 2024
here’s been another large-scale ransomware data breach of an Australian company…this time at an e-script provider named Medi-Secure. Medi-Secure is a prescription exchange service, which offers electronic prescribing and dispensing of prescriptions. It’s not yet known how many data records have been accessed, but experts warn that many Australians might not even know their details were ...
- Notorious data leak site BreachForums seized by law enforcement
May 15, 2024
BreachForums—probably the largest dark web marketplace for stolen data to be leaked and sold—has been seized by law enforcement.Now, both the regular and the TOR domain of BreachForums are plastered with a message telling visitors the site is now under control of the FBI. Raidforums ran from early 2015 until February 2022. The first iteration of ...

