Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor


Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.

GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.

Read more…
Source: Mandiant/GTG


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Ireland: Dept of Foreign Affairs investigating potential cybersecurity incident

    February 29, 2024

    The Department of Foreign Affairs (DFA) has said that it is investigating a potential cybersecurity incident involving its systems. The DFA said that it was notified by Ireland’s National Cyber Security Centre (NCSC) yesterday about the possible security breach and is working closely with the NCSC to establish whether this allegation is authentic. It follows reports ...

  • Cyber attack affects numerous services at most Nebraska state hospital

    February 29, 2024

    The Nebraska Hospital Association said most state hospitals were affected by a cyber attack. The NHA said Change Health Care was hit with the attack on Feb. 21. The technology company assists with things like prior authorizations, insurance verification and patient billing. All of those services are affected. Read more… Source: MSN News  

  • A ransomware gang claims to have hacked nearly 200GB of Epic Games internal data

    February 28, 2024

    A ransomware gang claims to have hacked Epic Games, saying it has nearly 200 gigabytes of internal data. Reportedly, the gang, which goes by the name Mogilevich, posted a message on its darknet leak site giving more information on its claimed leak of the Fortnite and Epic Games Store company. “We have quietly carried out an ...

  • Pennsylvania: Welch plant in North East restarts after cyber attack shuts facility down for 3 weeks

    February 28, 2024

    In a statement provided to the Erie Times-News, the company said: “On Monday, we restarted our spreads production bringing more than 100 employees back to work at our North East plant. We expect additional employees to return to work over the next few days as we get more production lines running. Throughout this disruption, we’ve continued ...

  • Pharma giant Cencora hit by major cyberattack

    February 28, 2024

    Cencora has confirmed suffering a data breach earlier this month which resulted in the theft of sensitive, personal data. Cencora is a drug wholesale company and a contract research firm that was previously known as Amerisource Bergen. It was formed in 2001, after the merger of Bergen Brunswig and AmeriSource. Read more… Source: MSN News  

  • Navigating the Cloud: Exploring Lateral Movement Techniques

    February 28, 2024

    In this post, Unit 42 researchers reseat examine lateral movement techniques, showcasing some that they have observed in the wild within cloud environments. Lateral movement can be achieved by leveraging both cloud APIs and access to compute instances, with access at the cloud level potentially extending to the latter. We explore cloud lateral movement techniques in ...