Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor


Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.

GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.

Read more…
Source: Mandiant/GTG


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Community Alert: Ongoing Malicious Campaign Impacting Azure Cloud Environments

    February 12, 2024

    Over the past weeks, Proofpoint researchers have been monitoring an ongoing cloud account takeover campaign impacting dozens of Microsoft Azure environments and compromising hundreds of user accounts, including senior executives. This post serves as a community warning regarding the attack and offers suggestions that affected organizations can implement to protect themselves from it. Proofpoint researchers detected ...

  • UK: Contact details and national security numbers could have been stolen from Southern Water customers following cyber attack

    February 12, 2024

    The announcement, which went live on Southern Water’s website earlier today (February 12), confirms that ‘a limited part’ of the company’s server estate is at risk following an illegal intrusion earlier this year. Apologising for the breach, a spokesperson confirmed that the company is working with “expert technical advisers to confirm who is at risk,” and ...

  • US Government Accounting Office says it was notified of data breach by IT contractor CGI Federal

    February 12, 2024

    The U.S. Government Accounting Office says it was notified of a data breach by IT contractor GCI Federal. Reuters could not immediately ascertain the size and scope of the breach. The GAO said that about 6,000 people, “primarily current and former GAO employees from 2007 to 2017,” had been affected but did not immediately respond when ...

  • Hackers uncover new TheTruthSpy stalkerware victims

    February 12, 2024

    A consumer-grade spyware operation called TheTruthSpy poses an ongoing security and privacy risk to thousands of people whose Android devices are unknowingly compromised with its mobile surveillance apps, not least due to a simple security flaw that its operators never fixed. Now, two hacking groups have independently found the flaw that allows the mass access of ...

  • Kenya: Cyber attacks on computer systems, mobile apps surge

    February 10, 2024

    Cyber attacks on computer systems and mobile applications recorded the highest increase in the three months to December last year, the latest data from the Communications Authority of Kenya (CA) shows. According to the CA’s Cyber Security report for the period, system attack threats that were detected increased 10-fold compared to the preceding three-month period that ...

  • Ivanti urges customers to patch yet another critical vulnerability

    February 9, 2024

    In a new blog post, Ivanti says that it has found another vulnerability and urges customers to “immediately take action to ensure you are fully protected”. This vulnerability only affects a limited number of supported versions–Ivanti Connect Secure (version 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1), Ivanti Policy Secure version 22.5R1.1 and ZTA version 22.6R1.3. Please read ...