Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor


Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.

GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.

Read more…
Source: Mandiant/GTG


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Ukraine says 2,000 computers of state firm were impacted in cyber attack

    February 1, 2024

    Ukraine’s state computer emergency response team CERT-UA said on Thursday around 2,000 computers had been affected in the recent cyber attack on an unnamed state-run company. “As part of the detailed study of the cyber threat, the obtained malware samples were examined, the peculiarities of the functioning of the infrastructure of control servers were established, and ...

  • Volt Typhoon Actors Exploiting Insecure SOHO Routers

    January 31, 2024

    Threat actors—particularly the People’s Republic of China (PRC)—sponsored Volt Typhoon group—are compromising small office/home office (SOHO) routers by exploiting software defects that manufacturers must eliminate through secure software design and development. Specifically, Volt Typhoon actors are exploiting security defects in SOHO routers to use them as launching pads to further compromise U.S. critical infrastructure entities. CISA ...

  • Czech cyber security agency reports record number of attacks in 2023

    January 31, 2024

    Czechia’s National Cyber and Security Information Agency says it registered a record number of cyber-attacks last year. The state organisation said on its website on Wednesday that it had recorded 262 such attacks in 2023, compared to 146 the previous year. The agency said the increase was mainly due to repeated waves of DDoS attacks led ...

  • Hackers obtain confidential information on Romanian officials after cyber attack at Parliament

    January 31, 2024

    Hackers breached the database of the Romanian Chamber of Deputies, the lower house of the Parliament, after a recent cyber attack. They reportedly managed to obtain confidential information, such as the prime minister’s identity documents, medical analyses, and other personal data.  The hackers threatened to release the personal data of the deputies if they did not ...

  • Series of cyber attacks risks sensitive data at New Jersey schools, hospitals

    January 30, 2024

    Class was canceled Monday across the Freehold Township school district, but not for the familiar January troubles of slushy roads, frozen pipes or a busted boiler. No, this was “a cybersecurity event” that ground school business to a halt. District officials disclosed little about what happened, assuring parents in an email they “retained outside IT expert consultants ...

  • Sustainability Business Division of Schneider Electric Responds to Cybersecurity Incident

    January 29, 2024

    On January 17th, 2024, a ransomware incident affected Schneider Electric Sustainability Business division. The attack has impacted Resource Advisor and other division specific systems. Schneider Electric Global Incident Response team has been immediately mobilized to respond to the attack, contain the incident, and to reinforce existing security measures. Sustainability Business division has informed impacted customers. Read more… Source: ...