Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor


Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.

GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.

Read more…
Source: Mandiant/GTG


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Australia: The Iconic denies responsibility for data breach

    January 10, 2024

    The Iconic has denied responsibility for a series of data breaches that saw Aussies’ bank balances drained of thousands of dollars after their accounts with the retailer were compromised. Earlier this week, news.com.au revealed customers at Australia’s largest online retailer had reported a large number of hacking attempts and security breaches, with bad actors successfully compromising ...

  • Linux devices are under attack by a never-before-seen worm

    January 10, 2024

    For the past year, previously unknown self-replicating malware has been compromising Linux devices around the world and installing cryptomining malware that takes unusual steps to conceal its inner workings, researchers said. The worm is a customized version of Mirai, the botnet malware that infects Linux-based servers, routers, web cameras, and other so-called Internet of Things devices. ...

  • AI aids nation-state hackers but also helps US spies to find them, says NSA cyber director

    January 9, 2024

    Nation state-backed hackers and criminals are using generative AI in their cyberattacks, but U.S. intelligence is also using artificial intelligence technologies to find malicious activity, according to a senior U.S. National Security Agency official. “We already see criminal and nation state elements utilizing AI. They’re all subscribed to the big name companies that you would expect ...

  • Kenya Airways suffers passenger data breach in cyber attack

    January 9, 2024

    Cybercriminals attacked Kenya Airways’ (KQ) information systems and obtained sensitive information, including contact details and identification documents, of passengers and staff of the airline, an authoritative source at KQ has confirmed. The cyber attack, which occurred late last month, led to unauthorised access to police investigation reports, phone numbers, email addresses, and passports of an unspecified ...

  • Deceptive Cracked Software Spreads Lumma Variant on YouTube

    January 8, 2024

    FortiGuard Labs recently discovered a threat group using YouTube channels to distribute a Lumma Stealer variant. We found and reported on a similar attack method via YouTube in March 2023. These YouTube videos typically feature content related to cracked applications, presenting users with similar installation guides and incorporating malicious URLs often shortened using services like TinyURL ...

  • Hundreds of museums hit by cyber attack

    January 8, 2024

    Hundreds of art institutions and museums have been affected by a cyber attack on the Gallery Systems software company, with those impacted having used the software to organise their online archives. Last month, Gallery Systems informed its clients that computers using its software had become encrypted and could no longer operate. They launched an investigation, enlisted ...