Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor


Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.

GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.

Read more…
Source: Mandiant/GTG


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Foreign spy conducts cyberattacks against China’s defense, high-tech firm

    November 27, 2023

    China’s Ministry of State Security (MSS) disclosed a new case on Monday of foreign espionage activities involving the recruitment of a Chinese software developer who provided “technical services.” This spy agency used “poisoned” software to conduct cyberattacks and steal secrets from dozens of China’s defense and high-tech enterprises. Wang, a Chinese engineer in the network technology ...

  • The Dark Side of AI: Large-Scale Scam Campaigns Made Possible by Generative AI

    November 27, 2023

    Generative artificial intelligence technologies such as OpenAI’s ChatGPT and DALL-E have created a great deal of disruption across much of our digital lives. Creating credible text, images and even audio, these AI tools can be used for both good and ill. That includes their application in the cybersecurity space. Read more… Source: Sophos  

  • New ransomware-as-a-service caters to cybercriminals with commercial expansion

    November 23, 2023

    New evidence suggests that the popular Play ransomware is now being rented out to cybercriminals. Known as ransomware-as-a-service (RaaS), cybercriminals can pay to use the malware itself alongside the infrastructure needed to pull off an attack.This is a relatively new phenomenon and can provide a steady stream of revenue for malicious cyber gangs. Read more… Source: MSN News  

  • Q3 2023 in Review: DDoS Attacks Report by StormWall

    November 23, 2023

    StormWall researchers observed that attacks have grown by 43% compared to Q3 2022. Over the past quarter, and according to the analysis conducted by the team, there have been three main trends affecting the surge in DDoS attacks: The number of multi-vector attacks has increased There’s been a significant spike in attacks that target multiple protocols or ...

  • Israel-Hamas war spotlight: Shaking the rust off SysJoker

    November 23, 2023

    Amid tensions in the ongoing Israel-Hamas war, Check Point Research has been conducting active threat hunting in an effort to discover, attribute, and mitigate relevant regional threats. Among those, some new variants of the SysJoker malware, including one coded in Rust, recently caught our attention. Check Point assessment is that these were used in targeted attacks ...

  • HrServ – Previously unknown web shell used in APT attack

    November 22, 2023

    In the course of our routine investigation, we discovered a DLL file, identified as hrserv.dll, which is a previously unknown web shell exhibiting sophisticated features such as custom encoding methods for client communication and in-memory execution. Kaspersky analysis of the sample led to the discovery of related variants compiled in 2021, indicating a potential correlation between ...