Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor


Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.

GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.

Read more…
Source: Mandiant/GTG


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors

    November 21, 2023

    Unit 42 researchers recently discovered two separate campaigns targeting job-seeking activities linked to state-sponsored threat actors associated with the Democratic People’s Republic of Korea (DPRK), commonly known as North Korea. The research team call the first campaign “Contagious Interview,” where threat actors pose as employers (often anonymously or with vague identities) to lure software developers into ...

  • U.S. DOD strategy warns emerging tech is ‘at the forefront’ of information threats

    November 21, 2023

    The Pentagon publicly released its strategy for operating in the information environment – which covers both physical and digital sources of information – on Friday, outlining how the agency plans to modernize its collecting, processing and sharing of data to better counteract adversaries’ weaponization of the internet and emerging technologies. DOD “must embrace a cultural shift ...

  • SysAid path traversal vulnerability

    November 21, 2023

    SonicWall Capture Labs Threat Research Team became aware of the SysAid path traversal vulnerability, assessed its impact and developed mitigation measures for the vulnerability. On November 8, 2023, SysAid, an IT service management company, disclosed CVE-2023-47426, which is a zero-day path traversal vulnerability carrying a CVSS 9.8 score and affecting on-premise SysAid servers running version < ...

  • #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability

    November 21, 2023

    The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) are releasing this joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods associated with LockBit 3.0 ransomware exploiting CVE-2023-4966, labeled Citrix Bleed, affecting Citrix ...

  • A Comparative Study on Linux and Windows Ransomware Attacks

    November 21, 2023

    During the last few months, CheckPoint researchers conducted a study of some of the top ransomware families (12 in total) that either directly developed ransomware for Linux systems or were developed in languages with a strong cross-platform component, such as Golang or Rust, thereby allowing them to be compiled for both Windows and Linux indiscriminately. The ...

  • When Maximum Effort Doesn’t Equate to Maximum Results

    November 21, 2023

    It’s no secret that security teams are feeling beleaguered as a result of the barrage of data, events, and alerts generated by their security tools, to say nothing of the increased budget scrutiny and constrained staff resources that continue to plague cybersecurity practitioners. The trick is finding the right balance between how much internal teams have ...