Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Stately Taurus targets the Philippines as tensions flare in the South Pacific
November 17, 2023
Tensions between China and the Philippines have risen sharply over the past several months. Coinciding with these real-world events, Unit 42 researchers observed three Stately Taurus campaigns during the month of August. These campaigns are assessed to have targeted entities in the South Pacific including the Philippines government. The campaigns leveraged legitimate software including Solid PDF ...
- Into The Trash: Analyzing LitterDrifter
November 17, 2023
Gamaredon, also known as Primitive Bear, ACTINIUM, and Shuckworm, is a unique player in the Russian espionage ecosystem that targets a wide variety of almost exclusively Ukrainian entities. While researchers often struggle to uncover evidence of Russian espionage activities, Gamaredon is notably conspicuous. The group behind it conducts large-scale campaigns while still primarily focusing on regional ...
- Scattered Spider
November 16, 2023
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to recent activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors. This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as November 2023. Scattered Spider ...
- Insider Threat: Hunting and Detecting
November 16, 2023
The insider threat is a multifaceted challenge that represents a significant cybersecurity risk to organizations today. Some are malicious insiders such as employees looking to steal data or sabotage the organization. Some are unintentional insiders such as employees who make careless mistakes or fall victim to phishing attacks.Identifying insider threats is becoming increasingly important. Malicious insiders often ...
- Zimbra 0-day used to target international government organizations
November 16, 2023
In June 2023, Google’s Threat Analysis Group (TAG) discovered an in-the-wild 0-day exploit targeting Zimbra Collaboration, an email server many organizations use to host their email. Since discovering the 0-day, now patched as CVE-2023-37580, TAG has observed four different groups exploiting the same bug to steal email data, user credentials, and authentication tokens. Most of this ...
- Enhancing Computer Security for Nuclear Safety and Security
November 16, 2023
Nuclear safety and nuclear security share the same objective and vision: to protect individuals, societies and the environment from the potential harmful effects of ionizing radiation. Though the activities that address nuclear safety and nuclear security are different, it is essential to establish a well-coordinated approach to managing their interface. It is important to ensure that ...

