Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor


Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.

GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.

Read more…
Source: Mandiant/GTG


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Indian hackers launch cyber attacks on Qatar to avenge death penalty of former Navy officers

    November 8, 2023

    An Indian hacker group, named ‘Indian Cyber Force’ launched cyber attacks on Qatar in response to the death sentence handed to eight former Indian Navy officers by a Qatari court in Espionage case. The Indian hackers claimed of carrying out cyber attacks on Qatar on November 7. They also alleged of executing unauthorised server access, leaked ...

  • Personal data of 665,000 Marina Bay Sands lifestyle rewards members accessed in data security breach

    November 7, 2023

    The personal data of 665,000 Marina Bay Sands customers was accessed in a data security breach in October. The “unauthorised access” took place on Oct 19 and Oct 20 and involved the data of some Sands LifeStyle rewards programme members, said a Marina Bay Sands (MBS) spokesperson on Tuesday (Nov 7). MBS said in response ...

  • Okta breach happened after employee logged into personal Google account

    November 7, 2023

    Okta has revealed details about a recent breach which exposed files belonging to customers. As Malwarebytes explained in their article about 1Password being a victim of this breach, it’s normal for Okta support to ask customers to upload a file known as an HTTP Archive (HAR) file. Having this file allows the team to troubleshoot ...

  • Gaming-related cyberthreats in 2023: Minecrafters targeted the most

    November 6, 2023

    The gaming industry continues growing. The Newzoo report for 2023 reveals that two in five – more than three billion – across the globe are gamers, which is 6.3 percent more than last year. Globally, gaming revenue amounts to an estimated US$242.39 billion, with almost half of that generated by the Asia Pacific. By the ...

  • Rapid7 Observed Exploitation of Atlassian Confluence CVE-2023-22518

    November 6, 2023

    As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment. We have confirmed that at least some of the exploits are targeting CVE-2023-22518, an improper authorization vulnerability affecting Confluence Data Center and Confluence Server. Atlassian published an advisory for the vulnerability ...

  • Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors

    November 6, 2023

    Unit 42 researchers have investigated a series of destructive cyberattacks beginning in January 2023 and continuing as recently as October 2023, targeting the education and technology sectors in Israel. The attacks are characterized by attempts to steal sensitive data, such as personally identifiable information (PII) and intellectual property. Once the attackers stole the information, they ...