Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor


Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.

GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.

Read more…
Source: Mandiant/GTG


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • New Agent Tesla Variant Being Spread by Crafted Excel Document

    September 5, 2023

    FortiGuard Labs captured a phishing campaign that spreads a new Agent Tesla variant. This well-known malware family uses a .Net-based Remote Access Trojan (RAT) and data stealer to gain initial access. It is often used for Malware-as-a-Service (MaaS). FortiGuard Labs researcher Xiaopeng Zhang performed an in-depth analysis of this campaign, from the initial phishing email to ...

  • CISA Releases Two Industrial Control Systems Advisories

    September 5, 2023

    CISA released two Industrial Control Systems (ICS) advisories on September 5, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-248-01 Fujitsu Limited Real-time Video Transmission Gear IP series Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency  

  • South Africa: Unprecedented cyber attacks target government entities

    September 5, 2023

    The incidence of spyware attacks has shown a significant surge of over 20% within South Africa with regard to 2023. The majority of these reported attacks have been concentrated on governmental websites and systems, thereby potentially engendering substantial instability to the national security framework of South Africa. The foundational principle of national security mandates that a ...

  • UK: Electoral Commission failed basic security test before hack

    September 5, 2023

    The Electoral Commission has confirmed it failed a basic cyber-security test around the same time hackers gained entry to the organisation. A whistleblower told the BBC that the Commission was given an automatic fail during a Cyber Essentials audit. Last month the Commission revealed that “hostile actors” accessed its emails and potentially the data of 40 ...

  • German Banking Regulator BaFin’s Website Hit by Cyber Attack

    September 4, 2023

    German banking regulator BaFin said its website has only been partially accessible since Friday after a so-called distributed denial of service attack. BaFin took security and defensive measures after the attack which also restrict access to the website, according to a spokeswoman. All of BaFin’s other systems are working without disruption, she said. Read more… Source: Yahoo! News  

  • Sweden: Significant increase in cyberattacks and they’re more advanced

    September 4, 2023

    Cyberattacks against Swedish authorities have increased in number and are more protracted and advanced, according to an investigation by Swedish Radio News. The Social Insurance Agency, Försäkringskassan, has seen such attacks double over three years, it says. Read more… Source: Radio Sweden