Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE-2023-3519)
July 20, 2023
Security and networking devices are “edge devices,” meaning they are connected to the internet. If an attacker is successful in exploiting a vulnerability on these appliances, they can gain initial access without human interaction, which reduces the chances of detection. As long as the exploit remains undiscovered, the threat actor can reuse it to gain access ...
- Google says Apple employee found a zero-day but did not report it
July 20, 2023
Google fixed a zero-day in Chrome that was found by an Apple employee, according to comments in the official bug report. While the bug itself is not newsworthy, the circumstances of how this bug was found and reported to Google are, to say the least, peculiar. According to a Google employee, the bug was originally found ...
- KillNet Showcases New Capabilities While Repeating Older Tactics
July 20, 2023
In early 2022, Mandiant predicted that Russian cyber threat activity associated with the invasion of Ukraine would affect government and private sector targets in third-party countries, particularly neighboring countries, North Atlantic Treaty Organization (NATO) allies, and other nations voicing support for Ukraine. Russian government-linked actors have historically employed false hacktivist facades as a means of ...
- A nasty Google Cloud bug could let hackers use it to launch attacks
July 20, 2023
Cybersecurity researchers from Orca Security have uncovered a new bug in the Google Cloud Build service which could allow threat actors to gain almost full access to Google Artifact Registry code repositories. The repercussions of the flaw, the researchers are saying in their report, are quite dire. The researchers named the vulnerability Bad.Build, saying it allows ...
- CISA Releases Cybersecurity Advisory on Threat Actors Exploiting Citrix CVE-2023-3519
July 20, 2023
The Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Advisory (CSA), Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells, to warn organizations about threat actors exploiting CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors exploited this vulnerability as a ...
- North Korea-backed hackers breached JumpCloud to target cryptocurrency clients
July 20, 2023
North Korean state-backed hackers breached U.S. enterprise software company JumpCloud to target its cryptocurrency clients, security researchers said on Thursday. JumpCloud, a directory platform that allows enterprises to authenticate, authorize and manage users and devices, said this week that a nation-state actor was behind a June breach of its systems that forced the company to reset ...

