Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor


Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.

GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.

Read more…
Source: Mandiant/GTG


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region

    July 7, 2023

    This sophisticated campaign targeting LATAM region employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage. These modules are custom designed to carry out malicious activities, such as injecting harmful code into remote processes, circumventing User Account Control via COM Elevation Moniker, and evading detection by Sandboxes through clever ...

  • Telegram has become a window into war

    July 7, 2023

    Since the invasion of Ukraine in February 2022, Telegram has gained an outsize influence on one of the world’s most watched conflicts. “Telegram is fantastic for many, many reasons and for the fact that we’ve managed to see what is happening at such a crucial point in history,” says Jordan Wildon, digital investigator and founder ...

  • The five-day job: A BlackByte ransomware intrusion case study

    July 6, 2023

    As ransomware attacks continue to grow in number and sophistication, threat actors can quickly impact business operations if organizations are not well prepared. In a recent investigation by Microsoft Incident Response (previously known as Microsoft Detection and Response Team – DART) of an intrusion, they found that the threat actor progressed through the full attack ...

  • Charges filed in cyber attack on East Bay water treatment plant

    July 6, 2023

    A 53-year-old Tracy man is facing federal criminal charges in connection with an alleged attack on the computer systems of a Discovery Bay water treatment plant more than two years ago, according to the U.S. Attorney’s Office. Rambler Gallo was a full-time employee of a private Massachusetts-based company that contracted with Discovery Bay to operate the ...

  • CISA and Partners Release Joint Cybersecurity Advisory on Newly Identified Truebot Malware Variants

    July 6, 2023

    Today, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigations (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint Cybersecurity Advisory (CSA), Increased Truebot Activity Infects U.S. and Canada Based Networks, to help organizations detect and protect against newly identified Truebot malware ...

  • Japan’s biggest port hit by suspected cyberattack, operations halted

    July 5, 2023

    The Port of Nagoya, Japan’s largest port by total cargo throughput and responsible for handling some of Toyota Motor Corp.’s car exports, has suffered a crippling system glitch, with the port operator saying Wednesday it suspects a cyberattack. As of noon, the port in central Japan remained unable to load and unload containers from trailers. Police ...