Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor


Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.

GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.

Source: Mandiant/GTIG



