Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- A Confession Exposes India’s Secret Hacking Industry
June 1, 2023
In the summer of 2020, Jonas Rey, a private investigator in Geneva, got a call from a client with a hunch. The client, the British law firm Burlingtons, represented an Iranian-born American entrepreneur, Farhad Azima, who believed that someone had hacked his e-mail account. Azima had recently helped expose sanctions-busting by Iran, so Iranian hackers ...
- Progress Software Releases Security Advisory for MOVEit Transfer
June 1, 2023
Progress Software has released a security advisory for a SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer—a Managed File Transfer Software. A cyber threat actor could exploit this vulnerability to take over an affected system. CISA urgers users and organizations to review the MOVEit Transfer Advisory. Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency
- North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media
June 1, 2023
The Federal Bureau of Investigation (FBI), the U.S. Department of State, and the National Security Agency (NSA), together with the Republic of Korea’s National Intelligence Service (NIS), National Police Agency (NPA), and Ministry of Foreign Affairs (MOFA), are jointly issuing this advisory to highlight the use of social engineering by Democratic People’s Republic of Korea ...
- Warning issued over ‘widespread’ exploitation of Zyxel NAS devices
June 1, 2023
Security researchers at two companies have issued warnings over ‘widespread’ exploitation of Zyxel network devices. Researchers at Rapid7 raised the alarm over the ongoing exploitation of a critical authenticated command injection vulnerability, tracked as CVE-2023-28771, that was found to affect multiple Zyxel devices. Read more… Source: ITPro
- Operation Triangulation: iOS devices targeted with previously unknown malware
June 1, 2023
While monitoring its own corporate Wi-Fi network dedicated for mobile devices using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), Kaspersky researchers noticed suspicious activity that originated from several iOS-based phones. Since it is impossible to inspect modern iOS devices from the inside, researchers created offline backups of the devices in question, inspected them using the ...
- New Horabot campaign targets the Americas
June 1, 2023
Cisco Talos has observed a threat actor deploying a previously unidentified botnet program Talos is calling “Horabot,” which delivers a known banking trojan and spam tool onto victim machines in a campaign that has been ongoing since at least November 2020. The threat actor appears to be targeting Spanish-speaking users in the Americas and, based on ...

