Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Medusa ransomware crew brags about spreading Bing, Cortana source code
April 20, 2023
The Medusa ransomware gang has put online what it claims is a massive leak of internal Microsoft materials, including Bing and Cortana source code. “This leak is of more interest to programmers, since it contains the source codes of the following Bing products, Bing Maps and Cortana,” the crew wrote on its website, which was screenshotted ...
- CISA and Partners Release Cybersecurity Best Practices for Smart Cities
April 19, 2023
Today, CISA, NSA, FBI, NCSC-UK, ACSC, CCCS and NCSC-NZ released a joint guide: Cybersecurity Best Practices for Smart Cities. Smart cities may create safer, more efficient, resilient communities through technological innovation and data-driven decision making. However, this opportunity also introduces potential vulnerabilities and weaknesses that—if exploited—could impact national security, economic security, public health and safety, and ...
- Microsoft SQL servers hacked to deploy Trigona ransomware
April 19, 2023
Attackers are hacking into poorly secured and Interned-exposed Microsoft SQL (MS-SQL) servers to deploy Trigona ransomware payloads and encrypt all files. The MS-SQL servers are being breached via brute-force or dictionary attacks that take advantage of easy-to-guess account credentials. Read more… Source: Bleeping Computer
- Growth of ‘hackers for hire’ will lead to more attacks and unpredictable threats, UK cyber security agency warns
April 19, 2023
The number of “hackers for hire” is set to grow over the next five years, leading to more cyber attacks and increasingly unpredictable threats, the UK’s cyber security agency has warned. A rise in spyware is also anticipated and other hacking tools, according to a new report by the National Cyber Security Centre (NCSC), which is ...
- Google patches another actively exploited Chrome zero-day
April 19, 2023
Google has released a security update for the Chrome web browser to fix the second zero-day vulnerability found to be exploited in attacks this year. “Google is aware that an exploit for CVE-2023-2136 exists in the wild,” reads the security bulletin from the company. Read more… Source: Bleeping Computer
- Play ransomware gang uses custom Shadow Volume Copy data-theft tool
April 19, 2023
The Play ransomware group has developed two custom tools in .NET, namely Grixba and VSS Copying Tool, which it uses to improve the effectiveness of its cyberattacks. The two tools enable attackers to enumerate users and computers in compromised networks, gather information about security, backup, and remote administration software, and easily copy files from Volume Shadow ...