Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Ukrainian cops nab suspects accused of stealing $4.3m from victims across Europe
April 1, 2023
Ukrainian cops have arrested two suspects and detained 10 others for their alleged roles in a cybercrime gang that used phishing scams and phony online marketplaces to steal more than $4.3 million from over 1,000 victims across Europe. The fraudsters created more than 100 phishing sites to obtain victims’ bank card information and access their accounts, ...
- CVE-2023-23397 – Microsoft Outlook Privilege Escalation
March 31, 2023
On March 14, 2023, Microsoft released a patch for CVE-2023-23397. CVE-2023-23397 is a vulnerability in the Windows Microsoft Outlook client that can be exploited by sending a specially crafted email that triggers automatically when it is processed by the Outlook client. No user interaction is required to trigger the exploit. Exploitation of the vulnerability will leak ...
- Mac Malware MacStealer Spreads as Fake P2E Apps
March 30, 2023
Trend Micro researchers analyzed a Mac malware called MacStealer (detected by Trend Micro as TrojanSpy.MacOS.CpypwdStealer.A), a cryptocurrency wallet and information stealer disguised as a plagiarized version of a legitimate play-to-earn (P2E) game app. We posted a warning for users to avoid this threat early; this article discusses the technical details of the malware and the ...
- CISA Adds Ten Known Exploited Vulnerabilities to Catalog
March 30, 2023
CISA has added ten new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2013-3163 Microsoft Internet Explorer Memory Corruption Vulnerability CVE-2014-1776 Microsoft Internet Explorer Memory Corruption Vulnerability CVE-2017-7494 Samba Remote Code Execution Vulnerability Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency
- Supply Chain Attack Against 3CXDesktopApp
March 30, 2023
CISA is aware of open-source reports describing a supply chain attack against 3CX software and their customers. According to the reports, 3CXDesktopApp — a voice and video conferencing app — was trojanized, potentially leading to multi-staged attacks against users employing the vulnerable app. CISA urges users and organizations to review the following reports for more information, ...
- Millions of Australians Caught Up in Cyber Attacks
March 29, 2023
One of Australia’s biggest property companies said Wednesday it had been hit by cybercriminals who may have stolen data about staff and guests. Staff members at Meriton, a large Australian property business, were warned Wednesday that cybercriminals may have accessed details of their bank accounts and details of their salaries, disciplinary history and performance appraisals. Read more… Source: ...