Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Financial cyberthreats in 2022
March 29, 2023
Financial gain remains the key driver of cybercriminal activity. In the past year, we’ve seen multiple developments in this area – from new attack schemes targeting contactless payments to multiple ransomware groups continuing to emerge and haunt businesses. However, traditional financial threats – such as banking malware and financial phishing, continue to take up a ...
- Copy-paste heist or clipboard-injector attacks on cryptousers
March 28, 2023
It is often the case that something new is just a reincarnation of something old. Kaspersky reasearchers have come across a series of clipboard injection attacks on cryptocurrency users, which emerged starting from September 2022. Although they have written about a similar malware attack in 2017 in one of our blogposts, the technique is still ...
- To pay or not to pay – that’s the question as ransomware attacks rise
March 28, 2023
There is rarely a day that goes by when there isn’t a major local, national or international story about a well know organisation being hit by a cyber attack that has huge potential to disrupt the business and damage their brand. In the past few weeks alone we’ve seen Eurovision fans in a panic after Booking.com ...
- APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations
March 28, 2023
Mandiant researchers released a report on APT43, a prolific threat actor operating on behalf of the North Korean regime that they have observed engaging in cybercrime as a way to fund their espionage operations. According to Mandiant they track tons of activity throughout the year, but don’t always have enough evidence to attribute it to a ...
- Crown Resorts confirms ransom demand after GoAnywhere breach
March 28, 2023
Crown Resorts, Australia’s largest gambling and entertainment company, has confirmed that it suffered a data breach after its GoAnywhere secure file-sharing server was breached using a zero-day vulnerability. The Blackstone-owned company has an annual revenue that surpasses $8 billion and operates complexes in Melbourne, Perth, Sydney, Macau, and London. Read more… Source: Bleeping Computer
- The criminal use of ChatGPT – a cautionary tale about large language models
March 27, 2023
Their insights are compiled in Europol’s first Tech Watch Flash report published today. Entitled ‘ChatGPT – the impact of Large Language Models on Law Enforcement’, this document provides an overview on the potential misuse of ChatGPT, and offers an outlook on what may still be to come. Read more… Source: Europol