Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Hackers use Golang source code interpreter to evade detection
January 24, 2023
A Chinese-speaking hacking group tracked as ‘DragonSpark’ was observed employing Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia. The attacks are tracked by SentinelLabs, whose researchers report that DragonSpark relies on a little-known open-source tool called SparkRAT to steal sensitive data from compromised systems, execute commands, perform lateral ...
- Apple fixes actively exploited iOS zero-day on older iPhones, iPads
January 23, 2023
Apple has backported security patches addressing a remotely exploitable zero-day vulnerability to older iPhones and iPads. This bug is tracked as CVE-2022-42856, and it stems from a type confusion weakness in Apple’s Webkit web browser browsing engine. Read more… Source: Bleeping Computer
- FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony’s Horizon Bridge Currency Theft
January 23, 2023
The FBI continues to combat malicious cyber activity, including the threat posed by the Democratic People’s Republic of Korea (DPRK) to the U.S. and our private sector partners. Through our investigation, we were able to confirm that the Lazarus Group (also known as APT38), cyber actors associated with the DPRK, are responsible for the theft ...
- CISA Adds One Known Exploited Vulnerability to Catalog
January 23, 2023
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise. Note: To view the newly added vulnerabilities in the catalog, click on the arrow in the ...
- Russia’s largest ISP says 2022 broke all DDoS attack records
January 23, 2023
Russia’s largest internet service provider Rostelecom says 2022 was a record year for Distributed denial of service attacks (DDoS) targeting organizations in the country. DDoS attacks are cyberattacks aimed at making an internet-connected website or service unavailable by overwhelming it with many requests that deplete the server’s ability to accept new connections, causing the service to ...
- Hacker finds copy of TSA no-fly list on exposed cloud storage
January 22, 2023
A copy of the U.S. Transportation Security Administration’s “no-fly list” has been found by a Swiss hacker exposed on the open internet in yet another case of misconfigured cloud storage. First reported by The Daily Dot, the exposure of the database was found by a Swiss hacker known as “maia arson crimew” on a server run ...