Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Mind the Gap
November 22, 2022
In June 2022, Project Zero researcher Maddie Stone gave a talk at FirstCon22 titled 0-day In-the-Wild Exploitation in 2022…so far. A key takeaway was that approximately 50% of the observed 0-days in the first half of 2022 were variants of previously patched vulnerabilities. This finding is consistent with our understanding of attacker behavior: attackers will ...
- US offshore oil and gas installation at ‘increasing’ risk of cyberattack
November 21, 2022
The US Government Accountability Office (GAO) has warned that the time to act on securing the US’s offshore oil and natural gas installations is now because they are under “increasing” and “significant risk” of cyberattack. A report to Congress looked at a network of “more than 1,600 offshore oil and gas facilities,” which the federal watchdog ...
- Luna Moth Callback Phishing Campaign
November 21, 2022
Unit 42 investigated several incidents related to the Luna Moth/Silent Ransom Group callback phishing extortion campaign targeting businesses in multiple sectors including legal and retail. This campaign leverages extortion without encryption, has cost victims hundreds of thousands of dollars and is expanding in scope. By design, this style of social engineering attack leaves very few artifacts ...
- New ransomware encrypts files, then steals your Discord account
November 20, 2022
The new ‘AXLocker’ ransomware family is not only encrypting victims’ files and demanding a ransom payment but also stealing the Discord accounts of infected users. When a user logs into Discord with their credentials, the platform sends back a user authentication token saved on the computer. This token can then be used to log in as ...
- More than 17 million control system cyber incidents are hidden in plain sight
November 18, 2022
Control system cyber incidents are more plentiful and impactful than most observers expect – more than 17 million directly resulting in more than 34,000 deaths. While there have been more than 1,200 electric grid cyber-related incidents, that doesn’t adequately reflect the true impact on customers and the economy. The majority of the 17 million-plus control ...
- Vanuatu: Hackers strand Pacific island government for over a week
November 18, 2022
Vanuatu’s government has been knocked offline for more than 11 days after a suspected cyber-attack on servers in the country. The hack has disabled the websites of the Pacific island’s parliament, police and prime minister’s office. It has also taken down the email system, intranet and online databases of schools, hospitals and other emergency services as well ...