Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- BlackByte ransomware abuses legit driver to disable security products
October 5, 2022
The BlackByte ransomware gang is using a new technique that researchers are calling “Bring Your Own Driver,” which enables bypassing protections by disabling more than 1,000 drivers used by various security solutions. Recent attacks attributed to this group involved a version of the MSI Afterburner RTCore64.sys driver, which is vulnerable to a privilege escalation and code ...
- Russian Hackers Reveal List of American Targets for Attack
October 5, 2022
A pro-Russian computer hacking cell announced it will be launching a series of cyber attacks on a number of United States government websites in an apparent response to escalating tensions between the country and the North Atlantic Treaty Organization (NATO). In a Telegram post Wednesday, Killnet, a notorious “hacktivist” group formed at the onset of the ...
- Uncommon infection and malware propagation methods
October 5, 2022
Kaspersky researchers are often asked how targets are infected with malware. Their answer is nearly always the same: (spear) phishing. There will be exceptions, naturally, as they will encounter RCE vulnerabilities every now and then, or if the attacker is already on the network, they will use tools like PsExec. But that’s it — most ...
- New Android malware ‘RatMilad’ can steal your data, record audio
October 5, 2022
A new Android spyware named ‘RatMilad’ was discovered targeting mobile devices in the Middle East, used to spy on victims and steal data. The RatMilad spyware was discovered by mobile security firm Zimperium who warned that the malware could be used for cyber espionage, extortion, or to eavesdrop on victim’s conversations. “Similar to other mobile spyware we ...
- NSA, CISA, FBI Warn of Custom Exfiltration Tools Being Used Against Defense Industrial Base Organization
October 4, 2022
FORT MEADE, Md. — The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the FBI released a Cybersecurity Advisory today that details the tactics, techniques and procedures (TTPs) that likely multiple advanced persistent threat (APT) groups recently used to steal sensitive information from a Defense Industrial Base organization. The advisory, “Impacket, ...
- Tracking Earth Aughisky’s Malware and Changes
October 4, 2022
For security researchers and analysts monitoring advanced persistent threat (APT) groups’ attacks and tools, Earth Aughisky (also known as Taidoor) is among the more active units that consistently make security teams vigilant. Over the last decade, the group has continued to make adjustments in the tools and malware deployments on specific targets located in Taiwan ...