Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Colorado: Cyber attack hits Fremont County government
August 23, 2022
Fremont County government services are being impacted by a cyber attack that began last week. According to a Facebook post made by Fremont County Emergency Management, county officials became aware of the attack, which was impacting county government systems, on Wednesday, Aug. 17. An incident response team led by Fremont County Emergency Management and the Governor’s Office ...
- New Iranian APT data extraction tool
August 23, 2022
As part of TAG’s mission to counter serious threats to Google and our users, they’ve analyzed a range of persistent threats including APT35 and Charming Kitten, an Iranian government-backed group that regularly targets high risk users. For years, Google TAG have been countering this group’s efforts to hijack accounts, deploy malware, and their use of ...
- French hospital hit by $10M ransomware attack, sends patients elsewhere
August 23, 2022
The Center Hospitalier Sud Francilien (CHSF), a 1000-bed hospital located 28km from the center of Paris, suffered a cyberattack on Sunday, which has resulted in the medical center referring patients to other establishments and postponing appointments for surgeries. CHSF serves an area of 600,000 inhabitants, so any disruption in its operations can endanger the health, and ...
- Smartphone gyroscopes threaten air-gapped systems, researcher finds
August 23, 2022
An Israeli security researcher known for foiling air gap security measures has published a reminder of just how vulnerable the approaches are to both visual and ultrasonic threats. A pair of preprint papers from Mordechai Guri, head of R&D at Ben-Gurion University’s Cyber Security Research Labs, detail new methods for transmitting data ultrasonically to smartphone gyroscopes ...
- LockBit ransomware blames Entrust for DDoS attacks on leak sites
August 22, 2022
The LockBit ransomware operation’s data leak sites have been shut down over the weekend due to a DDoS attack telling them to remove Entrust’s allegedly stolen data. In late July, digital security giant Entrust confirmed a cyberattack disclosing that threat actors had stolen data from its network during an intrusion in June. At the time, BleepingComputer ...
- CISA releases 7 Industrial Control Systems Advisories
August 22, 2022
CISA has released 7 Industrial Control Systems (ICS) advisories on August 23, 2022. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations: ICSA-22-235-01 ARC Informatique PcVue ICSA-22-235-02 Delta Industrial Automation DIALink ICSA-22-235-03 myScada Pro ICSA-22-235-05 Measuresoft ScadaPro Server ICSA-22-235-06 ...