Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- CISA Releases Security Advisories Related to OT:ICEFALL (Insecure by Design) Report
June 22, 2022
CISA is aware that Forescout researchers have released OT:ICEFALL, a report on 56 vulnerabilities caused by insecure-by-design practices in operational technology across multiple vendors. The vulnerabilities are divided into four main categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates and remote code execution via native functionality. CISA has released six corresponding ...
- Keeping PowerShell: Security Measures to Use and Embrace
June 22, 2022
Cybersecurity authorities from the United States, New Zealand, and the United Kingdom recommend proper configuration and monitoring of PowerShell, as opposed to removing or disabling PowerShell entirely. This will provide benefits from the security capabilities PowerShell can enable while reducing the likelihood of malicious actors using it undetected after gaining access into victim networks. The ...
- Critical PHP flaw exposes QNAP NAS devices to RCE attacks
June 22, 2022
QNAP has warned customers today that most of its Network Attached Storage (NAS) devices are vulnerable to attacks that would exploit a three-year-old critical PHP vulnerability allowing remote code execution. “A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11. If exploited, the vulnerability allows attackers to ...
- Yodel blames cyber incident for disruption and parcel-tracking problems
June 22, 2022
Delivery company Yodel is experiencing service delays because of what it describes as a “cyber incident” affecting customer services and parcel tracking. “Yodel has experienced a cyber incident that has caused some disruption. We are servicing customers but tracking is currently impacted,” a Yodel spokesperson told ZDNet. “As soon as we detected the incident, we launched an ...
- An unknown APT actor attacking high-profile entities in Europe and Asia
June 21, 2022
ToddyCat is a relatively new APT actor that we have not been able to relate to other known actors, responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. We still have little information about this actor, but we know that its main distinctive signs are two formerly ...
- Russian govt hackers hit Ukraine with Cobalt Strike, CredoMap malware
June 21, 2022
The Ukrainian Computer Emergency Response Team (CERT) is warning that Russian hacking groups are exploiting the Follina code execution vulnerability in new phishing campaigns to install the CredoMap malware and Cobalt Strike beacons. The APT28 hacking group is believed to be sending emails containing a malicious document name “Nuclear Terrorism A Very Real Threat.rtf.”. The threat ...