Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- “Reprompt” attack lets attackers steal data from Microsoft Copilot
January 15, 2026
Researchers found a method to steal data which bypasses Microsoft Copilot’s built-in safety mechanisms. The attack flow, called Reprompt, abuses how Microsoft Copilot handled URL parameters in order to hijack a user’s existing Copilot Personal session. Copilot is an AI assistant which connects to a personal account and is integrated into Windows, the Edge browser, and ...
- DeadLock Ransomware: Smart Contracts for Malicious Purposes
January 15, 2026
DeadLock is a ransomware family discovered in July 2025. It is notable for not being associated with any known affiliate programs and for lacking a Data Leak Site (DLS). This, combined with the limited number of reported victims, has resulted in low exposure for the group. However, Group-IB specialists have discovered an interesting use of ...
- Microsoft disrupts global cybercrime subscription service responsible for millions in fraud losses
January 14, 2026
Today, Microsoft is announcing a coordinated legal action in the United States and, for the first time, the United Kingdom to disrupt RedVDS, a global cybercrime subscription service fueling millions in fraud losses. These efforts are part of a broader joint operation with international law enforcement, including German authorities and Europol, which has allowed Microsoft and ...
- Phishing scammers are posting fake “account restricted” comments on LinkedIn
January 14, 2026
Recently, fake LinkedIn profiles have started posting comment replies claiming that a user has “engaged in activities that are not in compliance” with LinkedIn’s policies and that their account has been “temporarily restricted” until they submit an appeal through a specified link in the comment. The accounts posting the comments all try to look like official ...
- US cargo tech company publicly exposed its shipping systems and customer data to the web
January 14, 2026
For the past year, security researchers have been urging the global shipping industry to shore up their cyber defenses after a spate of cargo thefts were linked to hackers. The researchers say they have seen elaborate hacks targeting logistics companies to hijack and redirect large amounts of their customers’ products into the hands of criminals, in ...
- Online shoppers at risk as Magecart skimming hits major payment networks
January 14, 2026
Researchers have been tracking a Magecart campaign that targets several major payment providers, including American Express, Diners Club, Discover, and Mastercard. Magecart is an umbrella term for criminal groups that specialize in stealing payment data from online checkout pages using malicious JavaScript, a technique known as web skimming. In the early days, Magecart started as a ...

