Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Conti ransomware group’s source code leaked
March 2, 2022
Infamous ransomware group Conti is now the target of cyberattacks in the wake of its announcement late last week that it fully supports Russia’s ongoing invasion of neighboring Ukraine, with the latest hit being the leaking of its source code for the public to see. This disclosure comes just days after an archive leaked containing more ...
- SMS PVA Part 3: Countries Most Impacted by Service
March 2, 2022
Part two of our blog entry discussed the impacts and implications of SMS PVA services. The article also explored how these services work by using Carousell as an example. Moreover, it discussed the “benefits” of SMS PVA services to cybercriminals. In the final installation of our series, we’ll discuss relevant statistics and recommendations to mitigate the ...
- TeaBot Android Banking Trojan continues its global conquest with new upgrades
March 2, 2022
The TeaBot Remote Access Trojan (RAT) has been upgraded, leading to a huge increase in both targets and spread worldwide. On March 1, the Cleafy research team said TeaBot now targets over 400 applications, pivoting from an earlier focus on “smishing” to more advanced tactics. Smishing attacks are used to compromise mobile handsets via spam text messages ...
- DDoS attackers have found this new trick to knock over websites
March 2, 2022
Distributed denial of service (DDoS) attackers are using a new technique to knock websites offline by targeting vulnerable ‘middleboxes’, such as firewalls, to amplify junk traffic attacks. Amplification attacks are nothing new and have helped attackers knock over servers with short busts of traffic as high as 3.47 Tbps. Microsoft last year mitigated attacks on this ...
- Hackers Become the Hacked: Anonymous’ Site Taken Down Following Declaration of ‘Cyberwar’ on Russia
March 1, 2022
The Anonymous hacker collective began attacking the Russian segment of the internet Friday in connection with the situation in Ukraine, targeting websites of Russian businesses, media, the military and various government agencies. A hacking group called Killnet claims to have brought down a key website affiliated with Anonymous, as well as the neo-Nazi Ukrainian Right Sector ...
- Second data-wiping malware found in Ukraine, says ESET
March 1, 2022
The disk-wiping malware that tore through at least hundreds of Ukrainian Windows systems at the start of Russia’s occupation wasn’t alone. Slovakian infosec firm ESET has found a second similar strain in Ukraine. “Malware artefacts suggest that the attacks had been planned for several months,” said the biz. Last week, as the Russian armed forces invaded ...