Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- SMS PVA Part 2: Underground Service for Cybercriminals
February 27, 2022
In part one, Trend Micro researchers extensively discussed SMS PVA and started investigating a particular service called ReceiveCode that our team first found on a Facebook advertisement. ReceiveCode offers users access to SMS code verification sent to mobile numbers that the company has in their storage. Customers simply need to sign up to their customer-facing portal, ...
- Nvidia probes cyberattack on internal systems
February 26, 2022
Nvidia is probing what may be a ransomware infection that caused outages within its internal network. The malware is said to have taken hold in the past two days, knocking down email and developer systems. The GPU giant continues to investigate. In a statement, an Nvidia spokesperson told The Register on Friday: “Our business and commercial activities continue uninterrupted. ...
- Destructive Malware Targeting Organizations in Ukraine
February 26, 2022
Leading up to Russia’s unprovoked attack against Ukraine, threat actors deployed destructive malware against organizations in Ukraine to destroy computer systems and render them inoperable. On January 15, 2022, the Microsoft Threat Intelligence Center (MSTIC) disclosed that malware, known as WhisperGate, was being used to target organizations in Ukraine. According to Microsoft, WhisperGate is intended to ...
- TrickBot malware operation shuts down, devs move to stealthier malware
February 25, 2022
The TrickBot malware operation has shut down after its core developers move to the Conti ransomware gang to focus development on the stealthy BazarBackdoor and Anchor malware families. TrickBot is a notorious Windows malware infection that has dominated the threat landscape since 2016. The malware is commonly installed via malicious phishing emails or other malware, and will ...
- Ransomware groups and hacktivist collective are getting involved in the military conflict between Ukraine and Russia
February 25, 2022
Multiple ransomware groups and members of the hacktivist collective Anonymous announced this week that they are getting involved in the military conflict between Ukraine and Russia. On Thursday, members of Anonymous announced on Twitter that they would be launching attacks against the Russian government. The hacktivists defaced some local government websites in Russia and temporarily took ...
- Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
February 24, 2022
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have observed a group of Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater, conducting cyber espionage and other malicious cyber operations targeting ...