Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- FBI: Scammers Exploit Security Weaknesses on Job Recruitment Websites to Impersonate Legitimate Businesses, Threatening Company Reputation and Defrauding Job Seekers
February 1, 2022
The FBI warns that malicious actors or ‘scammers’ continue to exploit security weaknesses on job recruitment websites to post fraudulent job postings in order to trick applicants into providing personal information or money. These scammers lend credibility to their scheme by using legitimate information to imitate businesses, threatening reputational harm for the business and financial ...
- Update now: Samba prior to 4.13.17 hit with remote root code execution bug
February 1, 2022
Samba has fixed a vulnerability in all versions of its software prior to version 4.13.17 that allowed for a remote actor to execute code as root, thanks to an out-of-bounds heap read write vulnerability. “The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write ...
- Powerful new Oski variant ‘Mars Stealer’ grabbing 2FAs and crypto
February 1, 2022
A new and powerful malware named ‘Mars Stealer’ has appeared in the wild, and appears to be a redesign of the Oski malware that shut down development abruptly in the summer of 2020. Mars Stealer is an information-stealing malware that steals data from all popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets. Additionally, ...
- Shell forced to reroute supplies after cyberattack on two German oil companies
February 1, 2022
A cyberattack on two German oil suppliers has forced energy giant Shell to reroute oil supplies to other depots, according to Reuters and the Handelsblatt newspaper. Handelsblatt was the first to report on Monday that oil companies Oiltanking and Mabanaft, both owned by German logistics conglomerate Marquard & Bahls Group, had suffered a cyberattack that crippled ...
- Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables
January 31, 2022
MuddyWater has conducted various campaigns against entities spread throughout the U.S.A, Europe, Middle East and South Asia. A typical TTP employed by the group is the heavy use of scripting in their infection chains using languages like PowerShell and Visual Basic coupled with the frequent use of living-off-the-land binaries (LoLBins). Cisco Talos recently observed a campaign operated ...
- Potential for Malicious Cyber Activities to Disrupt the 2022 Beijing Winter Olympics and Paralympics
January 31, 2022
The FBI is warning entities associated with the February 2022 Beijing Winter Olympics and March 2022 Paralympics that cyber actors could use a broad range of cyber activities to disrupt these events. These activities include distributed denial of service (DDoS) attacks, ransomware, malware, social engineering, data theft or leaks, phishing campaigns, disinformation campaigns, or insider ...