Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Hackers take over diplomat’s email, target Russian deputy minister
January 12, 2022
Hackers believed to work for the North Korean government have compromised the email account of a staff member of Russia’s Ministry of Foreign Affairs (MID) and deployed spear-phishing attacks against the country’s diplomats in other regions. One of the targets was Sergey Alexeyevich Ryabko, the deputy foreign minister for the Russian Federation, among other things responsible ...
- Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
January 11, 2022
This joint Cybersecurity Advisory (CSA)—authored by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA)—is part of our continuing cybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats. This CSA provides an overview of Russian state-sponsored ...
- noPac Exploit: Latest Microsoft AD Flaw May Lead to Total Domain Compromise in Seconds
January 11, 2022
Microsoft recently published two critical CVEs related to Active Directory (CVE-2021-42278 and CVE-2021-42287), which when combined by a malicious actor could lead to privilege escalation with a direct path to a compromised domain. In mid-December 2021, a public exploit that combined these two Microsoft Active Directory design flaws (referred also as “noPac”) was released. The exploit ...
- Millions of Routers Exposed to RCE by USB Kernel Bug
January 11, 2022
Millions of popular end-user routers are at risk of remote code execution (RCE) due to a high-severity flaw in the KCodes NetUSB kernel module. The module enables remote devices to connect to routers over IP and access any USB devices (such as printers, speakers, webcams, flash drives and other peripherals) that are plugged into them. This ...
- Make sure you’re up-to-date with Sonicwall SMA 100 VPN box patches – security hole exploit info is now out
January 11, 2022
Technical details and exploitation notes have been published for a remote-code-execution vulnerability in Sonicwall SMA 100 series VPN appliances. The information was released today by infosec outfit Rapid7. This comes about a month after Sonicwall issued a patch for the security hole, which was discovered and privately disclosed by Rapid7’s Jake Baines to Sonicwall in October. If ...
- LoRaWAN’s Protocol Stacks: The Forgotten Targets at Risk
January 11, 2022
Our LoRaWAN security series has so far outlined multiple security flaws, vulnerability issues, and entry vectors that attackers have been known to use. In this fourth part of the series, we talk about an attack vector that, so far, has not attracted much attention: the LoRaWAN stack. Although it is not a typical target, it ...