Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Ransomware gangs are now rich enough to buy zero-day flaws
November 16, 2021
Cyber criminals are becoming more advanced as they continue to find new ways to deliver attacks, and some are now willing to buy zero-day vulnerabilities, something more traditionally associated with nation-states. Knowledge about vulnerabilities and exploits can command a high price on underground forums, because being able to take advantage of them can be very profitable ...
- FBI Email Hoaxer ID’ed by the Guy He Allegedly Loves to Torment
November 16, 2021
Vinny Troia, the cybersecurity researcher mentioned in a fake alert gushed out to thousands of people from the FBI’s own email system on Friday night, has fingered the guy who allegedly pulled off the exploit. Troia – white hat threat hunter, cybercrime investigator and founder of security firms Night Lion Security and its rebranded version, Shadowbyte ...
- Emotet, once the world’s most dangerous malware, is back
November 16, 2021
Emotet, once described as “the world’s most dangerous malware” before being taken down by a major international police operation, is apparently back – and being installed on Windows systems infected with TrickBot malware. Emotet malware provided its controllers with a backdoor into compromised machines, which could be leased out to other groups, including ransomware gangs, to ...
- 200M Adult Cam Model, User Records Exposed in Stripchat Breach
November 16, 2021
A database containing the highly sensitive information on both users and models on the popular adult cam site StripChat were discovered online, left completely unprotected. The data exposure puts models and users at risk of extortion, violence and more. Stripchat is a popular site founded in 2016 and based in Cyprus that sells live access to ...
- MosesStaff attacks organizations with encryption malware: No payment demand made
November 16, 2021
The MosesStaff hacking group has entered the ‘ransomware’ fray with a difference: blackmail payments are furthest from their minds. On November 15, Check Point Research (CPR) said the group began targeting organizations in Israel during September this year, joining campaigns launched by Pay2Key and BlackShadow. The focus of these operations was to deploy ransomware on their victim’s ...
- New Rowhammer technique bypasses existing DDR4 memory defenses
November 15, 2021
Researchers have developed a new fuzzing-based technique called ‘Blacksmith’ that revives Rowhammer vulnerability attacks against modern DRAM devices that bypasses existing mitigations. The emergence of this new Blacksmith method demonstrates that today’s DDR4 modules are vulnerable to exploitation, allowing a variety of attacks to be conducted. Rowhammer is a security exploit that relies on the leaking of ...