Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- DarkHalo after SolarWinds: the Tomiris connection
September 29, 2021
In December 2020, news of the SolarWinds incident took the world by storm. While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme carefulness of the attackers and the high-profile nature of their victims. It is believed that when FireEye ...
- Working Exploit Is Out for VMware vCenter CVE-2021-22005 Flaw
September 28, 2021
A fully working exploit for the critical CVE-2021-22005 remote code-execution (RCE) vulnerability in VMware vCenter is now public and being exploited in the wild. Released on Monday by Rapid7 security engineer William Vu (who goes by the Twitter handle wvu), this one’s different from the incomplete proof-of-concept (PoC) exploit that began making the rounds on Friday. ...
- SolarWinds Attackers Hit Active Directory Servers with FoggyWeb Backdoor
September 28, 2021
The threat actors behind the notorious SolarWinds supply-chain attacks have dispatched new malware to steal data and maintain persistence on victims’ networks, researchers have found. Researchers from the Microsoft Threat Intelligence Center (MSTIC) have observed the APT it calls Nobelium using a post-exploitation backdoor dubbed FoggyWeb, to attack Active Directory Federation Services (AD FS) servers. AD ...
- Fake Installers Drop Malware and Open Doors for Opportunistic Attackers
September 27, 2021
It is widely known that with regard to cybersecurity, a user is often identified as the weakest link. This means that they become typical entry vectors for attacks and common social-engineering targets for hackers. Enterprises can also suffer from these individual weak links. Employees are sometimes unaware of online threats, or are unfamiliar with cybersecurity ...
- BloodyStealer and gaming assets for sale
September 27, 2021
Earlier this year, Kaspersky researchers covered the threats related to gaming, and looked at the changes from 2020 and the first half of 2021 in mobile and PC games as well as various phishing schemes that capitalize on video games. Many of the threats faced by gamers are associated with loss of personal data, and ...
- United Health Centers ransomware attack claimed by Vice Society
September 24, 2021
California-based United Health Centers suffered a ransomware attack that reportedly disrupted all of their locations and resulted in patient data theft. United Health Centers is a health care provider in California with twenty-one community health centers servicing Fresno, Kings, and Tulare counties. On August 31st, BleepingComputer was told by a source in the cybersecurity industry that United ...