Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Conti Ransomware Gang: An Overview
June 18, 2021
Conti ransomware stands out as one of the most ruthless of the dozens of ransomware gangs that we follow. The group has spent more than a year attacking organizations where IT outages can have life-threatening consequences: hospitals, 911 dispatch carriers, emergency medical services and law enforcement agencies. Ireland has yet to recover from an attack ...
- Fake DarkSide Campaign Targets Energy and Food Sectors
June 18, 2021
The ransomware attack on the major fuel supply company Colonial Pipeline recently made headlines. The incident has been attributed to the DarkSide threat actor, once again thrusting the group’s name into the spotlight. With this, it would not be surprising to find threat actors taking advantage of this incident for their own socially-engineered campaigns. Several companies ...
- A deep dive into the operations of the LockBit ransomware group
June 18, 2021
Researchers have provided an in-depth look at how LockBit, one of the newer ransomware groups on the scene, operates. Ransomware has become one of the most disruptive forms of cyberattack this year. It was back in 2017 with the global WannaCry outbreak that we first saw the severe disruption the malware could cause, and in 2021, ...
- Carnival Cruise Cyber-Torpedoed by Cyberattack
June 18, 2021
Carnival Corp., the world’s largest cruise-ship operator, has sprung another leak: For the second time in a year, attackers have breached email accounts and accessed personal, financial and health information belonging to guests, employees and crew. Carnival has quite the armada: Its cruise brands include Carnival Cruise Line, Princess Cruises, Holland America Line, Seabourn, P&O Cruises ...
- Black Kingdom ransomware
June 17, 2021
Black Kingdom ransomware appeared on the scene back in 2019, but we observed some activity again in 2021. The ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065). The complexity and sophistication of the Black Kingdom family cannot bear a comparison with other Ransomware-as-a-Service (RaaS) or Big Game Hunting (BGH) families. ...
- Kremlin spokesman lists top countries where cyber attacks originate
June 17, 2021
Kremlin Spokesman Dmitry Peskov has prepared a list of the top countries, where cyber attacks originate, at the request of Russian President Vladimir Putin, handing over this list to reporters. “In the first half of 2020, the leaders among all countries where all types of cyber attacks originated are: the US, Canada, Brazil, Mexico, the UK,” ...