Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- UK Research and Innovation (UKRI) suffers ransomware attack
January 30, 2021
The UK Research and Innovation (UKRI) is dealing with a ransomware incident that encrypted data and impacted two of its services, one offering information to subscribers and the platform for peer review of various parts of the agency. UKRI is a public body of the Government of the United Kingdom, tasked with investing in science and ...
- Chopper ASPX web shell used in targeted attack
January 29, 2021
Based on Trend Micro researchers investigation, the Chopper web shell is dropped via a system token, potentially via a Microsoft Exchange Server vulnerability. One notable vulnerability in the Microsoft Exchange Server is CVE-2020-0688, a remote code execution bug. Microsoft issued a patch for this vulnerability in February 2020. However, the malicious actors behind this attack ...
- Fonix ransomware shuts down and releases master decryption key
January 29, 2021
The Fonix Ransomware operators have shut down their operation and released the master decryption allowing victims to recover their files for free. Fonix Ransomware, also known as Xinof and FonixCrypter, began operating in June 2020 and has been steadily encrypting victims since. The ransomware operation was not as widely active as others, such as REvil, Netwalker, ...
- Post Office Phishing Hits Credit Card Users in 26 Countries
January 28, 2021
Phishing remains a popular and effective tactic that malicious actors continue to deploy against internet users. The current retail climate brought about by the global health crisis has only worsened the problem. Many countries across the globe have seen a surge in online shopping, and malicious actors are quick to deploy campaigns that take advantage ...
- Hezbollah’s cyber unit hacked into telecoms and ISPs
January 28, 2021
A Hezbollah-affiliated threat actor known as Lebanese Cedar has been linked to intrusions at telco operators and internet service providers in the US, the UK, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, the Palestinian Authority, and the UAE. The year-long hacking campaign started in early 2020 and was discovered by Israeli cyber-security firm Clearsky. In a report published ...
- Pro-Ocean: Rocke Group’s New Cryptojacking Malware
January 28, 2021
In 2019, Unit 42 researchers documented cloud-targeted malware used by the Rocke Group to conduct cryptojacking attacks to mine for Monero. Since then, cybersecurity companies have had the malware on their radar, which hampered Rocke Group’s cryptojacking operation. In response, the threat actors updated the malware. Here, we uncover a revised version of the same cloud-targeted ...