Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Security researcher discloses Safari bug after Apple delays patch
August 25, 2020
A security researcher has published details today about a Safari browser bug that could be abused to leak or steal files from users’ devices. The bug was discovered by Pawel Wylecial, co-founder of Polish security firm REDTEAM.PL. Wylecial initially reported the bug to Apple earlier this spring, in April, but the researcher decided to go public with ...
- Lazarus group strikes cryptocurrency firm through LinkedIn job adverts
August 25, 2020
The Lazarus group is on the hunt for cryptocurrency once more and has now launched a targeted attack against a crypto organization by exploiting the human element of the corporate chain. On Tuesday, cybersecurity researchers from F-Secure said the cryptocurrency organization is one of the latest victims in a global campaign which has targeted businesses in ...
- Conti (Ryuk) joins the ranks of ransomware gangs operating data leak sites
August 25, 2020
It has now become a mainstream tactic for big ransomware groups to create so-called “leak sites” where they upload and leak sensitive documents from companies who refuse to pay the ransomware decryption fee. These “leak sites” are part of a new trend forming on the cybercriminal underground where ransomware groups are adopting a new tactic called ...
- Brute-force cyberattacks on the rise in Brazil
August 24, 2020
Brazil has seen a spike in brute-force cyberattacks driven by the increase in remote working, according to a new report on security threats in the first six months of 2020. More than 2.6 billion attempts at cyber attacks have been recorded by cybersecurity firm Fortinet from January to June, out of a total of 15 billion ...
- Group of unskilled Iranian hackers behind recent attacks with Dharma ransomware
August 24, 2020
Cyber-security firm Group-IB says it identified a group of low-skilled hackers operating out of Iran that has been launching attacks against companies in Asia and attempting to encrypt their networks with a version of the Dharma ransomware. The attacks have targeted companies located in Russia, Japan, China, and India, according to a report Group-IB researchers published ...
- Lifting the veil on DeathStalker, a mercenary triumvirate
August 24, 2020
State-sponsored threat actors and sophisticated attacks are often in the spotlight. Indeed, their innovative techniques, advanced malware platforms and 0-day exploit chains capture our collective imagination. Yet these groups still aren’t likely to be a part of the risk model at most companies, nor should they be. Businesses today are faced with an array of much ...