Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor’s malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
Read more…
Source: Mandiant/GTG
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Ransomware gang demands $7.5 million from Argentinian ISP
July 20, 2020
A ransomware gang has infected the internal network of Telecom Argentina, one of the country’s largest internet service providers, and is now asking for a $7.5 million ransom demand to unlock encrypted files. The incident took place over the weekend, on Saturday, July 18, and is considered one of Argentina’s biggest hacks. Sources inside the ISP said ...
- Emotet-TrickBot malware duo is back infecting Windows machines
July 20, 2020
After awakening last week and starting to send spam worldwide, Emotet is now once again installing the TrickBot trojan on infected Windows computers. On July 17th, 2020, after over five months of inactivity, the Emotet Trojan woke up and started massive spam campaigns pretending to be payment reports, invoices, shipping information, and employment opportunities. These spam emails ...
- Windows 10 Store ‘wsreset’ tool lets attackers bypass antivirus
July 20, 2020
A technique that exploits Windows 10 Microsoft Store called ‘wsreset.exe’ can delete bypass antivirus protection on a host without being detected. Wsreset.exe is a legitimate troubleshooting tool that lets users diagnose problems with the Windows Store and reset its cache. Pentester and researcher Daniel Gebert has discovered that wsreset.exe can be abused to delete arbitrary files. As wsreset.exe ...
- Twitter Hack Update: What We Know (and What We Don’t)
July 17, 2020
Earlier this week, Twitter locked down thousands of verified accounts, including the accounts of Joe Biden, Bill Gates, Elon Musk, Apple, Uber and others, after it became clear that hackers had been able to compromise them. The tip-off? Suddenly these high-profile accounts were all tweeting out identical links to a cryptocurrency scam. But what exactly happened? ...
- Thousands of Vulnerable F5 BIG-IP Users Still Open to Takeover
July 17, 2020
About 8,000 users of F5 Networks’ BIG-IP family of networking devices are still vulnerable to full system access and remote code-execution (RCE), despite a patch for a critical flaw being available for two weeks. The BIG-IP family consists of application delivery controllers, Local Traffic Managers (LTMs) and domain name system (DNS) managers, together offering built-in security, ...
- Emotet spam trojan surges back to life after 5 months of silence
July 17, 2020
After months of inactivity, the notorious Emotet spamming trojan has come alive again as it spews out a massive campaign of malicious emails targeting users worldwide. Emotet is a malware infection that spreads through spam emails containing malicious Word or Excel documents. These documents utilize macros to download and install the Emotet Trojan on a victim’s ...