This week’s top cybersecurity and dark web news stories cover the Nimbus Manticore spear-phishing campaign, Akira ransomware’s MFA bypass against SonicWall VPNs, and the SIM-server network that threatened New York’s cell networks.
Iranian Threat Actor “Nimbus Manticore” Expands Operations Across Europe
Check Point Research has uncovered an ongoing and highly sophisticated cyber campaign linked to the Iranian threat actor known as Nimbus Manticore. Also tracked as UNC1549, Smoke Sandstorm, and associated with the so-called “Iranian Dream Job” operations, the group has intensified its focus on key European sectors.
The campaign is aimed at defense manufacturing, telecommunications, and aviation, industries that align closely with the strategic objectives of the Islamic Revolutionary Guard Corps (IRGC). Recent activity highlights a growing emphasis on Western Europe with particular attention to Denmark, Sweden, and Portugal.
Nimbus Manticore relies heavily on tailored spear-phishing campaigns, often impersonating HR recruiters. Victims are lured to fake career portals, each with a unique URL and its own login credentials, which gives the operators a layer of operational security (only the intended target can reach the payload) as well as credibility with the victim. The fraudulent websites impersonate well-known brands, including Boeing, Airbus, Rheinmetall, and flydubai, and are typically hosted on domains placed behind Cloudflare to obscure the underlying infrastructure.
The infection chain begins with a malicious archive disguised as legitimate hiring software. Once opened, it triggers a multi-stage DLL sideloading process: the malware abuses undocumented low-level Windows APIs to manipulate the DLL search order, so that a legitimate, trusted executable loads the attacker’s DLL in place of the library it expected. Because the code then runs inside a legitimate process, it inherits that process’s reputation and is harder for process- and signature-based controls to spot.
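A quick triage check for the classic form of this technique, added here as an example and not code from Check Point or the campaign itself: when an archive is extracted, list its contents and flag any DLL that sits in the same directory as an executable, scoring highest when the DLL’s name shadows a Windows system library the executable would normally resolve from System32. The file listing and the short list of commonly sideloaded DLL names are constructed for this example and are not indicators from the report; note too that this heuristic only catches same-directory planting, whereas the page describes an actor that manipulates the search order itself.

```python
import posixpath
from collections import defaultdict

# Names of Windows system DLLs that are frequently planted beside a signed,
# legitimate executable so the loader picks the planted copy before the one
# in System32. Illustrative selection for this example, not an exhaustive
# catalogue (assumption).
COMMONLY_SIDELOADED = {
    "version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll",
    "wininet.dll", "winhttp.dll", "msimg32.dll", "dwmapi.dll",
    "profapi.dll", "wtsapi32.dll", "uxtheme.dll",
}

# Constructed listing of an extracted "recruitment" archive. The file names
# are invented for this example and are not taken from the reported campaign.
SAMPLE_LISTING = [
    "Careers_Portal/Application_Form.pdf",
    "Careers_Portal/setup.exe",
    "Careers_Portal/version.dll",
    "Careers_Portal/plugins/render.dll",
    "Careers_Portal/plugins/readme.txt",
]


def find_sideload_candidates(paths):
    """Group files by directory and flag DLLs that sit beside an executable.

    Returns a list of dicts with keys exe, dll, severity. A DLL whose name
    shadows a well-known system DLL is 'high'; any other DLL co-located with
    an executable is 'review', since a planted DLL can also carry the name of
    a private dependency the executable imports.
    """
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    for p in paths:
        directory, name = posixpath.split(p.replace("\\", "/"))
        lower = name.lower()
        if lower.endswith(".exe"):
            by_dir[directory]["exe"].append(name)
        elif lower.endswith(".dll"):
            by_dir[directory]["dll"].append(name)

    findings = []
    for directory, files in by_dir.items():
        if not files["exe"]:
            continue  # a DLL with nothing in the same directory to load it
        for exe in files["exe"]:
            for dll in files["dll"]:
                severity = "high" if dll.lower() in COMMONLY_SIDELOADED else "review"
                findings.append({
                    "exe": posixpath.join(directory, exe),
                    "dll": posixpath.join(directory, dll),
                    "severity": severity,
                })
    return findings


if __name__ == "__main__":
    for f in find_sideload_candidates(SAMPLE_LISTING):
        print(f"[{f['severity']}] {f['exe']} may sideload {f['dll']}")
```

Run against the constructed listing, the check reports `setup.exe` next to `version.dll` as a high-severity candidate and ignores `plugins/render.dll`, which has no executable beside it. In practice the next step is to confirm whether the executable is a signed, legitimate binary and whether the DLL beside it is signed by the same publisher.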
Nimbus Manticore’s operations reflect a well-resourced nation-state actor, emphasizing stealth, persistence, and operational security across every stage of the attack chain. The expansion into Europe, particularly targeting telecommunications, aerospace, defense, satellite, and airline sectors, underscores the IRGC’s long-term interest in intelligence gathering and strategic disruption.
Akira Ransomware Actors Bypass MFA in SonicWall VPN Attacks
The Akira ransomware gang is continuing to exploit SonicWall SSL VPN devices, with new evidence suggesting that attackers can log in even when one-time password (OTP) multi-factor authentication (MFA) is enabled.
Cybersecurity researchers warn that the tactic could be tied to previously stolen OTP seeds, though the exact method remains unconfirmed.
In July, reports surfaced that Akira affiliates were targeting SonicWall SSL VPN devices, sparking speculation of a new zero-day vulnerability. SonicWall later attributed the attacks to CVE-2024-40766, an improper access control flaw disclosed in September 2024 but patched the previous month.
While the patch closed the vulnerability, many organizations failed to reset VPN credentials afterwards. As a result, attackers have continued to use credentials stolen prior to patching, allowing them to maintain persistent access. Applying the update alone does not evict an attacker who already holds valid credentials; local user passwords must be rotated once the device is patched.
Additional research observed threat actors successfully authenticating into accounts despite OTP MFA being enabled. Login attempts triggered multiple OTP challenges before access was granted, a strong indicator that attackers may have compromised OTP seeds or developed a method to generate valid tokens. If seeds were exposed, rotating passwords is not enough: affected users need their MFA tokens re-enrolled so that new seeds are issued.
This mirrors activity reported by Google Threat Intelligence Group in July, which described a financially motivated group, tracked as UNC6148, using stolen OTP seeds to compromise SonicWall Secure Mobile Access (SMA) 100 appliances, even after security updates were applied.
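The indicator described above, a successful login preceded by several OTP prompts in quick succession, is straightforward to hunt for in authentication logs. The following is an added example, not code from the cited researchers or from SonicWall: it parses a constructed, hypothetical key=value log format (not SonicWall’s real syslog syntax) and flags any (user, source) pair that received more than a configurable number of OTP challenges within a time window before a success. Sample lines and addresses are invented for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical key=value format invented for this
# example; it is not SonicWall's real log syntax. Addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-09-22T03:14:01Z user=jdoe src=203.0.113.45 event=OTP_CHALLENGE
2025-09-22T03:14:20Z user=jdoe src=203.0.113.45 event=OTP_CHALLENGE
2025-09-22T03:14:41Z user=jdoe src=203.0.113.45 event=OTP_CHALLENGE
2025-09-22T03:15:02Z user=jdoe src=203.0.113.45 event=LOGIN_SUCCESS
2025-09-22T08:02:10Z user=asmith src=198.51.100.7 event=OTP_CHALLENGE
2025-09-22T08:02:30Z user=asmith src=198.51.100.7 event=LOGIN_SUCCESS
2025-09-22T09:40:00Z user=bkhan src=192.0.2.9 event=OTP_CHALLENGE
2025-09-22T09:40:25Z user=bkhan src=192.0.2.9 event=OTP_CHALLENGE
2025-09-22T09:41:00Z user=bkhan src=192.0.2.9 event=LOGIN_FAILURE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, user, src, event) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], m["src"], m["event"]


def flag_repeated_otp(text, max_challenges=1, window=timedelta(minutes=5)):
    """Flag successful logins preceded by more than max_challenges OTP prompts.

    Prompts are tracked per (user, src), and only those inside `window` before
    the success are counted, so an unrelated prompt hours earlier does not
    inflate the tally. A failed session clears its prompts: repeated prompts
    that end in failure are the normal case for someone without a valid code.
    """
    pending = defaultdict(list)  # (user, src) -> timestamps of OTP prompts
    findings = []
    for ts, user, src, event in parse_log(text):
        key = (user, src)
        if event == "OTP_CHALLENGE":
            pending[key].append(ts)
        elif event == "LOGIN_SUCCESS":
            recent = [t for t in pending.pop(key, []) if ts - t <= window]
            if len(recent) > max_challenges:
                findings.append({
                    "user": user,
                    "src": src,
                    "challenges": len(recent),
                    "success_at": ts,
                })
        elif event == "LOGIN_FAILURE":
            pending.pop(key, None)
    return findings


if __name__ == "__main__":
    for f in flag_repeated_otp(SAMPLE_LOG):
        print(f"{f['user']} from {f['src']}: {f['challenges']} OTP prompts "
              f"before success at {f['success_at']:%Y-%m-%dT%H:%M:%SZ}")
```

On the sample, only `jdoe` is flagged (three prompts in about a minute, then success); `asmith` had the single prompt a normal login produces, and `bkhan`’s repeated prompts ended in failure. Hits should be cross-checked against the source address, the time of day, and whether the account’s password was rotated after the device was patched.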
Secret Service Dismantles Massive SIM Network Capable of Crippling NYC Telecoms
Federal agents have uncovered an illegal electronic device network in New York capable of jamming 911 calls and taking down cell towers just days before world leaders arrived in Manhattan for the UN General Assembly.
The discovery by the U.S. Secret Service revealed more than 300 SIM servers and 100,000 SIM cards hidden across multiple sites within 35 miles of the United Nations headquarters.
“The potential for disruption to our country’s telecommunications posed by this network of devices cannot be overstated,” said Secret Service Director Sean Curran.
Investigators say the setup could have launched a large-scale telecommunications attack, including flooding networks with up to 30 million text messages per minute, potentially overwhelming critical systems. Officials have warned that such a capability could have had catastrophic consequences if triggered during a high-profile event like the UN summit.
Matt McCool, special agent in charge of the Secret Service’s New York field office, said: “It can take down cell towers, so then no longer can people communicate. If you coupled that with some sort of other event associated with UNGA…it could be catastrophic to the city.”
While investigators have not linked the devices to an active plot, they are examining whether the operation has ties to a foreign government. Some experts believe espionage is likely.
The New York operation is part of a broader federal probe that began in the spring after telecom-related threats were made against senior US officials. Similar device caches have been found in California and the Midwest in recent weeks.
When agents raided the New York location, they found rows of servers and shelves stacked with SIM cards, including thousands already activated and many more awaiting deployment.
Officials emphasized there is no current threat to New York, but warned that the hidden network could have crippled communications on a scale not seen since the cellular blackouts after 9/11.