Telecom operators targeted in recent espionage hacking campaign

Researchers have spotted a new espionage hacking campaign targeting telecommunication and IT service providers in the Middle East and Asia.

The campaign has been conducted over the past six months, and there are tentative links to the Iranian-backed actor, MERCURY (aka MuddyWater, SeedWorm, or TEMP.Zagros).

The report comes from the Threat Hunter Team at Symantec, who has collected evidence and toolset samples from recent attacks in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos.

Targeting Exchange servers

The attackers appear to be most interested in vulnerable Exchange Servers, which they use for web shell deployment.

After the initial breach, they steal account credentials and move laterally in the corporate network. In some cases, they use their foothold to pivot to other connected organizations.

Although the infection vector is unknown, Symantec was able to find a case of a ZIP file named "Special discount program.zip," which contained an installer for a remote desktop software application.

As such, the threat actors may be distributing spear-phishing emails to specific targets.

Tools and methods

The first sign of compromise by the threat actors is typically the creation of a Windows service to launch a Windows Script File (WSF) that performs reconnaissance on the network.

Next, PowerShell is used to download more WSFs, and Certutil is used to download tunneling tools and run WMI queries.

"Based on process lineage data, attackers seemed to use scripts extensively. These may be automated scripts used for collecting information and downloading additional tools," explains Symantec's report.

"However, in one instance, a command asks cURL for help, suggesting that there may have been at least some hands-on-keyboard activity on the part of the attackers."

Having established their presence on the target organization, the actors use the eHorus remote access tool, which enables them to do the following:

1. Deliver and run a (suspected) Local Security Authority Subsystem Service (LSASS) dumping tool.
2. Deliver (what are believed to be) Ligolo tunneling tools.
3. Execute Certutil to request a URL from Exchange Web Services (EWS) of (what appears to be) other targeted organizations.

To pivot to other telcos, the actors look for potential Exchange Web Services links and use the following commands for this purpose:

certutil.exe -urlcache –split [DASH]f hxxps://[REDACTED]/ews/exchange[.]asmx
certutil.exe -urlcache -split [DASH]f hxxps://webmail.[REDACTED][.]com/ews

The full list with the toolset used by the particular actor is given below:

• ScreenConnect: Legitimate remote administration tool
• RemoteUtilities: Legitimate remote administration tool
• eHorus: Legitimate remote administration tool
• Ligolo: Reverse tunneling tool
• Hidec: Command line tool for running a hidden window
• Nping: Packet generation tool
• LSASS Dumper: Tool that dumps credentials from Local Security Authority Subsystem Service (LSASS) process
• SharpChisel: Tunneling tool
• Password Dumper
• CrackMapExec: Publicly available tool that is used to automate security assessment of an Active Directory environment
• ProcDump: Microsoft Sysinternals tool for monitoring an application for CPU spikes and generating crash dumps, but which can also be used as a general process dump utility
• SOCKS5 proxy server: Tunneling tool
• Keylogger: Retrieves browser credentials
• Mimikatz: Publicly available credential dumping tool

Most of these tools are publicly available tools commonly used by offensive security teams, so they may not trigger alarms in organizations.

Links to MuddyWater

Even though the attribution isn't definitive, Symantec logged two IP addresses that overlap with infrastructure used in older MuddyWater attacks.

Moreover, the toolset features several similarities to March 2021 attacks reported by Trend Micro researchers.

Still, many Iranian state-supported actors use off-the-shelf tools and regularly switch infrastructure, and as such, no conclusive attribution can be made at this time.