An expert team from the Cyberreason(CyberSecurity firm) has come across a new threat actors based out of china targeting the telecommunication sector in Southeast Asia via the three different clusters of attack.
Based on the experts analysis, the major objective of the attackers seems to maintain persistence in Telecommunication companies network for espionage activities to collect sensitive information such as Call Detail Record(CDR), Domain controllers, Exchange servers, etc.
Below picture depicts basic kill chain techniques used by the three cluster of attackers.
“The threat actors exploited recently disclosed vulnerabilities in Microsoft Exchange Servers to gain access to the targeted networks. They then proceeded to compromise critical network assets such as Domain Controllers (DC) and billing systems which contain highly sensitive information like Call Detail Record (CDR) data, allowing them access to the sensitive communications of anyone using the affected telecoms’ services. “ reads the blog post.
Experts also believe that 3 distint clusters have links between APT groups such as Soft Cell, Naikon, and Group 3390 which are suspected to operating on favor of Chinese government . Additionally, experts also observed the similarities on their TTPs between these clusters focused majorly on Telecommunication industries.
Cluster A: “It appears that the attackers gained initial access to the network by exploiting several vulnerabilities in Microsoft Exchange servers, including the recent set of vulnerabilities published by Microsoft in March 2021. It is noteworthy to mention that it appears the attackers had exploited the recent Microsoft Exchange vulnerabilities long before they became publicly known” reads the blog post.
Cluster B: During the initial investigation, the experts observed the usage of Nebulae backdoor which was previously attributed to Naikon group. Attackers were also observed to be using custom keylogger named “EnrollLoger” on high profile victims in the motive of harvesting their credentials.
Cluster C: Experts observed that the threat actors from cluster c are using the multiple instances of OWA instances for harvesting the credentials to access the telecommunication industries environment stealthily.
CyberWorkx news readers can find the IOC’s of this threat actor campaign from this link.
–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1