25 June 2019

Chinese hackers hit 10 major global telcos in a large-scale cyber espionage campaign


At least 10 major telecommunications companies operating all over the world have become victims of a massive cyber espionage campaign involving the theft of call records from hacked cell network providers to conduct targeted surveillance on individuals of interest. The campaign, dubbed “Operation Softcell”, has been uncovered by cybersecurity outfit Cybereason while investigating a breach of the network of a new telco customer. Based on the tools and TTPs (Tactics, Techniques, and Procedures) used in the attacks, the security research firm believes that “Operation Softcell” is the work of the Chinese hacking group APT10 (or a threat actor that shares, or wishes to emulate, its methods by using the same tools and techniques).

According to Cybereason’s extensive report, the hackers penetrated and, for at least two years, occupied the networks of about 10 cellular providers in Africa, Europe, the Middle East and Asia, obtaining massive amounts of call records, including times and dates of calls and their cell-based locations. The threat actor was attempting to steal all data stored in Active Directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.

The attackers had extracted over 100GB of data from the primary telco assessed, and were using their access to so-called Call Detail Records (CDRs) to track the movements and interactions of high-profile individuals from various countries.

“The attack began with a web shell running on a vulnerable, publicly-facing server, from which the attackers gathered information about the network and propagated across the network. The threat actor attempted to compromise critical assets, such as database servers, billing servers, and the active directory,” said the researchers. While the first attempt to compromise the target network was unsuccessful, the hackers resumed their attacks 2 more times over a 4-month period.

The initial indicator of the attack was a malicious web shell detected on an IIS (Internet Information Services) server, running under the w3wp.exe (IIS worker) process. This web shell is a modified version of the China Chopper web shell, which has previously been seen in attacks conducted by several hacking groups. In this particular campaign China Chopper was used to run reconnaissance commands and steal credentials using a range of tools. One of the reconnaissance commands ran a modified nbtscan tool (“NetBIOS nameserver scanner”) to identify available NetBIOS name servers locally or over the network. Nbtscan was used by APT10 in “Operation Cloud Hopper” to search for services of interest across the IT estate and footprint endpoints of interest. It is also capable of identifying system information.

The next stage of the attack involved a modified version (maybemimi.exe) of Mimikatz, a tool that dumps passwords, hashes and PINs from memory.

Another tool used was the Poison Ivy RAT. It used a DLL side-loading technique to stealthily load itself into memory by abusing a trusted and signed Samsung tool (RunHelp.exe). The RAT was used to maintain access across the compromised assets.

In later stages of the attack, the threat actor deployed two other custom-built web shells to launch reconnaissance commands, steal data, and download additional tools, including portqry.exe, renamed cmd.exe, winrar, and the notorious hTran.

“Once the threat actor mapped the network and obtained credentials, they began to move laterally. They were able to compromise critical assets including production servers and database servers, and they even managed to gain full control of the Domain Controller. The threat actor relied on WMI and PsExec to move laterally and install their tools across multiple assets,” added the researchers.
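The chain described above (a web shell running under the IIS worker process w3wp.exe, a renamed cmd.exe and known tools such as nbtscan and maybemimi.exe, and lateral movement over WMI and PsExec) can be turned into simple host-based detection logic. The following is an added example written for this article, not code from Cybereason or the report; it runs over constructed Sysmon-style process-creation events, and the IIS child-process baseline is an assumption to tune per environment.

```python
# Added example (hypothetical detection logic, not Cybereason's or the article's code).
# Flags process-creation events matching the Operation Softcell chain described above.
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent: str     # parent image file name
    image: str      # child image file name
    orig_name: str  # OriginalFileName from the PE version resource (Sysmon Event ID 1)
    cmdline: str


# Tools named in the article; "mimikatz.exe" is the stock Mimikatz original file name.
KNOWN_TOOLS = {"nbtscan.exe", "maybemimi.exe", "mimikatz.exe", "portqry.exe", "rar.exe", "htran.exe"}
# Children an ASP.NET worker legitimately spawns (assumed baseline, tune per environment).
IIS_BASELINE = {"csc.exe", "vbc.exe", "cvtres.exe", "conhost.exe"}
# Service hosts that execute remote WMI and PsExec commands.
LATERAL_HOSTS = {"wmiprvse.exe": "wmi_lateral_movement", "psexesvc.exe": "psexec_lateral_movement"}


def triage(events):
    """Return one (host, rule, image) finding per suspicious event, in input order."""
    findings = []
    for e in events:
        parent, image, orig = e.parent.lower(), e.image.lower(), e.orig_name.lower()
        if parent == "w3wp.exe" and image not in IIS_BASELINE:
            if image in KNOWN_TOOLS or orig in KNOWN_TOOLS:
                rule = "webshell_known_tool"
            elif orig in {"cmd.exe", "powershell.exe"} and image != orig:
                rule = "webshell_renamed_shell"   # renamed cmd.exe, as in the article
            else:
                rule = "webshell_child_process"   # any other child of the IIS worker
            findings.append((e.host, rule, e.image))
        elif parent in LATERAL_HOSTS:
            findings.append((e.host, LATERAL_HOSTS[parent], e.image))
    return findings


# Constructed sample events for a stand-alone run (not real telemetry).
SAMPLE = [
    ProcEvent("iis01", "w3wp.exe", "cmd.exe", "Cmd.Exe", "cmd.exe /c whoami"),
    ProcEvent("iis01", "w3wp.exe", "csc.exe", "csc.exe", "csc.exe /noconfig /t:library"),
    ProcEvent("iis01", "w3wp.exe", "svchost.exe", "Cmd.Exe", "svchost.exe /c ipconfig /all"),
    ProcEvent("iis01", "w3wp.exe", "nbtscan.exe", "nbtscan.exe", "nbtscan.exe 10.0.0.0/24"),
    ProcEvent("ws07", "explorer.exe", "cmd.exe", "Cmd.Exe", "cmd.exe"),
    ProcEvent("db02", "wmiprvse.exe", "cmd.exe", "Cmd.Exe", "cmd.exe /c maybemimi.exe"),
    ProcEvent("dc01", "psexesvc.exe", "maybemimi.exe", "mimikatz.exe", "maybemimi.exe"),
]

if __name__ == "__main__":
    for host, rule, image in triage(SAMPLE):
        print(f"{host}: {rule} ({image})")
```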
