Everyone’s getting hacked except Mimikatz
Telecoms companies in the Middle East are increasingly being broken into by hackers, reports cyber-crime trade mag The Hacker. These are no amateurs, however. Once they have found a way in, they set themselves up for long-term exploitation, say researchers, who identified reconnaissance, credential theft, lateral movement and data exfiltration activity. The findings come as other hacking groups, including BackdoorDiplomacy and WIP26, have targeted telecom service providers in the Middle East region.
“Chinese cyber espionage threat actors are known to have a strategic interest in the Middle East,” according to a new technical report issued by researchers from security firms SentinelOne and QGroup. “These threat actors will almost certainly continue exploring and upgrading their tools with new techniques for evading detection, including integrating and modifying publicly available code.” The first quarter of this year has seen an alarming surge in cyber attacks, said the exposé. The wave of break-ins was attributed, on the basis of tooling overlaps, to a Chinese cyber espionage actor associated with a long-running campaign dubbed Operation Soft Cell.
Operation Soft Cell, according to Cybereason, refers to malicious activities undertaken by China-affiliated actors targeting comms service providers since at least 2012. The initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy web shells used for command execution. The Soft Cell threat actor, also tracked by Microsoft as Gallium, is known to target unpatched internet-facing services and use tools like Mimikatz to obtain credentials that allow lateral movement across the targeted networks.
The cyber criminals are thought to be professionals since they use a “hard-to-detect” backdoor codenamed PingPull (see picture) in their espionage attacks directed against companies operating in Southeast Asia, Europe, Africa and the Middle East. Central to the latest campaign is the use of a custom variant of Mimikatz referred to as mim221, which packs in new anti-detection features.
“The use of special-purpose modules that implement a range of advanced techniques shows the threat actors’ dedication to advancing its toolset towards maximum stealth,” said SentinelOne. This is a chilling reminder of the potency of state-sponsored hacking, with its formalised, continuous maintenance and constant development of an espionage malware arsenal.
Prior research into Gallium suggests tactical similarities [PDF] with multiple Chinese nation-state groups such as APT10 (aka Bronze Riverside, Potassium, or Stone Panda), APT27 (aka Bronze Union, Emissary Panda, or Lucky Mouse), and APT41 (aka Barium, Bronze Atlas, or Wicked Panda). “This once again points to signs of closed-source tool-sharing between Chinese state-sponsored threat actors, not to mention the possibility of a digital quartermaster responsible for maintaining and distributing the toolset,” said The Hacker.