
China Based Hackers Attack Telco With New Malware


A China-based advanced persistent threat actor tracked as UAT-9244 has been attacking telecommunications service providers in South America since 2024. The threat actor targets Linux, Windows, and network-edge devices.

Cisco Talos researchers said that the actor is related to the Tropic Trooper and FamousSparrow groups, but it is tracked as a separate activity cluster.

According to the researchers, UAT-9244 shares the same victim profile as Salt Typhoon, but they have not found a link between the two activity clusters.

New malware attacking telco networks

The researchers found that the campaign used three previously unknown malware families: PeerTime, a Linux backdoor that uses BitTorrent; TernDoor, a Windows backdoor; and BruteEntry, a brute-force scanner that builds operational relay box (ORB) proxy infrastructure.

About TernDoor

TernDoor is installed via DLL side-loading: the legitimate executable wsprint.exe loads malicious code from BugSplatRc64.dll, which decodes and runs the final payload in memory, injected into msiexec.exe.

The malware includes an embedded Windows driver, WSPrint.sys, which is used for terminating, suspending, and resuming processes.

Persistence is established through Windows Registry modifications and a scheduled task; the registry modifications also hide the scheduled task. In addition, TernDoor runs commands through a remote shell, executes arbitrary processes, collects system information, reads and writes files, and can delete itself.
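The loading chain above (a legitimate executable pulling an unsigned DLL from its own directory, then spawning msiexec.exe as an injection target) is the kind of behaviour endpoint telemetry can flag without knowing the malware by name. The following detection logic is an added example, not Cisco Talos's code; the event records are constructed and only loosely modelled on Sysmon image-load and process-create events, and the system-directory list and file paths are assumptions.

```python
"""Detection logic added as an example; it is not Cisco Talos's code and the
telemetry records below are constructed, loosely modelled on Sysmon image-load
and process-create events."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ImageLoad:
    process: str   # full path of the process that loaded the DLL
    image: str     # full path of the loaded DLL
    signed: bool   # True if the DLL carried a valid Authenticode signature


@dataclass(frozen=True)
class ProcessCreate:
    parent_image: str
    image: str


# Assumption: system DLLs are expected to come from these directories; a DLL
# loaded from anywhere else, sitting beside its host EXE, is a side-load candidate.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")


def _norm(path: str) -> str:
    """Case-fold and normalise separators so paths compare reliably."""
    return str(PureWindowsPath(path)).lower()


def _under(path: str, root: str) -> bool:
    return _norm(path).startswith(_norm(root).rstrip("\\") + "\\")


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Unsigned DLL loaded from the host executable's own directory, outside the
    Windows system directories: the shape of the wsprint.exe / BugSplatRc64.dll
    chain described above."""
    proc_dir = str(PureWindowsPath(_norm(ev.process)).parent)
    dll_dir = str(PureWindowsPath(_norm(ev.image)).parent)
    in_system = any(_under(ev.image, d) for d in SYSTEM_DIRS)
    return proc_dir == dll_dir and not in_system and not ev.signed


def detect_chain(loads, creates):
    """Return alerts for side-load candidates and for any of those host
    processes spawning msiexec.exe, the injection target named in the write-up."""
    alerts = []
    hosts = set()
    for ev in loads:
        if is_sideload_candidate(ev):
            hosts.add(_norm(ev.process))
            alerts.append(f"sideload: {ev.process} loaded unsigned {ev.image}")
    for ev in creates:
        child = PureWindowsPath(_norm(ev.image)).name
        if _norm(ev.parent_image) in hosts and child == "msiexec.exe":
            alerts.append(f"inject-host: {ev.parent_image} spawned {ev.image}")
    return alerts


# Constructed sample telemetry (paths are illustrative, not from the report).
SAMPLE_LOADS = [
    ImageLoad(r"C:\Users\Public\wsprint.exe", r"C:\Users\Public\BugSplatRc64.dll", signed=False),
    ImageLoad(r"C:\Users\Public\wsprint.exe", r"C:\Windows\System32\kernel32.dll", signed=True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll", signed=True),
]
SAMPLE_CREATES = [
    ProcessCreate(r"C:\Users\Public\wsprint.exe", r"C:\Windows\System32\msiexec.exe"),
    ProcessCreate(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_LOADS, SAMPLE_CREATES):
        print(alert)
```

The rule keys on behaviour (an unsigned DLL beside a host EXE outside the system directories, followed by that host starting msiexec.exe) rather than on the file names wsprint.exe or BugSplatRc64.dll, so a renamed loader pair still trips it; a vendor application loading its own signed DLL from its install directory does not.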

About PeerTime

PeerTime is an ELF Linux backdoor built for several architectures (MIPS, ARM, AARCH, PPC), which suggests it was designed to target a wide range of embedded systems and network devices.

Cisco Talos found two variants of PeerTime: the first is written in C/C++ and the second in Rust. The researchers also found a Simplified Chinese debug string inside the instrumentor binary, which hints at its origin. The payload is decoded and installed in memory, and its process is renamed to look legitimate.

About BruteEntry

Lastly, there is BruteEntry, which consists of a brute-forcing component and a Go-based instrumentor binary. Its function is to turn compromised devices into Operational Relay Boxes (ORBs), which serve as scanning nodes.

The attacker brute-forces SSH, PostgreSQL, and Tomcat logins from workstations running BruteEntry to find new targets. The C2 server receives the results of each login attempt along with the task status and notes.
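From the defender's side, the scanning described above shows up as bursts of authentication failures from one source, sometimes followed by a success once a credential lands. The detector below is an added example (not BruteEntry, not Talos code) that runs a sliding window over sshd log lines; the log lines are constructed, use RFC 5737 test addresses, and the threshold and window values are assumptions.

```python
"""Added example of brute-force detection over sshd log lines; not BruteEntry
and not Talos code. The log lines are constructed and use RFC 5737 test
addresses."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the two sshd outcomes we care about; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_line(line):
    """Return (timestamp, success, user, ip) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    return ts, m["result"] == "Accepted", m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window detector. Emits ("bruteforce", ip, user) once an IP reaches
    `threshold` failures inside `window_s` seconds, and ("compromise", ip, user)
    if a success follows such a burst (a credential guessed, not merely tried)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = set()               # IPs already reported as brute-forcing
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, success, user, ip = ev
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # expire failures older than the window
        if success:
            if len(q) >= threshold:
                alerts.append(("compromise", ip, user))
            q.clear()
        else:
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, user))
    return alerts


# Constructed sample log: one scanning source that eventually succeeds, and one
# ordinary user who mistypes a password once.
SAMPLE_LOG = """\
Mar  3 10:00:01 edge1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 10:00:04 edge1 sshd[2101]: Failed password for invalid user oracle from 203.0.113.7 port 51014 ssh2
Mar  3 10:00:09 edge1 sshd[2101]: Failed password for root from 203.0.113.7 port 51020 ssh2
Mar  3 10:00:13 edge1 sshd[2101]: Failed password for svc from 203.0.113.7 port 51025 ssh2
Mar  3 10:00:18 edge1 sshd[2101]: Failed password for svc from 203.0.113.7 port 51031 ssh2
Mar  3 10:00:20 edge1 sshd[2144]: Failed password for alice from 198.51.100.9 port 40022 ssh2
Mar  3 10:00:25 edge1 sshd[2101]: Accepted password for svc from 203.0.113.7 port 51040 ssh2
Mar  3 10:00:30 edge1 sshd[2144]: Accepted password for alice from 198.51.100.9 port 40023 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The same window logic applies to the other services named in the write-up; only `LINE_RE` changes to match PostgreSQL's "password authentication failed" entries or Tomcat's access-log 401 lines. Alerting on the success-after-burst case separately matters because that is the event that turns a scan into an account compromise.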

Telco Penalized €9 Million for Obscuring Cyberattack Impact from Customers

The Greek data protection authority fined COSMOTE 5,850,000 EUR ($6.55 million) and OTE 3,250,000 EUR ($3.65 million) for exposing sensitive customer data in a cyberattack.

According to the authority, COSMOTE violated at least eight articles of the GDPR, including its obligation to inform affected customers of the full consequences of the incident.

COSMOTE and OTE (Hellenic Telecommunications Organization) are both part of the OTE Group, Greece's largest technology company, which provides fixed and mobile telephony, broadband, and network communication services.

COSMOTE launched an internal investigation in 2020 and discovered that a hacker had used LinkedIn to social-engineer one of its employees and then used brute-forcing techniques to obtain the target's account credentials. According to the investigation's findings, the attacker repeatedly used a Lithuanian IP address to access one of OTE's servers. On five consecutive occasions, the threat actor used the account credentials to extract database files; the stolen data was 48GB in size.

COSMOTE keeps call details on its servers for 90 days for service quality assurance and for a further 12 months for statistical analysis that supports targeted service improvements. The data protection authority's investigation found that the anonymization process was not carried out effectively and that the retention periods were not fully adhered to.
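The two findings in the paragraph above (identifiable data surviving past the 90-day window, and data held past the total retention period) are both checkable mechanically. The audit below is an added illustration of such a control, not COSMOTE's or the regulator's code; the rows are constructed, the identifier field names are taken from the breach details listed further down, and treating "12 months" as 365 days is an assumption.

```python
"""Added retention/anonymization audit; an illustration of the controls the
DPA found lacking, not COSMOTE's or the regulator's code. Rows are constructed."""
from datetime import datetime, timedelta

# Retention windows as stated in the write-up; "12 months" taken as 365 days (assumption).
RAW_RETENTION = timedelta(days=90)
STATS_RETENTION = timedelta(days=365)
# Fields that identify a subscriber or device directly (names from the breach details).
DIRECT_IDS = ("msisdn", "imei", "imsi", "cli")


def anonymize(row):
    """Strip direct identifiers; keep the statistical fields (age, gender, plan, cell)."""
    return {k: v for k, v in row.items() if k not in DIRECT_IDS}


def audit(rows, now):
    """Return (reason, row_id) for every row that breaks the policy: past 90 days
    but still identifiable, or past 90 days + 12 months but still stored."""
    violations = []
    for row in rows:
        age = now - row["ts"]
        if age > RAW_RETENTION + STATS_RETENTION:
            violations.append(("expired", row["id"]))
        elif age > RAW_RETENTION and any(row.get(k) for k in DIRECT_IDS):
            violations.append(("not_anonymized", row["id"]))
    return violations


def enforce(rows, now):
    """Apply the policy: drop expired rows, anonymize rows past the raw window,
    leave recent rows untouched. Returns the new table."""
    kept = []
    for row in rows:
        age = now - row["ts"]
        if age > RAW_RETENTION + STATS_RETENTION:
            continue
        kept.append(anonymize(row) if age > RAW_RETENTION else dict(row))
    return kept


# Constructed sample call-detail rows; identifier values are placeholders.
NOW = datetime(2021, 3, 1)
SAMPLE_ROWS = [
    {"id": 1, "ts": NOW - timedelta(days=10), "msisdn": "MSISDN-SAMPLE-1",
     "imsi": "IMSI-SAMPLE-1", "age": 34, "gender": "F", "plan": "prepaid", "cell": "C-17"},
    {"id": 2, "ts": NOW - timedelta(days=120), "msisdn": "MSISDN-SAMPLE-2",
     "imei": "IMEI-SAMPLE-2", "age": 51, "gender": "M", "plan": "postpaid", "cell": "C-03"},
    {"id": 3, "ts": NOW - timedelta(days=120),
     "age": 27, "gender": "M", "plan": "prepaid", "cell": "C-42"},   # already anonymized
    {"id": 4, "ts": NOW - timedelta(days=500),
     "age": 63, "gender": "F", "plan": "postpaid", "cell": "C-08"},  # past total retention
]

if __name__ == "__main__":
    for reason, row_id in audit(SAMPLE_ROWS, NOW):
        print(reason, row_id)
```

Running `audit` as a scheduled job against the retention store gives a positive signal that the policy is actually being applied, which is exactly the evidence the authority found missing; `enforce` is the remediation step, and running `audit` again afterwards should return nothing.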

The compromised server included sensitive subscriber information and call data for the dates September 1, 2020, to September 5, 2020. 

The following are some of the details that were exposed: 
• Rough positional data of 4,792,869 unique COSMOTE subscribers. 
• Age, gender, plan, and ARPU of 4,239,213 unique COSMOTE subscribers. 
• MSISDN/CLI of 6,939,656 users of other telecommunication providers who communicated with customers of COSMOTE. 
• MSISDN, IMEI, IMSI, and connected tower position for 281,403 roaming subscribers of COSMOTE. 

In some circumstances, the above data could be used for highly targeted social engineering, phishing, and even extortion. In particular, for targeted subscribers who may be high-profile individuals, the consequences of the attack could be substantial.