The telecommunications sector has been taking quite a blow lately from cybercriminals. Crowdstrike analyzed an extremely persistent intrusion campaign against telcos and BPO firms. Moreover, the threat actors are really sneaky in this campaign.
Diving into details
The attacks started in June and have multiple initial access vectors.
The ultimate goal of the cybercriminal group is to gain access to mobile carrier networks and conduct SIM swapping.
The hackers’ techniques for SIM swapping include social engineering via texts and calls to masquerade as IT personnel.
The activity misleads victims to a credential harvesting site or directing to run commercial RMM tools.
Who’s behind the attack
This financially-motivated campaign has been loosely linked to the Scattered Spider group that has been observed maintaining persistence, reversing defense mitigation, avoiding detection, and moving to other targets as soon as corporate operations are disrupted.
Why this matters
After gaining system access, Scattered Spider actors add their own devices to the list of trusted MFA devices by leveraging the compromised user account.
The threat actors use Anydesk, Teamviewer, ScreenConnect, and other RMM tools found usually on corporate networks. This ensures that the malicious activity doesn’t generate alerts on security software.
In all the attacks, the group used a multitude of ISP and VPN providers to gain access to Google Workspace environments, on-premise infrastructure, and AzureAD.
When the breach is detected
The adversary maintains persistence in a breached network and becomes more active in setting up additional persistence mechanisms after detection.
They, in several cases, reversed some defense mitigations by reenabling accounts previously disabled by the victims.
The bottom line
Crowdstrike recommends implementing MFA challenges for privileged account authentication, detecting vulnerable and compromised devices and credentials via custom rules and queries, and enforcing real-time threat intelligence alerts for compromised credential identification. The threat actor is pretty sophisticated and has been using a myriad of tools and techniques to evade detection and maintain persistence.