Jump to content
  • Telcom and BPO Companies Under Attack by SIM Swapping Hackers

    alf9872000

    • 557 views
    • 2 minutes
     Share


    • 557 views
    • 2 minutes

    A persistent intrusion campaign has set its eyes on telecommunications and business process outsourcing (BPO) companies at lease since June 2022.

     

    "The end objective of this campaign appears to be to gain access to mobile carrier networks and, as evidenced in two investigations, perform SIM swapping activity," CrowdStrike researcher Tim Parisi said in an analysis published last week.

     

    The financially motivated attacks have been attributed by the cybersecurity company to an actor tracked as Scattered Spider.

     

    Initial access to the target environment is said to be undertaken through a variety of methods ranging from social engineering using phone calls and messages sent via Telegram to impersonate IT personnel.

     

    This technique is leveraged to direct victims to a credential harvesting site or trick them into installing commercial remote monitoring and management (RMM) tools like Zoho Assist and Getscreen.me.

     

    Should the target accounts be secured by two-factor authentication (2FA), the threat actor either convinced the victim into sharing the one-time password or employed a technique called prompt bombing, which was put to use in the recent breaches of Cisco and Uber.

     

    malware-attack.png
     

    In an alternative infection chain observed by CrowdStrike, a user's stolen credentials previously obtained through unknown means were used by the adversary to authenticate to the organization's Azure tenant.

     

    Another instance involved the exploitation of a critical remote code execution bug in ForgeRock OpenAM access management solution (CVE-2021-35464) that came under active exploitation last year.

     

    Many of the attacks also involved Scattered Spider gaining access to the compromised entity's multi-factor authentication (MFA) console to enroll their own devices for persistent remote access through legitimate remote access tools to avoid raising red flags.

     

    Initial access and persistence steps are followed by reconnaissance of Windows, Linux, Google Workspace, Azure Active Directory, Microsoft 365, and AWS environments as well as conducting lateral movement, while also downloading additional tools to exfiltrate VPN and MFA enrollment data in select cases.

     

    "These campaigns are extremely persistent and brazen," Parisi noted. "Once the adversary is contained or operations are disrupted, they immediately move to target other organizations within the telecom and BPO sectors."

     

    Source

    • Like 2

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...