According to the findings disclosed by the Computer Emergency Response Team of Ukraine (CERT-UA), a number of threat actors were found to have engaged in disruptive activities targeting a minimum of 11 telecommunication service providers within the country’s borders during the period spanning from May to September of the year 2023.
The agency is monitoring the behavior referred to as UAC-0165, asserting that the intrusions have resulted in service disruptions for clients.
The initial stage of the attacks involves conducting a reconnaissance phase, wherein the network of a telecommunications business is examined to detect any vulnerable RDP or SSH interfaces and potential points of entry.
According to CERT-UA, it is important to acknowledge that reconnaissance and exploitation actions are conducted using servers that have been infiltrated beforehand, specifically within the Ukrainian portion of the internet.
In order to direct network traffic through these specific nodes, several proxy servers such as Dante and SOCKS5 are employed.
The attacks are noteworthy due to the utilization of two specialized software applications, POEMGATE and POSEIDON, which facilitate the unauthorized acquisition of credentials and remote manipulation of the compromised servers. To eliminate the forensic trail, the user executes a tool called WHITECAT.
Furthermore, the provider’s infrastructure is susceptible to continuous illegal access through the utilization of normal VPN accounts that lack multi-factor authentication safeguards.
After a successful breach, there are subsequent efforts made to render network and server equipment, particularly Mikrotik equipment, as well as data storage systems, inoperable.
The organization reported the occurrence of four instances of phishing attacks conducted by a hacking gang known as UAC-0006, utilizing the SmokeLoader malware, throughout the initial week of October 2023.
According to CERT-UA, emails are sent using authentic compromised email addresses, and the delivery of SmokeLoader to personal computers occurs through several means.
The primary objective of the attackers is to compromise the computers of accountants with the aim of illicitly acquiring authentication data, such as login credentials, passwords, and keys/certificates. Additionally, they seek to manipulate the information included inside financial documents in remote banking systems, thereby facilitating the illegitimate transfer of funds.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. In the bottom line, he frequently writes for Craw Security.
Read More Article Here