
Telecom Networks again under Attack by GALLIUM Hacking Group

GALLIUM Hacking Group Attacks Telecom Networks Using Publicly Available Hacking Tools and Exploiting Unpatched Vulnerabilities

Microsoft has issued a warning about a threat group called GALLIUM that attacks telecommunication providers by exploiting vulnerabilities in internet-facing services such as WildFly/JBoss.
Initially, the threat actors use publicly available exploits against internet-facing services to gain a foothold in the target network; they then use common tools and techniques to steal network credentials and move deeper into the network.
GALLIUM activity was observed from 2018 to mid-2019, and it is still being observed, though at lower levels than in the earlier attacks.
GALLIUM is widely known for using publicly available tools and malware with only small modifications, and the group does not attempt to obfuscate its malware or tools.

Tools and Malware used by GALLIUM

Microsoft observed that the following tools and malware are the ones mainly used by the GALLIUM threat group.
Tool: Purpose
HTRAN: Connection bouncer to proxy connections.
Mimikatz: Credential dumper.
NBTScan: Scanner for open NETBIOS nameservers on a local or remote TCP/IP network.
Netcat: Reads from and writes to network connections using TCP or UDP protocols.
PsExec: Executes a command line process on a remote machine.
Windows Credential Editor (WCE): Credential dumper.
WinRAR: Archiving utility.

Malware: Notes
BlackMould: Native IIS version of the China Chopper web shell.
China Chopper: Commonly used and widely shared web shell used by several threat actors. Not unique to GALLIUM.
Poison Ivy (modified): Poison Ivy is a widely shared remote access tool (RAT) first identified in 2005. While Poison Ivy is widely used, the variant GALLIUM has been observed using is a modified version which appears to be unique to GALLIUM.
QuarkBandit: Gh0st RAT variant with modified configuration options and encryption.

Exploiting the Telecom Network

The threat actors initially locate and exploit unpatched internet-facing services, such as web servers, to gain network access.
Compromising a web server to gain access does not require user interaction, in contrast to access obtained through a traditional phishing attack.
Once a web server is compromised, they install a web shell along with additional tools to explore the network.
Other tools are used to perform reconnaissance; most of these are off-the-shelf tools or modified versions of known security tools.
GALLIUM also uses stolen code-signing certificates to sign its tools; Microsoft observed the group using a credential dumping tool signed with a certificate stolen from Whizzimo, LLC.
To move further into the network, they rely on compromised domain credentials, which are obtained with various credential harvesting tools.
Once they have gained access with the stolen credentials, the threat actors use PsExec to execute command line processes on remote machines.
According to Microsoft research, GALLIUM has made use of a modified version of the widely available Poison Ivy RAT. These RATs and the China Chopper web shell form the basis of GALLIUM’s toolkit for maintaining access to a victim network.
Microsoft has listed some best defensive practices for enterprise networks that help security operations teams take the appropriate mitigation steps.
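As an added illustration (not from the article or Microsoft's report) of how a defender might detect two of the steps above, the script below scans constructed IIS W3C log lines for the request pattern a China Chopper-style web shell produces and constructed Windows System event summaries for PsExec service installs; the log field order, host names and the baseline of legitimate POST endpoints are assumptions.

```python
import re
from collections import defaultdict

# Constructed IIS W3C log lines (not from a real incident). Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
IIS_LOG = """\
2019-12-12 10:01:03 10.0.0.5 GET /index.aspx - 443 - 203.0.113.7 Mozilla/5.0 https://example.com/ 200
2019-12-12 10:01:09 10.0.0.5 POST /upload/img.aspx - 443 - 198.51.100.9 Mozilla/4.0 - 200
2019-12-12 10:01:11 10.0.0.5 POST /upload/img.aspx - 443 - 198.51.100.9 Mozilla/4.0 - 200
2019-12-12 10:01:15 10.0.0.5 POST /login.aspx - 443 - 203.0.113.8 Mozilla/5.0 https://example.com/login 302
2019-12-12 10:02:40 10.0.0.5 POST /upload/img.aspx - 443 - 198.51.100.9 Mozilla/4.0 - 200
"""
# Constructed Windows System log summaries (Event ID 7045 = a new service was installed).
SYSTEM_EVENTS = """\
7045 host=TELCO-APP01 service=PSEXESVC image=%SystemRoot%\\PSEXESVC.exe account=LocalSystem
7036 host=TELCO-APP01 service=Spooler state=running
7045 host=TELCO-DB02 service=BackupAgent image=C:\\Program Files\\Backup\\agent.exe account=LocalSystem
"""

KNOWN_POST_ENDPOINTS = {"/login.aspx"}  # assumed baseline of legitimate POST targets

def suspicious_webshell_paths(log: str, known: set, min_posts: int = 2) -> set:
    """Flag script paths that only ever receive referer-less POSTs: a China Chopper-style
    shell carries its commands in the POST body, which IIS does not log, so request shape is the clue."""
    posts = defaultdict(int)
    other = set()
    for line in log.splitlines():
        f = line.split()
        if len(f) < 12 or not f[4].lower().endswith((".aspx", ".ashx", ".asp", ".php", ".jsp")):
            continue
        method, path, referer = f[3], f[4], f[10]
        if method == "POST" and referer == "-":
            posts[path] += 1
        else:
            other.add(path)  # any GET or referred request argues for a normal page
    return {p for p, n in posts.items()
            if n >= min_posts and p not in other and p not in known}

# Default PsExec service name PSEXESVC is a well-known artifact of PsExec lateral movement.
PSEXEC_RE = re.compile(r"^7045 host=(\S+) .*service=(PSEXESVC\S*) .*image=(\S+)", re.I)

def psexec_service_installs(events: str) -> list:
    """Return (host, service, image) for 7045 events that install the PsExec service."""
    hits = []
    for line in events.splitlines():
        m = PSEXEC_RE.match(line)
        if m:
            hits.append(m.groups())
    return hits
```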

Indicators of Compromise

Signature names:
TrojanDropper:Win32/BlackMould.A!dha
Trojan:Win32/BlackMould.B!dha
Trojan:Win32/QuarkBandit.A!dha
Trojan:Win32/Sidelod.A!dha
