To obtain access to a variety of clients' systems and data in a single attack, hackers frequently target IT service providers.
Security researchers at Hunt & Hackett recently discovered that the Turkish espionage APT group Sea Turtle has been actively exploiting known vulnerabilities to attack IT service providers.
Compounding the problem are zero-day vulnerabilities such as the MOVEit SQL injection and the Zimbra XSS, with more than 300 such vulnerabilities discovered each month.
The Sea Turtle APT group has been active since 2017, is known for DNS hijacking, and adapts its techniques to evade detection.
Microsoft exposed the group, which it tracks as SILICON, in October 2021, noting that its activity aligns with Turkish interests.
For sensitive data, Sea Turtle targets the following areas:
Successful attacks aid surveillance and intelligence gathering.
Sea Turtle intercepts internet traffic and uses a reverse shell to extract data.
Researchers also tracked Sea Turtle campaigns in the Netherlands and found that, in line with Turkish interests, they primarily focus on the following two things:
Recent campaigns in the Netherlands target the following:
Sea Turtle employs supply chain attacks to collect politically motivated information.
Stolen data is likely used for surveillance or intelligence on specific groups.
In early 2023, Hunt & Hackett identified Sea Turtle's latest campaigns targeting multiple organizations.
In one attack, experts determined that the threat actor compromised a cPanel account and used a VPN for access.
The actor created a WebMail session and performed SSH logons from a hosting provider's IP address. Source code files for a reverse shell written in C were downloaded from a known Sea Turtle GitHub repository and compiled on the host.
PwC independently linked this activity to Sea Turtle's use of the SnappyTCP reverse shell; in this case, SnappyTCP was downloaded from a Sea Turtle-controlled server.
The actor then established a command-and-control channel, employed anti-forensic measures, and reconnected to the compromised cPanel account.
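The chain described above (an SSH logon from an unexpected IP, followed by fetching and compiling a C reverse shell on the same host) is a correlation a defender can alert on. The following is an added detection sketch, not code from the article, from Hunt & Hackett or from PwC. Every hostname, username, IP address, URL, path and the 30-minute window are constructed for the example; the administrator allowlist prefixes are an assumption about what "expected" SSH sources look like in a given environment.

```python
"""Detection sketch: correlate an SSH login from a non-allowlisted IP with a
subsequent fetch-then-compile sequence by the same user on the same host.

All sample data below is constructed for this example. None of the IPs,
users, hosts, URLs or paths are indicators taken from the article.
"""
import re
from datetime import datetime, timedelta

# Constructed allowlist: address prefixes from which admin SSH is expected.
ADMIN_PREFIXES = ("10.0.", "192.168.50.")

# Constructed sshd lines in syslog format (sshd omits the year).
AUTH_LOG = """\
Jan  3 09:12:41 web01 sshd[2113]: Accepted publickey for deploy from 10.0.4.7 port 51122 ssh2
Jan  3 11:47:02 web01 sshd[3390]: Accepted password for cpaneluser from 203.0.113.45 port 40211 ssh2
Jan  3 11:52:19 web01 sshd[3391]: Failed password for root from 198.51.100.9 port 22 ssh2
"""

# Constructed process-execution records (as an auditd/EDR pipeline might
# emit them), already normalised to: timestamp|host|user|command line.
EXEC_LOG = """\
2024-01-03T11:48:10|web01|cpaneluser|git clone https://example.invalid/placeholder/repo.git /tmp/.x
2024-01-03T11:48:55|web01|cpaneluser|gcc -o /tmp/.x/tcp /tmp/.x/tcp.c
2024-01-03T11:49:30|web01|cpaneluser|/tmp/.x/tcp
2024-01-03T09:13:05|web01|deploy|gcc -O2 -o build/app src/app.c
"""

SSH_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port"
)
FETCH_RE = re.compile(r"^(git clone|curl|wget)\b")
COMPILE_RE = re.compile(r"^(gcc|cc|clang|make)\b")
YEAR = 2024  # constructed: syslog lines carry no year, so one is supplied


def parse_ssh_logins(text):
    """Return (timestamp, host, user, source_ip) for each accepted sshd login."""
    logins = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue  # failed logins and unrelated lines are ignored here
        ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        logins.append((ts, m["host"], m["user"], m["ip"]))
    return logins


def parse_execs(text):
    """Return (timestamp, host, user, command) for each execution record."""
    records = []
    for line in text.splitlines():
        ts, host, user, cmd = line.split("|", 3)
        records.append((datetime.fromisoformat(ts), host, user, cmd))
    return records


def is_admin_ip(ip):
    """True if the source address falls inside the constructed allowlist."""
    return ip.startswith(ADMIN_PREFIXES)


def find_suspicious_chains(auth_text, exec_text, window=timedelta(minutes=30)):
    """Flag: non-allowlisted SSH login -> source fetch -> compile, by the same
    user on the same host, in that order, all within `window` of the login."""
    execs = sorted(parse_execs(exec_text))  # chronological order
    alerts = []
    for ts, host, user, ip in parse_ssh_logins(auth_text):
        if is_admin_ip(ip):
            continue
        fetched_at = None
        for ets, ehost, euser, cmd in execs:
            if ehost != host or euser != user or ets < ts or ets - ts > window:
                continue
            if fetched_at is None and FETCH_RE.match(cmd):
                fetched_at = ets
            elif fetched_at is not None and COMPILE_RE.match(cmd):
                alerts.append({"host": host, "user": user, "src_ip": ip,
                               "login": ts.isoformat(), "compile": cmd})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_chains(AUTH_LOG, EXEC_LOG):
        print(alert)
```

Run against the constructed data, the deploy user's routine compile is not flagged because the preceding login came from an allowlisted prefix, while the cpaneluser session is flagged once a clone is followed by a compile. In production the allowlist would come from asset inventory rather than a hard-coded tuple, and the fetch/compile patterns would be tuned to the hosting environment's normal build activity.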
If specific conditions are met, the SnappyTCP malware does the following:
Below are the recommendations provided by the cybersecurity analysts:
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 10 Jan 2024 07:35:15 +0000