The Turkish state-backed cyber espionage group tracked as Sea Turtle has been carrying out multiple spying campaigns in the Netherlands, focusing on telcos, media, internet service providers, and Kurdish websites.
Previously, Sea Turtle, also known as Teal Kurma and Cosmic Wolf, focused on the Middle Eastern region, as well as Sweden and the United States, using techniques like DNS hijacking and traffic redirection to perform man-in-the-middle attacks against government and non-government organizations, media, ISPs, and IT service providers.
The recent expansion to the Netherlands was observed by analysts at Hunt & Hackett, who report that Sea Turtle remains a threat group of moderate sophistication, primarily using known flaws and compromised accounts for initial access while failing to hide their activity trace effectively.
Hunt & Hackett says it has observed Sea Turtle activity in the Netherlands between 2021 and 2023, with new techniques and malware being introduced recently.
The attacks target specific organizations and appear to be focused on acquiring economic and political intelligence that aligns with the Turkish state's interests.
Initial access in the observed attacks is achieved by using compromised cPanel accounts to SSH onto the target infrastructure.
A new tool deployed in the recent Sea Turtle attacks is 'SnappyTCP,' an open-source reverse TCP shell for Linux that offers basic command and control capabilities.
The tool remains active on the system to serve as a persistent backdoor by using the 'NoHup' command, preventing its termination even when the threat actors have logged out.
The researchers also report seeing the installation of the Adminer database management tool in the public directory of one of the compromised cPanel accounts, giving them persistent data access and SQL command execution capabilities.
For evasion, Sea Turtle overwrites Linux system log files and unsets the command and MySQL history files to erase the trace of their presence and activities.
Hunt & Hackett have logged multiple cases of the threat actors connecting to the compromised cPanel accounts using a virtual private network tool.
Finally, when it comes to data exfiltration, the attackers created copies of email archives from compromised cPanel accounts and placed them in the public web directory of a website, making them available for downloading.
The SnappyTCP tool, like most reverse shells, can also be used for data exfiltration directly to the C2 server using TCP or HTTP connections.
Hunt & Hackett have seen no cases of post-compromise credential theft, lateral movement attempts, or data manipulation/wiping in these attacks.
Despite Sea Turtle's techniques being classified as moderately sophisticated, the group continues to pose a significant threat to organizations globally.
Recommendations for mitigating this threat include deploying strict network monitoring, enabling MFA on all critical accounts, and reducing SSH exposure to the minimum required systems.
Stealthy KV-botnet hijacks SOHO routers and VPN devices.
New AeroBlade hackers target aerospace sector in the U.S. Hackers use new Agent Raccoon malware to backdoor US targets.
Microsoft: Hackers target defense firms with new FalseFont malware.
Ukraine says it hacked Russian aviation agency, leaks data.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 08 Jan 2024 20:40:20 +0000