Telecommunication, media, internet service providers (ISPs), information technology (IT) service providers, and Kurdish websites in the Netherlands have been targeted as part of a new cyber espionage campaign undertaken by a Türkiye-nexus threat actor known as Sea Turtle.
"The infrastructure of the targets was susceptible to supply chain and island-hopping attacks, which the attack group used to collect politically motivated information such as personal information on minority groups and potential political dissidents," Dutch security firm Hunt & Hackett said in a Friday analysis.
"The stolen information is likely to be exploited for surveillance or intelligence gathering on specific groups and/or individuals."
Sea Turtle, also known by the names Cosmic Wolf, Marbled Dust (formerly Silicon), Teal Kurma, and UNC1326, was first documented by Cisco Talos in April 2019, detailing state-sponsored attacks targeting public and private entities in the Middle East and North Africa.
Activities associated with the group are believed to have been ongoing since January 2017, primarily leveraging DNS hijacking to redirect prospective targets attempting to query a specific domain to an actor-controlled server capable of harvesting their credentials.
"The Sea Turtle campaign almost certainly poses a more severe threat than DNSpionage given the actor's methodology in targeting various DNS registrars and registries," Talos said at the time.
In late 2021, Microsoft noted that the adversary carries out intelligence collection to meet strategic Turkish interests from countries such as Armenia, Cyprus, Greece, Iraq, and Syria, striking telecom and IT companies with an aim to "establish a foothold upstream of their desired target" via exploitation of known vulnerabilities.
Then last month, the adversary was revealed to be using a simple reverse TCP shell for Linux (and Unix) systems called SnappyTCP in attacks carried out between 2021 and 2023, according to the PricewaterhouseCoopers (PwC) Threat Intelligence team.
"The web shell is a simple reverse TCP shell for Linux/Unix that has basic [command-and-control] capabilities, and is also likely used for establishing persistence," the company said. "There are at least two main variants; one which uses OpenSSL to create a secure connection over TLS, while the other omits this capability and sends requests in cleartext."
The latest findings from Hunt & Hackett show that Sea Turtle continues to be a stealthy espionage-focused group, carrying out defense evasion techniques to fly under the radar and harvest email archives.
In one of the attacks observed in 2023, a compromised-but-legitimate cPanel account was used as an initial access vector to deploy SnappyTCP on the system. It is currently not known how the attackers obtained the credentials.
"Using SnappyTCP, the threat actor sent commands to the system to create a copy of an email archive created with the tool tar, in the public web directory of the website that was accessible from the internet," the company noted.
"It is highly likely that the threat actor exfiltrated the email archive by downloading the file directly from the web directory."
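The staging-and-download pattern described above (an archive created with tar, dropped into the public web directory, then fetched over HTTP) leaves two traces a defender can look for: a large, successful GET of an archive file in the web server access log, and an archive file sitting under the web root on the host. The script below is an added example, not code from the Hunt & Hackett report or from the original article; the log lines, IP addresses, file names and the 5 MiB size threshold are constructed assumptions.

```python
import os
import re
from dataclasses import dataclass

# Combined-log-format parser (Apache/nginx style). Field order assumed:
# client-ip ident user [timestamp] "METHOD path protocol" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Extensions a staged mail dump would plausibly carry (assumption).
ARCHIVE_EXTS = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".zip", ".7z", ".mbox")
# Anything bigger than this served from the web root deserves a look (assumption).
DEFAULT_MIN_SIZE = 5 * 1024 * 1024  # 5 MiB


@dataclass
class ArchiveDownload:
    ip: str
    timestamp: str
    path: str
    size: int


def parse_log_line(line):
    """Return (ip, ts, method, path, status, size) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    return (m.group("ip"), m.group("ts"), m.group("method"),
            m.group("path"), int(m.group("status")), size)


def find_archive_downloads(lines, min_size=DEFAULT_MIN_SIZE):
    """Flag successful GETs of archive files at or above min_size bytes."""
    findings = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status, size = parsed
        bare_path = path.split("?", 1)[0].lower()  # drop any query string
        if (method == "GET" and status == 200
                and bare_path.endswith(ARCHIVE_EXTS) and size >= min_size):
            findings.append(ArchiveDownload(ip, ts, path, size))
    return findings


def scan_webroot_for_archives(root):
    """Host-side check: list (path, size) for archive files under a public web root."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, name)
                hits.append((full, os.path.getsize(full)))
    return sorted(hits)


# Constructed sample access log: the second line models a ~700 MB archive
# pulled with curl; the others are ordinary traffic, an error, a small download
# below the threshold, and a line that should be skipped because it does not parse.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Dec/2023:02:14:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Dec/2023:02:14:09 +0000] "GET /mail-backup.tar HTTP/1.1" 200 734003200 "-" "curl/7.88.1"',
    '198.51.100.4 - - [12/Dec/2023:02:15:30 +0000] "GET /assets/site.zip HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Dec/2023:02:16:01 +0000] "GET /downloads/brochure.tar.gz?v=2 HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in find_archive_downloads(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} fetched {f.path} ({f.size} bytes)")
```

Lowering `min_size` trades more noise (legitimate brochures and software downloads) for catching smaller dumps; the host-side scan is the cheaper check to schedule, since an archive under the web root is rarely legitimate on a mail or hosting server.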
To mitigate the risks posed by such attacks, it is recommended that organizations enforce strong password policies, implement two-factor authentication (2FA), rate limit login attempts to reduce the chances of brute-force attempts succeeding, monitor SSH traffic, and keep all systems and software up-to-date.
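Two of the recommendations above, rate limiting logins and monitoring SSH, can be backed by a simple detector over sshd authentication logs: count failed logins per source address inside a sliding window, and treat a successful login that follows a run of failures from the same address as a stronger signal than the failures alone. The script below is an added example, not from the article or from any of the vendors it cites; the syslog-style lines, host name, user names and IP addresses are constructed, and the thresholds (5 failures in 60 seconds, 3 failures before a success) are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# syslog-style sshd lines (assumed format), for example:
#   Jan 12 03:10:01 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
_TS = r'(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)'
FAILED_RE = re.compile(
    _TS + r' \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+')
ACCEPTED_RE = re.compile(
    _TS + r' \S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+')


def _parse_ts(text):
    # syslog timestamps carry no year; relative ordering within one file is enough here
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def detect_ssh_bruteforce(lines, threshold=5, window=timedelta(seconds=60),
                          min_failures_before_success=3):
    """Return {ip: alert} for sources that log `threshold` failures inside `window`,
    or a successful login after at least `min_failures_before_success` failures."""
    recent = defaultdict(deque)       # ip -> failure timestamps inside the sliding window
    total_failures = defaultdict(int)  # ip -> failures seen so far in the file
    alerts = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ip, ts = m.group("ip"), _parse_ts(m.group("ts"))
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # evict failures older than the window
                q.popleft()
            total_failures[ip] += 1
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"kind": "burst", "failures": 0, "accepted_user": None})
                alert["failures"] = total_failures[ip]
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            ip = m.group("ip")
            if total_failures[ip] >= min_failures_before_success:
                alert = alerts.setdefault(ip, {"kind": "burst", "failures": 0, "accepted_user": None})
                alert["kind"] = "success_after_failures"   # likely guessed or stolen credential
                alert["failures"] = total_failures[ip]
                alert["accepted_user"] = m.group("user")
    return alerts


# Constructed sample: one source guesses six passwords in 13 seconds and then
# gets in as "deploy"; a second source mistypes once and then logs in with a key.
SAMPLE_AUTH_LOG = [
    "Jan 12 03:10:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "Jan 12 03:10:03 web1 sshd[1202]: Failed password for invalid user test from 203.0.113.9 port 51236 ssh2",
    "Jan 12 03:10:06 web1 sshd[1203]: Failed password for root from 203.0.113.9 port 51240 ssh2",
    "Jan 12 03:10:08 web1 sshd[1204]: Failed password for root from 203.0.113.9 port 51241 ssh2",
    "Jan 12 03:10:11 web1 sshd[1205]: Failed password for deploy from 203.0.113.9 port 51244 ssh2",
    "Jan 12 03:10:14 web1 sshd[1206]: Failed password for deploy from 203.0.113.9 port 51245 ssh2",
    "Jan 12 03:10:20 web1 sshd[1207]: Accepted password for deploy from 203.0.113.9 port 51250 ssh2",
    "Jan 12 03:11:02 web1 sshd[1210]: Failed password for alice from 198.51.100.4 port 40010 ssh2",
    "Jan 12 03:11:09 web1 sshd[1211]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2",
]

if __name__ == "__main__":
    for ip, alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, alert)
```

The same per-source counter is what a rate limiter such as fail2ban keys on; the difference here is the second rule, which surfaces the case the article describes, a valid credential used after the noise, rather than only the noise itself.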
Some parts of this article are sourced from:
thehackernews.com