Sea Turtle APT Group Exploiting Known Vulnerabilities to Attack IT-service Providers
To contrivance ranking entry to to a diversity of customers’ techniques and data in a single attack, hackers incessantly target IT provider providers.
Their procedure lets them maximize the conclude of their efforts by permitting them to compromise several organizations from a single point of entry.
Cybersecurity security researchers at Hunt & Hackett no longer too prolonged ago found that the Turkish espionage APT crew Sea Turtle has been actively exploiting the acknowledged vulnerabilities to attack IT provider providers.
Fastrack Compliance: The Path to ZERO-Vulnerability
Compounding the scenario are zero-day vulnerabilities esteem the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that ranking found every month. Delays in fixing these vulnerabilities lead to compliance disorders, these extend would possibly maybe additionally be minimized with a definite feature on AppTrana that permits you to ranking “Zero vulnerability tale” within 72 hours.
Sea Turtle APT Crew
Sea Turtle APT crew has been active since 2017 and is acknowledged for DNS hijacking; it adapts to evade detection.
Evading detection, Microsoft uncovered SILICON in Oct 2021, aligning with Turkish interests. Now now not easiest that, even in 2022, the Greek Nationwide CERT shared the IOCs.
For sensitive recordsdata, Sea Turtle targets the next areas:-
- Europe
- Center East
- North Africa
Right here below, we hold mentioned the final sectors and entities focused:-
- Gov’t our bodies
- Kurdish groups
- NGOs
- Telecom
- ISPs
- IT
- Media
A success attacks reduction surveillance and intelligence gathering. Sea Turtle intercepts web traffic the usage of reverse shell for recordsdata extraction.
Researchers tracked the Sea Turtle’s campaigns also in the Netherlands and positioned that they are basically excited about the next two key things for Turkish interests:-
- Financial espionage
- Political espionage
Recent campaigns in the Netherlands target the next:-
- Telecom
- Media
- ISPs
- Kurdish web sites
Sea Turtle employs provide chain attacks to get politically motivated recordsdata. Stolen recordsdata is most likely weak for surveillance or intelligence on explicit groups.
In early 2023, Hunt & Hackett identified Sea Turtle’s most recent campaigns concentrating on a pair of organizations. In a single attack, experts identified that the possibility actor compromised a cPanel account and weak a VPN for ranking entry to.
They created a WebMail session and executed SSH logons from a web based web hosting supplier’s IP. Supply code recordsdata for a ‘C’ programming language reverse shell were downloaded and compiled from a acknowledged Sea Turtle GitHub repository.
The PwC independently linked this to Sea Turtle the usage of the SnappyTCP reverse shell, and here, the SnappyTCP became downloaded from a Sea Turtle server (http[://]193.34.167[.]245/c00n/connn.c).
The actor established a present-and-administration channel, employed anti-forensic measures, and reconnected to the compromised cPanel account.
If explicit prerequisites are met, the SnappyTCP malware does the next things:-
- Reads a config file
- Performs an HTTP GET with ‘sy.php’ search recordsdata from URI
- Spawns a reverse shell
In the period in-between, the C&C channel most likely entails Socat, which works the traits found on the server.
Solutions
Right here below, we hold mentioned the final concepts supplied by the cybersecurity analysts:-
- Deploy EDR for monitoring community connections, processes, and account issue; retailer logs centrally.
- Implement a solid password policy.
- Frequently employ a secrets administration intention for storage.
- Restrict logon makes an strive.
- Enable 2FA on exterior accounts.
- Place machine as a lot as this point to carve vulnerabilities.
- Restrict SSH ranking entry to
- Implement SSH logon price restrict.
- Implement egress community filtering to block malicious traffic.
Source credit : cybersecuritynews.com