Cyberattacks against telecommunication service providers in the Middle East have been carried out with the use of new malware called HTTPSnoop and PipeSnoop, which allow cybercriminals to remotely control the devices infected with this malware.
Researchers have also found a companion implant to HTTPSnoop, known as PipeSnoop, which accepts shellcode from a named pipe and executes it on the infected endpoint by passing it to an open socket. Cisco Talos assesses with high confidence that both implants belong to a new intrusion set it calls 'ShroudedSnooper'.
According to a report by Cisco Talos, the two implants belong to the same intrusion set named 'ShroudedSnooper' but serve different operational goals in terms of the level of infiltration.
"HTTPSnoop is a simple, yet effective backdoor that uses a novel technique to interface with the Windows HTTP kernel drivers and devices, listening for incoming HTTP(S) requests and executing their content on an infected machine."
HTTPSnoop is a simple but effective backdoor, according to a Cisco Talos report shared with The Hacker News.
It is also important to note that a sister implant, codenamed PipeSnoop, is part of the threat actor's arsenal; this implant is capable of accepting arbitrary shellcode from a named pipe and executing it on the infected machine.
To gain an initial foothold in target environments, ShroudedSnooper is said to exploit internet-facing servers and deploy HTTPSnoop as its first step. Both malware strains impersonate components of the Palo Alto Networks Cortex XDR application ("CyveraConsole.exe"), trading on the credibility of Palo Alto Networks.
PipeSnoop
The Cisco Security Research Center first detected the PipeSnoop implant back in May 2023. This implant acts as a backdoor on Windows IPC (Inter-Process Communication) pipes, which are used to deliver shellcode to breached endpoints.
Unlike HTTPSnoop, which appears to target public-facing servers, PipeSnoop appears better suited to operating deeper inside an already compromised network.
The Cisco engineers note that the implant requires a separate component that feeds it shellcode in order to function.
Despite this, the firm's analysts still have not been able to locate that component.
The telecommunications industry often becomes a target of state-sponsored threat actors because these companies run critical infrastructure within their networks and relay extremely sensitive information for a wide range of customers.
Due to the recent escalation of state-sponsored attacks against telecom entities, it is imperative that enhanced security measures are put in place as well as international cooperation in the fight against cyber-attacks.
Moreover, the researcher who published the post detailed that both HTTPSnoop and PipeSnoop were found masquerading as components of the Cortex XDR application from Palo Alto Networks.
The malware's executable is named 'CyveraConsole[dot]exe', the name of the legitimate executable that contains the Cortex XDR agent for Windows.
The researchers noted that Cortex XDR v7.8 became available for download on Aug. 7, 2022, and that the product was decommissioned on April 24, 2023.
The threat actors could therefore have operated this cluster of implants during that window.
Three different HTTPSnoop variants have been observed so far.
The malware uses low-level Windows APIs to detect incoming requests that match predefined URL patterns, then extracts the shellcode they carry and executes it on the infected host.
The HTTP URLs used in this attack imitate those used by Microsoft Exchange Web Services, OfficeTrack, and provisioning services linked to an Israeli telecommunications company, so that the malicious traffic blends in and is nearly impossible to detect.
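As an added illustration (not code from the Talos report or from this article), the Python sketch below shows the host-level hunt that the description above suggests: a backdoor that registers its own URL prefixes with the Windows HTTP kernel driver (http.sys) means a process that is not a web server ends up receiving requests on paths that look like Exchange Web Services or provisioning endpoints. The input is a constructed inventory of URL registrations and their owning processes, standing in for what an analyst would collect on the host (for example with `netsh http show servicestate`, whose exact output format is not reproduced here); the expected-owner set, the signer names and the lookalike path list are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: (url prefix, owning pid, image name, code signer).
# signer None means unsigned or unknown. Values are invented for the example;
# on a real host this inventory is collected from http.sys and the process list.
SAMPLE_REGISTRATIONS = [
    ("http://+:80/", 4, "System", "Microsoft Windows"),
    ("https://+:443/ews/", 1844, "w3wp.exe", "Microsoft Windows"),
    ("https://+:443/ews/MsExgHealthCheckd/", 5120, "CyveraConsole.exe", None),
    ("https://+:443/officetrack/provision/", 5120, "CyveraConsole.exe", None),
    ("http://+:5985/wsman/", 4, "System", "Microsoft Windows"),
]

# Processes that legitimately own http.sys request queues on this host (assumption).
EXPECTED_OWNERS = {"System", "w3wp.exe", "svchost.exe"}

# Vendor that would legitimately sign a binary carrying this name (assumption).
EXPECTED_SIGNER_BY_IMAGE = {"CyveraConsole.exe": "Palo Alto Networks"}

# Path fragments the report says HTTPSnoop's URL patterns imitate.
LOOKALIKE_PATHS = re.compile(r"/(ews|officetrack|provision)", re.I)


@dataclass
class Finding:
    url: str
    pid: int
    image: str
    reason: str


def hunt(registrations):
    """Return one Finding per http.sys registration that warrants analyst review."""
    findings, flagged_signers = [], set()
    for url, pid, image, signer in registrations:
        # A lookalike path served by something other than the expected web server.
        if image not in EXPECTED_OWNERS and LOOKALIKE_PATHS.search(url):
            findings.append(Finding(url, pid, image,
                                    "non-web-server process listening on a lookalike path"))
        # A binary named like vendor software but not signed by that vendor (once per pid).
        expected = EXPECTED_SIGNER_BY_IMAGE.get(image)
        if expected and signer != expected and pid not in flagged_signers:
            flagged_signers.add(pid)
            findings.append(Finding(url, pid, image,
                                    f"named like {expected} software but not signed by it"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_REGISTRATIONS):
        print(f"PID {f.pid} {f.image}: {f.url} -> {f.reason}")
```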
"Several state-sponsored actors and sophisticated adversaries have been alleged to have targeted telecommunications organizations around the world over the last couple of years. In 2022, telecommunications was consistently one of the top-targeted verticals in Talos IR engagements."
Telecommunication companies are typically high-profile targets because they control a considerable number of critical infrastructure assets, giving adversaries the chance to cause significant damage.
In many cases, these institutions are the backbone of national satellite, internet, and telephone networks, which are heavily relied upon by both the private and public sectors.
The authors noted that telecommunications companies can also act as a gateway for adversaries to gain access to other businesses, subscribers, or third-party providers, such as banks and credit card companies.
Moreover, Cisco Talos stated that telecommunications companies in the Middle East and Asia are also frequently targeted. The cybersecurity firm ClearSky disclosed in January 2021 that the "Lebanese Cedar" APT was targeting telecommunication companies in the U.S., the U.K., and the Middle East using web shells and RAT malware families, including Explosive.
Symantec also described a separate MuddyWater APT campaign targeting South Asian telecommunication companies, which used web shells to deliver script-based malware to Exchange Servers and dual-use tools to conduct hands-on-keyboard attacks.
Earlier this year, Cisco Talos researchers identified two vulnerabilities in WellinTech's KingHistorian ICS data manager. Talos tested the software and confirmed that these vulnerabilities could be exploited.
ClearSky discovered, in January 2021, that a set of attacks had been orchestrated by the Lebanese Cedar group against telecom operators in the United States, the United Kingdom, and the Middle East. In December of the same year, Symantec, owned by Broadcom, disclosed that the MuddyWater (also known as Seedworm) threat actor was running an espionage campaign against telecom operators in the Middle East and Asia.
Other adversarial collectives have also been reported attacking telecommunication service providers in that region over the past year, including BackdoorDiplomacy, WIP26, and Granite Typhoon (formerly Gallium).