Not a SIMulation: Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies

Originally published by CrowdStrike.

CrowdStrike Services reviews a recent, extremely persistent intrusion campaign targeting telecommunications and business process outsourcing (BPO) companies and outlines how organizations can defend and secure their environments.

• CrowdStrike Services has performed multiple investigations into an intrusion campaign targeting telecommunications and business process outsourcing (BPO) companies.
• The end objective of this campaign appears to be to gain access to mobile carrier networks and, as evidenced in two investigations, perform SIM swapping activity.
• Initial access is varied: Social engineering using phone calls and text messages to impersonate IT personnel, and either directing victims to a credential harvesting site or directing victims to run commercial remote monitoring and management (RMM) tools.
• These campaigns are extremely persistent and brazen. Once the adversary is contained or operations are disrupted, they immediately move to target other organizations within the telecom and BPO sectors.
• Organizations should focus on identity-based security through authentication restrictions and secure multifactor authentication (MFA) configurations to most effectively disrupt this campaign.
• CrowdStrike Intelligence has attributed this campaign with low confidence to the SCATTERED SPIDER eCrime adversary.

Since June 2022, CrowdStrike Services, CrowdStrike Falcon OverWatch™ and CrowdStrike Intelligence teams have observed an increase in the targeting of Telco and BPO industries. These investigations appear to be tied to a financially-motivated campaign with links to an adversary CrowdStrike tracks as SCATTERED SPIDER. This blog will discuss the ongoing campaign in greater detail, highlighting the various techniques used by the adversary to gain and maintain access, and evade detection and response, as well as what organizations should be aware of to best defend and respond to this campaign.

Background

In this attack campaign, the adversary demonstrates persistence in trying to gain access to victim environments and performs constant, and typically daily, activity within the target environment once access is gained. It is imperative for organizations to swiftly implement containment and mitigation actions if this adversary is in the environment. In multiple investigations, CrowdStrike observed the adversary become even more active, setting up additional persistence mechanisms, i.e. VPN access and/or multiple RMM tools, if mitigation measures are slowly implemented. And in multiple instances, the adversary reverted some of the mitigation measures by re-enabling accounts previously disabled by the victim organization.

Also of note, as CrowdStrike assisted one organization through the investigation and to a successful containment phase, the adversary moved onto other organizations in the same vertical. CrowdStrike was subsequently engaged to support the new victim organizations battling against the same campaign, as evidenced by overlapping indicators of compromise (IOCs) and techniques.

In all observed intrusions, the adversary attempted to leverage access to mobile carrier networks from a Telco or BPO environment, and in two investigations, SIM swapping was performed by the adversary.

Below is a summary timeline outlining a sampling of intrusions CrowdStrike Services responded to along with corresponding findings.

Figure 1. Sampling of relevant investigation summaries performed by CrowdStrike Services since June 2022 (click to enlarge)

Initial Access and Privilege Escalation

In most of the investigations CrowdStrike performed, initial access was achieved through social engineering, where the adversary leveraged phone calls, SMS and/or Telegram to impersonate IT staff. The adversary instructed victim users to either navigate to a credential-harvesting website containing the company logo and enter their credentials, or download a RMM tool that would allow the adversary to remotely connect and control their system. If MFA was enabled, the adversary would either engage the victim directly by convincing them to share their one-time password (OTP), or indirectly by leveraging MFA push-notification fatigue. This is when an adversary continuously prompts MFA to the victim user until they accept the MFA push challenge.

In another investigation, the adversary leveraged compromised credentials from a victim user and authenticated to the organization’s Azure tenant. Using this access, the adversary instantiated Azure VMs to conduct credential theft activity and lateral movement to on-premises systems.

In a third tactic observed in another investigation, the adversary leveraged CVE-2021-35464 to exploit a ForgeRock OpenAM application server, which front-ends web applications and remote access solutions in many organizations (a patch for this CVE was released in October 2021). In this example, the adversary showcased their knowledge of AWS. Leveraging AWS Instance Roles to assume or elevate privileges from the Apache Tomcat user, the adversary would request and assume permissions of an instance role using a compromised AWS token. As shown in Figure 2, the adversary used elevated privileges to execute the open-source LINpeas privilege escalation utility.

Figure 2. Adversary curl command leveraging an AWS Instance Role for privilege escalation, running the LinPEAS privilege escalation tool

Persistence and Remote Access Tactics

CrowdStrike incident responders observed that in many cases, the adversary gained access to the organization’s MFA console to add their own devices (as an additional device per user) as trusted MFA devices. The devices would be assigned to compromised users for whom they had captured credentials. This technique, performed by taking advantage of user self-enrollment policies with the MFA provider, allowed the adversary to maintain a deeper and less obvious level of persistence instead of simply installing a remote access trojan to maintain access.

In almost all investigations, the adversary used a wide variety of RMM tools to maintain persistent access such as the list below:

• AnyDesk
• BeAnywhere
• Domotz
• DWservice
• Fixme.it
• Fleetdeck.io
• Itarian Endpoint Manager
• Level.io
• Logmein
• ManageEngine
• N-Able
• Pulseway
• Rport
• Rsocx
• ScreenConnect
• SSH RevShell and RDP Tunnelling via SSH
• Teamviewer
• TrendMicro Basecamp
• Sorillus
• ZeroTier

Because these tools are not nefarious or malicious in nature, they do not typically generate alerts and are not typically blocked by endpoint detection and response (EDR) technology. However, the combination of Falcon EDR telemetry with human analysis from OverWatch and incident responders painted a clear picture of the adversary’s actions. During active hands-on-keyboard activity at most the intrusions CrowdStrike Services responded to, the adversary would often deploy multiple RMM tools and would quickly deploy another one if the organization blocked the previously used utilities.

Another tactic seen throughout multiple investigations is the adversary following a generic DESKTOP-<7 alphanumeric characters> naming pattern when using their own systems to connect to victim organization VPNs. And when creating systems in the victim organization’s virtual desktop infrastructure, the adversary followed a pattern mimicking the victim organization’s naming conventions.

The adversary has also targeted VMware ESXi hypervisors. In one investigation, the adversary installed the open-source rsocx reverse proxy tool and Level remote monitoring and management tool (RMM) on an ESXi appliance. In another investigation, the adversary executed the open-source port scanner tool RustScan from a Docker container running on an ESXi appliance. We have released the CrowdStrike Services ESXi Triage Collection and Containment Quick Reference Guide, which includes best practices to secure ESXi instances.

Throughout all investigations, the adversary used a variety of ISP and VPN providers to access victim Google Workspace environments, AzureAD and on-premises infrastructure. Many IP addresses originating from these ISPs were observed throughout the multiple investigations performed by CrowdStrike Services. Two of the most common ISPs CrowdStrike observed the adversary operating from were M247 and Digital Ocean. In each investigation, CrowdStrike leveraged Obsidian, a CrowdStrike Store partner, to implement custom ISP detections and restrictions in O365, AzureAD, Google Workspace and other software-as-a-service (SaaS) environments to quickly respond to, and further secure victim environments.

Reconnaissance and Lateral Movement

The adversary operates across Windows, Linux, Google Workspace, AzureAD, M365 and AWS environments. They have also accessed SharePoint and OneDrive environments for reconnaissance information, specifically searching for VPN information, MFA enrollment information, “how to” guides, help desk instructions and new hire guides.

In one investigation, the adversary accessed Azure Active Directory and performed bulk downloads of group members and users. By doing so, they were able to identify privileged users, along with the email addresses and AD attributes of all users within the victim tenant. Additional techniques employed by the adversary during this investigation included domain replication, lateral movement via Windows Management Instrumentation (WMI) using Impacket, SSH tunneling and various remote access tools.

In some investigations, the adversary downloaded tools using victim organization systems from sites such as file[.]io, GitHub, and paste[.]ee. The site transfer[.]sh was used by the adversary to perform data exfiltration of reconnaissance information.

In another investigation, an open source tool called aws_consoler was used by the adversary to create temporary federated credentials for non-existent users issued by identity and access management (IAM) users. Federated Credentials help obfuscate which AWS credential is compromised and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA.

Mitigations and Containment Measures

In all investigations performed by CrowdStrike incident responders, the faster the organization implemented swift and bold security measures, the faster the adversary activity ceased. These containment and mitigation measures focused on secure identity and MFA controls and configurations, as highlighted below.

Multifactor Authentication

• Implement MFA everywhere possible, especially for accounts that have access to third-party environments.
• Disable MFA simple push notifications in place of number-matching MFA where possible, or use One Time Passcodes with manual entry.
• Avoid unsupervised MFA self-enrollment or reset, and disallow any self-enrollment from external IP space.
• Allow only one trusted MFA device per user.
• Implement a global password reset and KRBTGT account reset twice per domain if compromise is suspected.

AWS Token Pivoting

• Ensure IMDSv2 is enabled on all EC2 instances to the extent possible (many products unfortunately still do not support v2).
• Enable GuardDuty in all active regions (GuardDuty has detections for abuse of EC2 instance credentials outside of an EC2 instance).
• Deprecate static IAM user access keys in favor of IAM roles where possible.

Azure

• Enforce Azure Conditional Access Policies (CAP):
  • Block legacy authentication
  • Restrict logon by geographic region
  • Enforce multifactor authentication for all users
  • Enforce compliant devices

Network Access Controls

• VPN host checking or other Network Access Control technology can limit the adversary’s ability to log in remotely from non-organizational hosts.

General Vigilance

• Ensure user accounts, especially those with access to sensitive company information and/or access to mobile carrier networks, are assigned Principle of Least Privilege policies within all identity management applications e.g., Active Directory, Group Policy Objects, Identity Access Management, etc.
• Due diligence should be performed by internal security teams to ensure company insiders remain at a minimal risk of purposely supporting the adversary.
• Be cognizant of endpoint security tool bypass attempts. In many of the investigations CrowdStrike performed, the adversary attempted to bypass AV or EDR security tools on the endpoints.

Indicators of Compromise (IOCs)

Many of the passwords, file names, ISPs and IOCs listed below have been observed across multiple investigations tracked in this campaign. Some of the passwords, file names and system-associated domains used by the adversary are inappropriate and xenophobic and have been omitted from this article.

Also of note is the campaign has used a minimal amount of command and control (C2) malware, and therefore there are few host-based IOCs. The theme of the tactics and techniques used has been identity-focused, where the adversary leverages compromised credentials to access SaaS applications, or perform remote access using the victim organization VPN or RMM tools to carry out their objectives.

While the IP addresses listed below were seen in use by the adversary, stand-alone indicator IPs are considered low-fidelity. CrowdStrike is sharing the list below to provide information that may lead to actionable queries for security teams, however hits on these IP addresses may not indicate true positives. As with implementing any network traffic restrictions, caution should be exercised if blocking any of the network-based IOCs.

Network-Based IOCs

Host-Based IOCs

Acknowledgements

CrowdStrike would like to thank all of the dedicated employees on the CrowdStrike Intelligence, Endpoint Recovery Services, Falcon OverWatch and Incident Response teams for supporting all of the investigations in this campaign, spending countless late nights, weekends and intense “firefights” detecting and mitigating active hands-on-keyboard activity.