October 17, 2023 at 02:09AM
Between May and September 2023, at least 11 telecommunication service providers in Ukraine were targeted by the threat actor tracked as UAC-0165, and the attacks caused service interruptions for their customers. The attackers carried out reconnaissance and exploitation from previously compromised servers and deployed specialized programs for credential theft and remote control. Ordinary VPN accounts that lacked multi-factor authentication gave them unauthorized access. Separately, four phishing waves delivering the SmokeLoader malware were also observed.
Meeting Notes:
– The Computer Emergency Response Team of Ukraine (CERT-UA) reported that between May and September 2023, 11 telecommunication service providers in Ukraine were targeted by threat actors known as UAC-0165.
– The attacks led to service interruptions for customers of the affected providers.
– The initial phase of the attacks involved scanning the network of telecom companies to identify exposed RDP or SSH interfaces.
– Reconnaissance and exploitation were carried out from compromised servers located in the Ukrainian segment of the internet; the attackers ran SOCKS5 proxy software such as Dante on these nodes to route their traffic through them.
– Two specialized programs called POEMGATE and POSEIDON were used in the attacks, enabling credential theft and remote control of infected hosts. A utility called WHITECAT was executed to clear the forensic trail.
– The attackers exploited regular VPN accounts without multi-factor authentication to gain persistent unauthorized access to the providers’ infrastructure.
– After a successful breach, MikroTik equipment and data storage systems were targeted and disabled.
– CERT-UA also observed four phishing waves in October 2023, carried out by a group known as UAC-0006, using the SmokeLoader malware.
– The phishing emails were sent from compromised legitimate email addresses, and SmokeLoader was delivered to victims’ PCs through various methods.
– The goal of the phishing attacks was to target accountants’ computers and steal authentication data or manipulate financial documents in remote banking systems for unauthorized payments.
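As an added detection example (not code from the CERT-UA report or from this post), the following Python correlates two constructed log samples: firewall denies that reveal a source sweeping internal hosts on RDP/SSH ports, and VPN logins that succeeded without a second factor, which are the two conditions the notes above describe. The log formats, field names and IP addresses are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample logs (illustrative only, not taken from the CERT-UA report).
FIREWALL_LOG = """\
2023-06-02T01:12:03Z deny src=203.0.113.7 dst=10.10.1.5 dport=3389
2023-06-02T01:12:04Z deny src=203.0.113.7 dst=10.10.1.6 dport=3389
2023-06-02T01:12:05Z deny src=203.0.113.7 dst=10.10.1.7 dport=22
2023-06-02T01:12:06Z deny src=203.0.113.7 dst=10.10.1.8 dport=22
2023-06-02T01:13:00Z deny src=198.51.100.4 dst=10.10.1.5 dport=443
"""
VPN_LOG = """\
2023-06-02T02:40:11Z vpn login user=jsmith src=203.0.113.7 mfa=no result=success
2023-06-02T02:41:02Z vpn login user=admin2 src=198.51.100.4 mfa=yes result=success
2023-06-02T03:10:44Z vpn login user=ops1 src=192.0.2.9 mfa=no result=success
"""

FW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
VPN_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) mfa=(?P<mfa>\S+) result=(?P<result>\S+)")
REMOTE_ADMIN_PORTS = {"22", "3389"}  # SSH and RDP, the exposed interfaces the actor scanned for

def find_scanners(fw_log, min_hosts=3):
    """Return source IPs that probed at least min_hosts distinct internal hosts on SSH/RDP ports."""
    targets = defaultdict(set)
    for m in FW_RE.finditer(fw_log):
        if m["dport"] in REMOTE_ADMIN_PORTS:
            targets[m["src"]].add(m["dst"])
    return {src for src, hosts in targets.items() if len(hosts) >= min_hosts}

def vpn_logins_without_mfa(vpn_log):
    """Return (user, src) pairs for successful VPN logins that completed without a second factor."""
    return [(m["user"], m["src"]) for m in VPN_RE.finditer(vpn_log)
            if m["result"] == "success" and m["mfa"] == "no"]

def correlate(fw_log, vpn_log):
    """Rank non-MFA VPN logins: 'high' when the same source also swept RDP/SSH, else 'medium'."""
    scanners = find_scanners(fw_log)
    return [{"user": u, "src": s, "severity": "high" if s in scanners else "medium"}
            for u, s in vpn_logins_without_mfa(vpn_log)]

if __name__ == "__main__":
    for alert in correlate(FIREWALL_LOG, VPN_LOG):
        print(alert)
```

Every non-MFA login is worth a ticket on its own; the correlation only decides which one an analyst looks at first.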