Posted on December 13, 2019 at 3:40 PM
Microsoft has revealed that a hacking group known as Gallium is using malware to target telecommunications companies. According to the technology giant, the group has been active since last year, but its activity has declined in recent months. Microsoft said the group compromises networks with cheap, disposable tools rather than bespoke malware.
Microsoft further says that the group makes little effort to cover its tracks. It breaks into a network without much concern for whether it will be noticed or caught.
Microsoft has not determined whether the group also uses more advanced techniques, but its crude and noisy tactics have so far been effective.
The hackers look for vulnerable web servers and other internet-facing servers, such as JBoss (WildFly) application servers. When they find one, they break in using common, publicly known exploits rather than custom ones. Microsoft reiterated that the attackers go after unpatched systems they can exploit with little effort, and once inside they continue with other conventional methods. Microsoft pointed out that these hackers do not use phishing. According to Microsoft's threat intelligence unit, Gallium first installs web shells on the compromised server and then brings in tooling that gives it a foothold from which to explore and move further into the target network.
The company noted that Gallium does not really modify its tools to add custom functionality. Rather, it modifies them so that anti-malware products no longer recognize them.
The group uses several off-the-shelf tools, including WinRAR, Windows Credential Editor, PsExec, Netcat, NBTScan, Mimikatz, and HTRAN. Mimikatz is used to dump credentials from memory once the attackers are inside the company's servers, Microsoft explained. The group has built modified versions of these tools and signed them with stolen code-signing certificates.
Also, the group uses the IIS web shell BlackMould, the China Chopper web shell, the QuarkBandit backdoor, and a modified version of the Poison Ivy remote access tool to operate inside compromised networks.
Gallium also uses another tool, SoftEther VPN, which gives the hackers persistent remote access to the compromised network.
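The intrusion pattern described above (web shell on an internet-facing server, then cheap tooling launched from it) is what a defender would want to detect. The following Python script is an added example, not code from Microsoft's report or from this article: it runs a simple correlation over constructed IIS-style access-log lines and Sysmon-style process-creation events. The heuristics, the command-line signatures for each tool, the JBoss management paths and every sample log line are assumptions made for the example, and the renamed Mimikatz binary in the sample data illustrates why matching on command-line content rather than file name matters against tools modified to evade anti-malware.

```python
"""Toy detection of the GALLIUM-style chain: web shell POSTs on an exposed
server, followed by a web-server worker spawning a shell and running
off-the-shelf tools. All telemetry below is constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS-style access log: date time client-ip method path status referer
WEB_LOG = """
2019-12-01 10:00:01 198.51.100.7 GET /index.aspx 200 -
2019-12-01 10:00:05 198.51.100.7 GET /about.aspx 200 http://site.example/index.aspx
2019-12-01 10:02:10 203.0.113.9 GET /invoker/JMXInvokerServlet 200 -
2019-12-01 10:02:31 203.0.113.9 POST /images/help.aspx 200 -
2019-12-01 10:02:40 203.0.113.9 POST /images/help.aspx 200 -
2019-12-01 10:10:00 198.51.100.7 POST /contact.aspx 200 http://site.example/contact.aspx
"""

# Constructed Sysmon-style process creation events: time|parent|image|command line
# Third line is Mimikatz renamed to svchost.exe: the image name is useless,
# the command line still gives it away.
PROCESS_LOG = r"""
2019-12-01 10:02:35|w3wp.exe|cmd.exe|cmd.exe /c whoami
2019-12-01 10:02:41|w3wp.exe|cmd.exe|cmd.exe /c nbtscan.exe 10.0.0.0/24
2019-12-01 10:03:02|cmd.exe|svchost.exe|svchost.exe privilege::debug sekurlsa::logonpasswords exit
2019-12-01 10:05:15|cmd.exe|rar.exe|rar.exe a -hpS3cret out.rar C:\Users\svc\Documents
2019-12-01 10:06:00|explorer.exe|notepad.exe|notepad.exe report.txt
"""

WEB_SERVER_PROCS = {"w3wp.exe", "java.exe", "httpd.exe", "tomcat.exe"}  # should never spawn shells
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|jspx?|php)$", re.I)
JBOSS_MGMT = re.compile(r"^/(invoker|jmx-console|web-console)(/|$)", re.I)  # assumed paths
# Assumed command-line signatures for the tools named in the report.
TOOL_SIGNATURES = {
    "mimikatz": re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I),
    "nbtscan": re.compile(r"\bnbtscan\b", re.I),
    "psexec": re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I),
    "netcat": re.compile(r"\b(nc|ncat|netcat)(\.exe)?\s.*-(l|e)\b", re.I),
    "htran": re.compile(r"\bhtran\b|\s-(tran|slave|listen)\s+\d+", re.I),
    "wce": re.compile(r"\bwce(64)?(\.exe)?\b", re.I),
    "winrar staging": re.compile(r"\b(rar|winrar)(\.exe)?\s+a\s+.*-hp", re.I),  # password-protected archive
}

def parse_web_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, ip, method, path, status, referer = line.split()
        events.append({"ts": datetime.fromisoformat(f"{date} {clock}"), "ip": ip,
                       "method": method, "path": path, "status": int(status), "referer": referer})
    return events

def parse_process_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "parent": parent.lower(),
                       "image": image.lower(), "cmdline": cmdline})
    return events

def find_exposed_mgmt_requests(web_events):
    """Clients touching JBoss management/invoker endpoints on an internet-facing host."""
    return sorted({(e["ip"], e["path"]) for e in web_events if JBOSS_MGMT.search(e["path"])})

def find_web_shell_posts(web_events):
    """Script files that only ever receive referer-less POSTs from one client.
    A real page is browsed (GET) and submitted with a Referer; a dropped web
    shell is only driven by its operator with bare POSTs."""
    stats = defaultdict(lambda: {"methods": set(), "ips": set(), "has_referer": False})
    for e in web_events:
        if not SCRIPT_EXT.search(e["path"]):
            continue
        s = stats[e["path"]]
        s["methods"].add(e["method"])
        s["ips"].add(e["ip"])
        if e["referer"] != "-":
            s["has_referer"] = True
    return sorted(p for p, s in stats.items()
                  if s["methods"] == {"POST"} and not s["has_referer"] and len(s["ips"]) == 1)

def classify_process(e):
    findings = []
    if e["parent"] in WEB_SERVER_PROCS and e["image"] in SHELLS:
        findings.append("web server spawned shell")
    findings += [f"tool: {name}" for name, rx in TOOL_SIGNATURES.items() if rx.search(e["cmdline"])]
    return findings

def correlate(web_events, proc_events, window=timedelta(seconds=60)):
    """Tie each suspicious process back to the most recent web-shell POST within the window."""
    shells = set(find_web_shell_posts(web_events))
    posts = [e for e in web_events if e["path"] in shells and e["method"] == "POST"]
    alerts = []
    for p in proc_events:
        findings = classify_process(p)
        if not findings:
            continue
        prior = [w for w in posts if timedelta(0) <= p["ts"] - w["ts"] <= window]
        source = prior[-1] if prior else None
        alerts.append({"ts": p["ts"].isoformat(sep=" "), "image": p["image"], "findings": findings,
                       "severity": "high" if source and "web server spawned shell" in findings else "medium",
                       "web_shell": source["path"] if source else None,
                       "operator_ip": source["ip"] if source else None})
    return alerts

if __name__ == "__main__":
    web, procs = parse_web_log(WEB_LOG), parse_process_log(PROCESS_LOG)
    print("management endpoint hits:", find_exposed_mgmt_requests(web))
    for a in correlate(web, procs):
        print(a)
```

The useful output is the correlation: the two shells spawned by w3wp.exe are tied to the POSTs against /images/help.aspx from 203.0.113.9 and rated high, the renamed Mimikatz is still caught by its command line, and the WinRAR staging four minutes later falls outside the window and is reported on its own. The POST to /contact.aspx carries a Referer and is not flagged, which is the false-positive case the heuristic is built to avoid.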
The activity of the group has declined recently
Microsoft also stated that the group's activity has dropped considerably in recent months. The technology giant hopes that by publishing details of the group's tools and techniques, it will help others detect the group on their networks in time.
Similar attack reported back in April
Microsoft reported that a similar attack on vulnerable internet-facing devices occurred earlier in the year, in April. However, the company stated that Gallium was not responsible for that attack. The compromised devices were a VOIP phone, an office printer, and a video decoder.
Microsoft said the devices were used as entry points at several customer locations, giving the attackers a foothold from which to reach other systems on those networks. That attack was carried out by a Russian group that Microsoft tracks as Strontium (also known as APT28), which Microsoft says operates on behalf of the Russian government.
The activities of hackers getting more serious by the day
Microsoft said that over the previous year alone it had delivered nearly 1,400 nation-state attack notifications related to Strontium. About one in five went to non-governmental organizations, think tanks, and politically affiliated organizations. The rest went to organizations in government and in sectors such as engineering, medicine, technology, and defense.
Microsoft is warning server owners to stay alert, because these attackers leave no avenue untried in their efforts to break into any exposed server they can reach.
The company reiterated that Gallium's activity has dropped off sharply, but organizations should still take steps to prevent similar attacks in the future, in particular keeping internet-facing servers patched and watching for web shells and dual-use tools on them.