Telecommunication, media, internet service providers (ISPs), information technology (IT) service companies, and Kurdish websites in the Netherlands have been targeted as part of a new cyber espionage campaign undertaken by a Türkiye-nexus threat actor known as Sea Turtle.
"The infrastructure of the targets was susceptible to supply chain and island-hopping attacks, which the attack group used to collect politically motivated information such as personal data on minority groups and potential political dissents," Dutch security firm Hunt & Hackett said in a Friday analysis.
"The stolen information is likely to be exploited for surveillance or intelligence gathering on specific groups and or individuals."
Sea Turtle, also known by the names Cosmic Wolf, Marbled Dust (formerly Silicon), Teal Kurma, and UNC1326, was first documented by Cisco Talos in April 2019, detailing state-sponsored attacks targeting public and private entities in the Middle East and North Africa.
Operations associated with the group are believed to have been ongoing since January 2017, primarily leveraging DNS hijacking to redirect prospective targets attempting to query a specific domain to an actor-controlled server capable of harvesting their credentials.
"The Sea Turtle campaign almost certainly poses a more severe threat than DNSpionage given the actor's methodology in targeting various DNS registrars and registries," Talos said at the time.
In late 2021, Microsoft noted that the adversary carries out intelligence collection to meet strategic Turkish interests from countries like Armenia, Cyprus, Greece, Iraq, and Syria, striking telecom and IT companies with an aim to "establish a foothold upstream of their desired target" via exploitation of known vulnerabilities.
Then last month, the adversary was revealed to be using a simple reverse TCP shell for Linux (and Unix) systems called SnappyTCP in attacks carried out between 2021 and 2023, according to the PricewaterhouseCoopers (PwC) Threat Intelligence team.
"The web shell is a simple reverse TCP shell for Linux/Unix that has basic [command-and-control] capabilities, and is also likely used for establishing persistence," the company said. "There are at least two main variants; one which uses OpenSSL to create a secure connection over TLS, while the other omits this capability and sends requests in cleartext."
The latest findings from Hunt & Hackett show that Sea Turtle continues to be a stealthy espionage-focused group, carrying out defense evasion techniques to fly under the radar and harvest email archives.
In one of the attacks observed in 2023, a compromised-but-legitimate cPanel account was used as an initial access vector to deploy SnappyTCP on the system. It's currently not known how the attackers obtained the credentials.
"Using SnappyTCP, the threat actor sent commands to the system to create a copy of an email archive created with the tool tar, in the public web directory of the website that was accessible from the internet," the company noted.
"It is highly likely that the threat actor exfiltrated the email archive by downloading the file directly from the web directory."
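The exfiltration pattern described above, an archive dropped into the public web directory and then fetched over HTTP, leaves a trace in ordinary web server access logs. The following detection script is an added example, not code from Hunt & Hackett or PwC; the log lines are constructed in Apache combined format, and the size threshold is an assumed tuning value.

```python
import re

# Constructed sample access-log lines (Apache combined format); not taken from the report.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2024:03:14:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2024:03:14:09 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jan/2024:03:20:41 +0000] "GET /mail-backup.tar HTTP/1.1" 200 734003200 "-" "curl/7.88.1"
198.51.100.23 - - [12/Jan/2024:03:25:02 +0000] "GET /old/site.zip HTTP/1.1" 404 512 "-" "curl/7.88.1"
"""

# Client IP, timestamp, request line, status and response size of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Archive extensions that do not normally belong in a site's public web root.
ARCHIVE_RE = re.compile(r'\.(tar|tar\.gz|tgz|tar\.bz2|zip|7z)$', re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def find_archive_downloads(log_text, min_bytes=10 * 1024 * 1024):
    """Return entries where an archive was successfully served from the web root.

    A large tar/zip fetched straight from a public directory is the pattern the
    report describes: an email archive written into the site's web directory and
    then downloaded. Failed requests (non-200) and small files are ignored so that
    ordinary 404 probing does not flood the output; min_bytes is an assumed threshold.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if (entry["method"] == "GET" and entry["status"] == 200
                and ARCHIVE_RE.search(entry["path"]) and entry["size"] >= min_bytes):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_archive_downloads(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} fetched {hit["path"]} ({hit["size"]} bytes)')
```

Pair this with a periodic scan of the web root for newly created archive files, since the log only shows the download after the fact.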
To mitigate the risks posed by such attacks, it's recommended that organizations enforce strong password policies, implement two-factor authentication (2FA), rate limit login attempts to reduce the chances of brute-force attempts, monitor SSH traffic, and keep all systems and software up-to-date.