In this attack campaign, the adversary is persistent in its attempts to gain access to victim environments and, once access is gained, operates constantly (typically daily) inside the target environment. Organizations should implement containment and mitigation actions quickly if this adversary is found in the environment. In multiple investigations, CrowdStrike observed the adversary become even more active when mitigation measures were implemented slowly, setting up additional persistence mechanisms such as VPN access and/or multiple RMM tools.
REFERENCE: https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
TAGS: phishing, social engineering, mfa fatigue, credential harvesting, impersonation, mobile networks, remote access trojan, rmm tools, reverse proxy, vpn, sim swapping
INDUSTRIES: Telecom, Telecommunications
ATT&CK IDS: T1040 - Network Sniffing, T1036 - Masquerading, T1134 - Access Token Manipulation, T1566 - Phishing, T1090 - Proxy, T1190 - Exploit Public-Facing Application, T1219 - Remote Access Software, T1078 - Valid Accounts, T1046 - Network Service Scanning, T1593 - Search Open Websites/Domains, T1210 - Exploitation of Remote Services
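The summary above notes that the adversary layers multiple RMM tools onto compromised hosts as persistence (ATT&CK T1219). One practical hunt for that pattern is to count distinct RMM products per host from process-creation telemetry and flag any host running more than one, or any product outside the organization's sanctioned set. The following is an added example for this page, not code from CrowdStrike or from the referenced report; the RMM binary-to-product map, the sanctioned set (TeamViewer only) and the JSON event lines are constructed for illustration and should be replaced with your own inventory and telemetry format.

```python
"""Hunt for hosts running several or unsanctioned RMM tools.

Added example for this page; not from the CrowdStrike report.
ASSUMPTION: the product map, sanctioned set and event lines below are illustrative.
"""
import json
from collections import defaultdict

# ASSUMPTION: illustrative map of process image names to RMM products.
# The page does not name specific tools; build this from your own environment.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "ateraagent.exe": "Atera",
    "srservice.exe": "Splashtop",
    "ltsvc.exe": "ConnectWise Automate",
}

# Constructed sample process-creation events (JSON lines), not real telemetry.
SAMPLE_EVENTS = r"""
{"host": "WS-017", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "user": "jdoe"}
{"host": "WS-017", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "user": "jdoe"}
{"host": "WS-017", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "user": "jdoe"}
{"host": "WS-022", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "user": "asmith"}
{"host": "SRV-03", "image": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe", "user": "SYSTEM"}
"""


def image_basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rmm_tools_by_host(events):
    """Map each host to the set of distinct RMM products seen executing on it."""
    seen = defaultdict(set)
    for ev in events:
        product = RMM_BINARIES.get(image_basename(ev["image"]))
        if product:
            seen[ev["host"]].add(product)
    return dict(seen)


def flag_hosts(events, sanctioned=frozenset({"TeamViewer"}), max_tools=1):
    """Flag hosts with any unsanctioned RMM product or more than max_tools products.

    ASSUMPTION: TeamViewer is the only approved RMM tool in this illustrative org.
    Stacked RMM tools on one host are a persistence signal worth triaging quickly.
    """
    findings = {}
    for host, tools in rmm_tools_by_host(events).items():
        unsanctioned = tools - sanctioned
        if unsanctioned or len(tools) > max_tools:
            findings[host] = {
                "tools": sorted(tools),
                "unsanctioned": sorted(unsanctioned),
            }
    return findings


if __name__ == "__main__":
    for host, finding in flag_hosts(parse_events(SAMPLE_EVENTS)).items():
        print(host, finding)
```

Run against the constructed sample, WS-017 is flagged for stacking AnyDesk on top of the sanctioned TeamViewer, SRV-03 is flagged for a single unsanctioned agent, and WS-022 (sanctioned tool only) is not reported. In a real deployment, feed this from EDR process events or Sysmon Event ID 1 exports and pair the per-host view with a time window so a freshly added tool after a containment action stands out.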