The Microsoft Threat Intelligence Center (MSTIC) issued an alert on December 12 warning that telecommunications providers are the target of a large-scale, sustained intrusion campaign run by a threat group Microsoft tracks as GALLIUM. MSTIC analysts reported that the group was conducting multiple concurrent attacks against providers in Southeast Asia, Europe and Africa, and that it gained its initial foothold by exploiting unpatched vulnerabilities in internet-facing systems running the WildFly/JBoss application server.
GALLIUM’s attack methodology
The group’s first step in an attack is to compromise an internet-facing system.
Once inside, GALLIUM harvests credentials using common tools and TTPs (tactics, techniques, and procedures), then uses the compromised domain credentials together with PsExec to move laterally across the network without further obstruction.
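The credential-theft-then-PsExec pattern above leaves a recognisable trail in Windows event logs: a network logon (4624, logon type 3) on the target host, a binary written to the ADMIN$ share (5145), and a new service installed (7045) within seconds. The following is an added example, not code from the Microsoft alert, that correlates those three records. The event dicts, hostnames, IP addresses and account names are all constructed for the example; the field names assume the records have already been parsed out of the Security and System logs.

```python
"""Correlate Windows event records to surface PsExec-style lateral movement.

Added example (not from the Microsoft alert). Assumes 4624, 5145 and 7045
records have already been parsed into dicts with the field names used below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Service names used by stock PsExec and common clones. A renamed copy (psexec -r)
# will not match this list, which is why the ADMIN$ write check exists as well.
KNOWN_PSEXEC_SERVICES = {"psexesvc", "paexec", "csexecsvc", "remcom"}
WINDOW = timedelta(seconds=120)  # how far back to look from the service install

# Constructed sample telemetry: two PsExec installs from one source, one benign install.
SAMPLE_EVENTS = [
    {"ts": "2019-12-01T10:00:00", "host": "DC01", "id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "src_ip": "10.1.5.23", "auth": "NTLM"},
    {"ts": "2019-12-01T10:00:02", "host": "DC01", "id": 5145, "share": "\\\\*\\ADMIN$",
     "target": "PSEXESVC.exe", "access": "WriteData", "src_ip": "10.1.5.23", "user": "CORP\\svc_backup"},
    {"ts": "2019-12-01T10:00:03", "host": "DC01", "id": 7045, "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe"},
    # Same source, second host, PsExec run with a renamed service (-r updsvc).
    {"ts": "2019-12-01T10:05:00", "host": "FS02", "id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "src_ip": "10.1.5.23", "auth": "NTLM"},
    {"ts": "2019-12-01T10:05:01", "host": "FS02", "id": 5145, "share": "\\\\*\\ADMIN$",
     "target": "updsvc.exe", "access": "WriteData", "src_ip": "10.1.5.23", "user": "CORP\\svc_backup"},
    {"ts": "2019-12-01T10:05:02", "host": "FS02", "id": 7045, "service": "updsvc",
     "image": "%SystemRoot%\\updsvc.exe"},
    # Benign: interactive logon, then a vendor agent installed half an hour later.
    {"ts": "2019-12-01T11:00:00", "host": "WS17", "id": 4624, "logon_type": 2,
     "user": "CORP\\alice", "src_ip": "-", "auth": "Kerberos"},
    {"ts": "2019-12-01T11:30:00", "host": "WS17", "id": 7045, "service": "AcmeAgent",
     "image": "C:\\Program Files\\Acme\\agent.exe"},
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _basename(image_path):
    # ImagePath may be quoted and may use %SystemRoot%; keep only the file name.
    return image_path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_psexec(events):
    """Return one alert per 7045 service install that looks like PsExec."""
    by_host = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e["id"] != 7045:
                continue
            t = _ts(e)
            recent = [x for x in evs[:i] if t - _ts(x) <= WINDOW]
            # A network logon from another machine must precede the install.
            logons = [x for x in recent if x["id"] == 4624 and x["logon_type"] == 3]
            if not logons:
                continue
            exe = _basename(e["image"])
            writes = [x for x in recent
                      if x["id"] == 5145 and x["share"].upper().endswith("ADMIN$")
                      and x["target"].lower() == exe and "WriteData" in x["access"]]
            if e["service"].lower() in KNOWN_PSEXEC_SERVICES:
                reason = "known PsExec service name"
            elif writes:
                reason = "service binary written to ADMIN$ right before install (renamed PsExec?)"
            else:
                continue
            src = logons[-1]
            alerts.append({"host": host, "ts": e["ts"], "service": e["service"],
                           "src_ip": src["src_ip"], "user": src["user"], "reason": reason})
    return alerts


def pivot_sources(alerts):
    """Group alerts by source IP: one source touching several hosts is the movement chain."""
    chains = defaultdict(set)
    for a in alerts:
        chains[a["src_ip"]].add(a["host"])
    return {ip: sorted(hosts) for ip, hosts in chains.items()}


if __name__ == "__main__":
    found = detect_psexec(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print(pivot_sources(found))
```

The second host in the sample shows why matching on the service name alone is not enough: a renamed PsExec produces no `PSEXESVC` string anywhere, but it still has to copy its service binary into ADMIN$ and register it, so the 5145 write followed by a 7045 install for the same file name is the more robust signal.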
In this campaign the group made little effort to disguise its activity from defenders: it openly deployed commodity malware and ordinary versions of publicly available toolkits on the compromised systems.
MSTIC analysts note that GALLIUM’s operations rely on low-cost, easily replaceable infrastructure, typically consisting of dynamic DNS domains and regularly reused hop points.
The group’s pattern is to compromise an internet-facing system first and then move laterally through the environment. Where stealth is required, it uses modified versions of these readily available tools to evade malware detection.
The following table lists some of the tools Microsoft has observed GALLIUM using:
GALLIUM relies on web shells (command-execution environments delivered as web files such as asp/aspx, php, jsp, or cgi scripts) to maintain a long-term presence on the target network and to deliver its second-stage malware reliably.
The attacker can use a web shell for a range of tasks, including enumerating local drives, performing basic file operations, setting file attributes, retrieving and deleting files, and running arbitrary commands on the infected device.
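Because a web shell is just a script that turns a request parameter into code execution, the cheapest hunt is to look in the web root for files that read request input and pass it to an execution or eval primitive. The following is an added example, not code from the Microsoft alert, that applies that heuristic across the asp/aspx, php, jsp and cgi families named above. The file paths and contents are constructed for the example; the patterns are deliberately generic rather than signatures for any particular shell.

```python
"""Hunt a web root for web shells: a file that reads request input AND hands it to
an exec/eval primitive is flagged. Added example, not from the Microsoft alert.
Assumes the caller has already read the candidate files into a {path: text} dict.
"""
import re
from pathlib import PurePosixPath

WEB_EXTS = {".asp", ".aspx", ".ashx", ".php", ".jsp", ".jspx", ".cgi", ".pl"}

# Ways a script reads attacker-controlled request data.
INPUT_PATTERNS = [
    r"Request\s*(\.Item)?\s*[\[(]",          # ASP/ASPX: Request["x"], Request.Item["x"], Request("x")
    r"Request\.(Form|QueryString)",          # ASP.NET collections
    r"\$_(GET|POST|REQUEST|COOKIE)\b",       # PHP superglobals
    r"request\.getParameter\s*\(",           # JSP
    r"\$(q|cgi)->param\s*\(",                # Perl CGI
]

# Ways a script turns a string into code or a process.
EXEC_PATTERNS = [
    r"\beval\s*\(",                                             # JScript / PHP eval
    r"\bExecute(Global)?\s*\(",                                 # VBScript
    r"\b(system|passthru|shell_exec|popen|proc_open)\s*\(",     # PHP / Perl
    r"Runtime\.getRuntime\(\)\.exec\s*\(",                      # Java
    r"ProcessBuilder\s*\(",                                     # Java
    r"Process\.Start\s*\(",                                     # .NET
]

# Constructed sample web root (not real files): four shells, two benign scripts, one image.
SAMPLE_FILES = {
    "/var/www/app/upload/cmd.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "/var/www/app/img/x.php":
        '<?php @eval($_POST["c"]); ?>',
    "/opt/jboss/standalone/deployments/app.war/help.jsp":
        '<%= new String(Runtime.getRuntime().exec(request.getParameter("cmd"))'
        '.getInputStream().readAllBytes()) %>',
    "/var/www/cgi-bin/stats.cgi":
        'use CGI; my $q = CGI->new; print system($q->param("host"));',
    "/var/www/app/search.jsp":                        # reads input, never executes it
        '<% String q = request.getParameter("q"); out.println(q); %>',
    "/var/www/app/cron.php":                          # executes a fixed command, no input
        "<?php shell_exec('/usr/bin/rotate-logs'); ?>",
    "/var/www/app/logo.png": "\x89PNG...",
}


def scan_file(path, content):
    """Return a finding dict for a suspicious script, or None."""
    if PurePosixPath(path).suffix.lower() not in WEB_EXTS:
        return None
    inputs = [p for p in INPUT_PATTERNS if re.search(p, content)]
    execs = [p for p in EXEC_PATTERNS if re.search(p, content)]
    if inputs and execs:
        verdict = "likely_webshell"      # request data flows into an execution primitive
    elif execs:
        verdict = "review"               # executes something, but not request-driven
    else:
        return None
    return {"path": path, "verdict": verdict, "input_hits": inputs, "exec_hits": execs}


def scan_webroot(files):
    """Scan a {path: content} mapping and return all findings, worst first."""
    findings = [f for f in (scan_file(p, c) for p, c in files.items()) if f]
    findings.sort(key=lambda f: (f["verdict"] != "likely_webshell", f["path"]))
    return findings


if __name__ == "__main__":
    for f in scan_webroot(SAMPLE_FILES):
        print(f["verdict"], f["path"])
```

The two benign samples show the reason for requiring both halves: a search page reads request input without executing it, and a maintenance script executes a hard-coded command without reading input, and neither should page an analyst. A real hunt would also weight the file's location (an upload directory or a WAR deployed under JBoss, as in the initial-access path described for this campaign) and its creation time relative to the rest of the application.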
In the second phase, the group deployed modified variants of the Gh0st RAT and Poison Ivy malware families, altered to evade detection on victim systems.
The following table lists the second-stage malware Microsoft observed GALLIUM using in these attacks:
Unlike many intrusion sets, GALLIUM does not appear to invest in developing its own custom malware; it relies instead on modified versions of publicly available tools.
By installing SoftEther VPN on an internal system, the group can maintain its connection into the network and tamper with tools already present there to evade malware detection, preparing the ground for the later stages of the attack.
An advanced persistent threat
In 2018, Cybereason Nocturnus, an Israeli cybersecurity firm, uncovered an advanced, ongoing attack against global telecommunications providers in which the attackers used tools and techniques commonly associated with APT10.
That multi-wave campaign focused on obtaining data on specific high-value individuals and, ultimately, on achieving a complete takeover of the provider’s network.
GALLIUM’s activity, including some of the domains it uses, overlaps with that campaign, Operation Soft Cell, which suggests that tooling associated with APT10, APT27, and APT40 may form part of the same overall operation.