SIM-swapping hackers have been targeting telecom and BPO companies in a trend that has been observed at least since June 2022.
Tim Parisi, a researcher with CrowdStrike, reported last week: “The end objective of this campaign appears to be to gain access to mobile carrier networks and, as evidenced in two investigations, perform SIM swapping activity.”
The cybersecurity company attributes the SIM-swapping attacks to Scattered Spider, a financially motivated actor.
According to the report, initial access to a target environment is most often gained through social engineering, either by phone calls or by Telegram messages from someone impersonating IT personnel.
This is used to direct victims to a credential-harvesting site or to trick them into installing remote monitoring and management (RMM) software such as Zoho Assist and Getscreen.me.
For accounts protected with two-factor authentication (2FA), two attack strategies might be employed: persuading the victim to share their one-time password, or prompt bombing, a method that was used in the recent breaches of Cisco and Uber.
In one of CrowdStrike’s recent incidents, the adversary used a user’s stolen credentials to get into the organization’s Azure account.
Another incident involved exploitation of a critical remote code execution bug in ForgeRock’s OpenAM access management solution (CVE-2021-35464), which came under active exploitation last year.
The attacks also involved Scattered Spider gaining access to the compromised entity’s MFA console to enroll their own devices, giving them persistent remote access through legitimate remote access tools without raising red flags.
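As an added example that is not part of this article or of CrowdStrike’s report, the following Python flags the two patterns described above in a constructed MFA event log (the log format and field names are an assumption): a burst of push prompts ending in an approval, followed shortly by a new device enrollment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA events (not from any real incident).
# Assumed format: timestamp user event result
SAMPLE_EVENTS = """\
2022-11-14T02:11:05 alice push_sent denied
2022-11-14T02:11:40 alice push_sent denied
2022-11-14T02:12:12 alice push_sent timeout
2022-11-14T02:12:50 alice push_sent denied
2022-11-14T02:13:30 alice push_sent approved
2022-11-14T02:20:02 alice device_enrolled success
2022-11-14T09:00:00 bob push_sent approved
2022-11-14T09:05:00 bob push_sent approved
"""


def parse_events(text):
    """Parse the assumed whitespace-separated log format into tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event, result = line.split()
        events.append((datetime.fromisoformat(ts), user, event, result))
    return events


def detect_mfa_abuse(events, min_prompts=3, window=timedelta(minutes=10)):
    """Flag users who received min_prompts or more push prompts inside one
    window (prompt bombing) and report whether an approval and a new device
    enrollment followed within a further window (persistence via the MFA console)."""
    by_user = defaultdict(list)
    for ts, user, event, result in sorted(events):
        by_user[user].append((ts, event, result))
    findings = {}
    for user, rows in by_user.items():
        pushes = [ts for ts, ev, _ in rows if ev == "push_sent"]
        for start_ts in pushes:
            burst = [t for t in pushes if start_ts <= t <= start_ts + window]
            if len(burst) < min_prompts:
                continue
            start, end = burst[0], burst[-1]
            approved = any(ev == "push_sent" and res == "approved"
                           and start <= ts <= end + window for ts, ev, res in rows)
            enrolled = any(ev == "device_enrolled" and end <= ts <= end + window
                           for ts, ev, _ in rows)
            findings[user] = {"prompts": len(burst), "approved": approved,
                              "enrolled_new_device": enrolled}
            break  # one finding per user is enough for an alert
    return findings
```

A finding with both flags set is the sequence worth paging on: the user eventually approved a flood of prompts and a new MFA device appeared minutes later.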
The adversary’s toolkit covers initial access and persistence steps as well as reconnaissance of Windows, Linux, Google Workspace, Azure Active Directory, Microsoft 365, and AWS environments; in select cases the adversary also performs lateral movement to download VPN and MFA enrollment data.
“These campaigns are extremely persistent,” Parisi stated. “Once the adversary is contained or operations disrupted, they immediately move to target other organizations within the telecom and BPO sectors.”