
Sea Turtle Hackers Spy on Dutch ISPs and Telecommunication Companies – Source: heimdalsecurity.com


Source: heimdalsecurity.com – Author: Livia Gyongyoși

The Turkish state-backed group Sea Turtle has shifted its focus to internet service providers (ISPs), telcos, media, and Kurdish websites.

Sea Turtle exploits known vulnerabilities and compromised accounts to gain initial access. DNS hijacking and traffic redirection that leads to man-in-the-middle attacks are among their cyber espionage techniques.

Their goal is to collect economic and political intelligence for Turkey.

How do the Sea Turtle attacks work

To gain initial access, the threat actors compromise cPanel accounts and use SSH to advance into the system.

The novelty is that the group uses “SnappyTCP” for various purposes. The tool is an open-source reverse TCP shell for Linux systems. Its main uses in Sea Turtle’s cyber espionage campaigns are:

The tool is started with the ‘nohup’ command so that it remains active on the system as a persistent backdoor and is not terminated even when the threat actors have logged out.

Source – BleepingComputer.com

The researchers also found the Adminer database management tool installed in the public directory of one of the compromised cPanel accounts. This means hackers achieved persistent data access and were able to run SQL commands.
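A host-side check for the nohup persistence described above, as an added example that is not part of the original article: on Linux it reads `/proc/<pid>/status` and flags user-owned processes that ignore SIGHUP and have been re-parented to PID 1. The UID threshold and the two sample status records are assumptions constructed for illustration; legitimate jobs started with nohup also match, so hits are leads to review.

```python
import glob

SIGHUP = 1            # signal number; SigIgn bit index is SIGHUP - 1
MIN_USER_UID = 1000   # assumption: hosting-account users start at UID 1000

def parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def ignores_sighup(fields):
    """nohup sets SIGHUP to ignored before exec; that shows up in SigIgn."""
    return bool(int(fields.get("SigIgn", "0"), 16) & (1 << (SIGHUP - 1)))

def is_candidate(fields):
    """Heuristic: user-owned, orphaned to PID 1, and ignoring SIGHUP."""
    uid = int(fields.get("Uid", "0").split()[0])   # first value = real UID
    return (ignores_sighup(fields)
            and fields.get("PPid") == "1"
            and uid >= MIN_USER_UID)

def scan_proc(pattern="/proc/[0-9]*/status"):
    """Return (pid, name) for every live process matching the heuristic."""
    hits = []
    for path in glob.glob(pattern):
        try:
            with open(path) as fh:
                fields = parse_status(fh.read())
        except OSError:          # process exited between glob and open
            continue
        if is_candidate(fields):
            hits.append((int(fields["Pid"]), fields.get("Name", "?")))
    return hits

# Constructed samples (not from the incident): a job left running with nohup
# after logout, and an ordinary interactive shell under sshd.
SAMPLE_NOHUP = "Name:\tworker\nPid:\t4242\nPPid:\t1\nUid:\t1001\t1001\t1001\t1001\nSigIgn:\t0000000000000001\n"
SAMPLE_SHELL = "Name:\tbash\nPid:\t4300\nPPid:\t4299\nUid:\t1001\t1001\t1001\t1001\nSigIgn:\t0000000000380004\n"

if __name__ == "__main__":
    for pid, name in scan_proc():
        print(f"review pid={pid} name={name}")
```

For each hit, compare the process's open sockets and binary path against what the account is expected to run before treating it as a backdoor.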

How to keep data safe from Sea Turtle hackers

Like most threat actors, the Sea Turtle group uses known, unpatched vulnerabilities to breach systems.

Besides putting an effective patch management process in place, you should also:


Original Post URL: https://heimdalsecurity.com/blog/sea-turtle-dutch-isps/
