TELECOM SERVICE PROVIDER’S BACKDOOR
In the cyber world there is a backdoor to everything, and wherever there is presumed to be none, the hackers' collective will create one. At times one feels the world is at the mercy of hackers: they can hack everything, yet they don't end up doing it, for reasons best known to them. Perhaps it is that very faint chance of getting caught. After the International Criminal Court, now there is news that hackers are backdooring telecom providers with the new HTTPSnoop malware. Given the role telecoms play as the most critical of critical infrastructure, it was bound to happen.
It was never a question of whether it would happen, but simply one straight question: when? Now it has happened. New malware named HTTPSnoop and PipeSnoop is being used in cyberattacks on telecommunications service providers in the Middle East, enabling the hackers to remotely execute commands on infected devices. Even the uninitiated in the field of cyber security would be able to fathom the immense damage it can do. The setup is as good as totally exposed. What does the HTTPSnoop malware do?
“The HTTPSnoop malware interfaces with Windows HTTP kernel and devices to execute content on the infected endpoint based on specific HTTP(S) URLs.” Then PipeSnoop comes into action. This malware accepts and executes arbitrary shellcode from a named pipe. Both belong to the same intrusion set, named ‘ShroudedSnooper’. The beauty of the hack lies in the nature of the evasion practiced. “Both the implants are masqueraded as security components of the Palo Alto Networks Cortex XDR product to evade detection.” Low-level Windows APIs are used to monitor HTTP(S) traffic on an infected device for specific URLs. As per Cisco, there are three variants of HTTPSnoop.
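As an added example, not code from this post or from Cisco, the PowerShell below takes the defender's view of the two points just described: it lists the URLs currently registered with the Windows HTTP kernel driver (HTTP.sys), maps each to the process that owns it, and for any owner outside an assumed allowlist checks the code signature, flagging a binary whose name or file description claims to be a Cortex XDR or Palo Alto component without being signed by Palo Alto Networks. The allowlist, the Cortex/Palo Alto name pattern and the text layout of the netsh output are assumptions.

```powershell
# Added example, not code from the article or from Cisco. Enumerates the URLs
# registered with HTTP.sys, maps each to the process that registered it, and
# reports owners outside an assumed allowlist with their Authenticode signer.
# Run in an elevated session. Assumption: the layout of
# "netsh http show servicestate view=requestq" lists "Process IDs:" before "Registered URLs:".

# Assumption: processes that legitimately own HTTP.sys URLs on a typical host.
$KnownOwners = @('System', 'svchost', 'w3wp', 'WmiPrvSE')

$lines  = & netsh http show servicestate view=requestq 2>$null
$pids   = @(); $inPids = $false; $inUrls = $false
$urlOwners = foreach ($line in $lines) {
    $t = $line.Trim()
    if     ($t -match '^Request queue name:')   { $pids = @(); $inPids = $false; $inUrls = $false }
    elseif ($t -match '^Process IDs:')          { $inPids = $true;  $inUrls = $false }
    elseif ($t -match '^Registered URLs:')      { $inUrls = $true;  $inPids = $false }
    elseif ($inPids -and $t -match '^\d+$')     { $pids += [int]$t }                 # one PID per line
    elseif ($inUrls -and $t -match '^HTTPS?://') {
        foreach ($procId in @(if ($pids.Count) { $pids } else { $null })) {          # keep orphan URLs visible
            $proc = if ($null -ne $procId) { Get-Process -Id $procId -ErrorAction SilentlyContinue }
            [pscustomobject]@{
                Url     = $t
                OwnerId = $procId
                Process = if ($proc) { $proc.Name } else { '<none>' }
                Path    = if ($proc) { $proc.Path } else { $null }
            }
        }
    }
    elseif ($t -ne '') { $inPids = $false; $inUrls = $false }                       # other text ends a list
}

# Anything outside the allowlist gets a signature check; a file that names Cortex XDR / Palo Alto
# but is not signed by Palo Alto Networks matches the masquerade described (pattern is an assumption).
$urlOwners | Where-Object { $_.Process -notin $KnownOwners } | ForEach-Object {
    $sig    = if ($_.Path) { Get-AuthenticodeSignature -FilePath $_.Path } else { $null }
    $desc   = if ($_.Path) { (Get-Item $_.Path -ErrorAction SilentlyContinue).VersionInfo.FileDescription }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $claims = ("$($_.Path) $desc") -match 'Cortex|Palo ?Alto'
    [pscustomobject]@{
        Url        = $_.Url
        OwnerId    = $_.OwnerId
        Process    = $_.Process
        Path       = $_.Path
        SigStatus  = if ($sig) { $sig.Status } else { 'n/a' }
        Signer     = $signer
        Masquerade = $claims -and ($signer -notmatch 'Palo Alto Networks')
    }
} | Format-Table -AutoSize
```

Rows with an unexpected owner, an invalid signature, or Masquerade set to True are the ones to pull the binary and inspect.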
The three variants were sampled between April 17 and April 29, 2023. The most recent one reportedly listens for the fewest URLs; the logic claimed behind this is increased stealth. Given the sophistication of these hacks, the question again arises: why telecommunications? Telecom service providers generally end up as targets of state-sponsored threat actors because of their role in running critical infrastructure. Behind any critical infrastructure today lies a critical telecom infrastructure, itself a critical element of the information infrastructure. These networks relay extremely critical information. The surge of attacks on telecom entities emphasizes the dire need for enhanced security measures. International collaboration, with the intention of safeguarding them, can be a beginning.
WITH TELECOM SERVICE PROVIDERS UNDER SERIOUS CYBER RISK, EVERYTHING CRITICAL IS PUT TO IMMENSE RISK POSSIBLY OF THE WORST MAGNITUDE.
Have a nice evening.