ShroudedSnooper Threat Actors Target Telecom Companies in the Middle East

Cyber Security Threat Summary:
Telecommunications companies have increasingly become the focus of state-sponsored actors and advanced adversaries in recent years. In 2022, the telecommunications sector consistently ranked as one of the most targeted verticals in Talos IR (Incident Response) engagements. Telecom companies control critical infrastructure assets, which make them attractive targets for adversaries seeking to create significant disruptions. These organizations often serve as the backbone for national satellite, internet, and telephone networks, upon which both private and government services rely. Furthermore, telecom companies can serve as entry points for attackers to gain access to other businesses, subscribers, or third-party providers. One notable aspect of ShroudedSnooper's activities is their masquerade as a security component, particularly using the names "HTTPSnoop" and "PipeSnoop" to mimic components of Palo Alto Networks' Cortex XDR application. These malicious implants pretend to be part of Cortex XDR, using filenames like "CyveraConsole.exe" to appear legitimate. However, the versions of HTTPSnoop and PipeSnoop discovered had altered compile timestamps but mimicked Cortex XDR agent version, released in August 2022 and decommissioned in April 2023. The group used a couple tools to compromise networks:

  • HTTPSnoop - A backdoor that interacts with the HTTP device on the infected system using low-level Windows APIs. It binds to specific HTTP(S) URL patterns and listens for incoming requests, decoding accompanying data, which often contains shellcode executed on the compromised endpoint. HTTPSnoop variants include those listening for generic HTTP URLs, URLs resembling Microsoft's Exchange Web Services (EWS) API, and URLs related to OfficeCore's Location Based Services (LBS) and telephony applications.
  • PipeSnoop - A simple implant designed to execute arbitrary shellcode payloads on infected endpoints by reading from an Inter-Process Communication (IPC) pipe. Unlike HTTPSnoop, PipeSnoop doesn't initiate incoming connections but connects to pre-existing named pipes on the system. It is likely intended for use within compromised enterprise environments.
Security Officer Comments:
The motive behind these attacks is likely multifaceted. Telecommunications companies control critical infrastructure assets, making them high-priority targets for adversaries. These attacks can be driven by espionage, disruption of services, or gaining access to valuable information and networks, given the strategic importance of telecom entities in modern communication and connectivity. Additionally, state-sponsored actors and advanced adversaries may be involved in these attacks for geopolitical and economic reasons. Suggested Correction(s):
Multi-layered security, also known as defense-in-depth, is important because it provides a comprehensive approach to safeguarding computer systems, networks, and data from a wide range of threats and attacks like these. Link(s):