Microsoft has revealed new cyber threat activity by a group dubbed GALLIUM that targets global telecommunication providers and unpatched web servers.
The Microsoft Threat Intelligence Center (MSTIC) has observed GALLIUM activity targeting unpatched web servers with WildFly/JBoss vulnerabilities.
Microsoft described the attack in a blog post published on Thursday:
“To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allows for lateral movement across the target network. Within compromised networks, GALLIUM makes no attempt to obfuscate their intent and are known to use common versions of malware and publicly available toolkits with small modifications. The operators rely on low cost and easy to replace infrastructure that consists of dynamic-DNS domains and regularly reused hop points.”
Microsoft added that most of the GALLIUM activity had occurred throughout 2018 and into mid-2019. Although there are still some active attacks, activity has tapered off recently.
After researching GALLIUM’s profile and historical activity, Microsoft said it is likely the group uses open source research (such as public websites and social media outlets) and network scanning tools to identify likely targets in the telecom industry.
Once the attackers have compromised external-facing web servers, they install additional tools to pivot and move laterally within the victim’s network.
Microsoft has provided a sampling of the common tools used in GALLIUM attacks (along with the purpose of each tool):
- HTRAN (Connection bouncer to proxy connections).
- Mimikatz (Credential dumper).
- NBTScan (Scanner for open NETBIOS nameservers on a local or remote TCP/IP network).
- Netcat (Reads from and writes to network connections using TCP or UDP protocols).
- PsExec (Executes a command line process on a remote machine).
- Windows Credential Editor (Credential dumper).
- WinRAR (Archiving utility).
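The tool list above is useful to a defender mainly as a set of hunting indicators, and the chain Microsoft describes (credential dumping followed by lateral movement on the same host) is more telling than any single tool name, since attackers rename binaries. The following script is an added example, not code from Microsoft or from the blog post: it parses a few constructed process-creation log lines, matches the listed tools by image name or command line (the filenames used are assumptions about how these tools commonly appear, not values from the page), and escalates the alert when a credential dumper is followed within an assumed 30-minute window by a discovery, proxy or lateral-movement tool on the same host.

```python
"""Hypothetical hunting script for the GALLIUM tool list.

Added example, not Microsoft's code.  Log format, tool filenames and the
30-minute correlation window are all assumptions made for illustration.
"""
import re
from datetime import datetime, timedelta

# Indicators for the tools named in the report.  Filenames are assumptions;
# a renamed binary will not match, which is why the chain logic below matters.
TOOL_SIGNATURES = {
    "mimikatz": ("credential_access", re.compile(r"mimikatz", re.I)),
    "wce":      ("credential_access", re.compile(r"\bwce(?:64)?\.exe", re.I)),
    "psexec":   ("lateral_movement",  re.compile(r"\bpsexe(?:c|svc)(?:64)?\.exe", re.I)),
    "netcat":   ("lateral_movement",  re.compile(r"\b(?:nc|ncat|netcat)(?:64)?\.exe", re.I)),
    "htran":    ("proxy",             re.compile(r"\bhtran", re.I)),
    "nbtscan":  ("discovery",         re.compile(r"\bnbtscan", re.I)),
    "winrar":   ("collection",        re.compile(r"\b(?:winrar|rar)\.exe", re.I)),
}

# Categories that, following a credential dump on the same host, raise severity.
FOLLOW_ON = {"lateral_movement", "discovery", "proxy"}
DEFAULT_WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample log (not real telemetry).  One benign line, one chain on
# WEB01, one netcat start outside the window, and a lone WinRAR run on HR07.
SAMPLE_LOG = r"""
2019-06-03T10:15:02 host=WEB01 user=svc_web image=C:\Windows\System32\notepad.exe cmdline="notepad.exe"
2019-06-03T10:20:11 host=WEB01 user=svc_web image=C:\Windows\Temp\mimikatz.exe cmdline="mimikatz.exe"
2019-06-03T10:26:40 host=WEB01 user=svc_web image=C:\Windows\Temp\nbtscan.exe cmdline="nbtscan.exe 10.0.0.0/24"
2019-06-03T10:31:05 host=WEB01 user=admin image=C:\Windows\Temp\PsExec.exe cmdline="PsExec.exe \\FILE01 cmd.exe"
2019-06-03T12:05:00 host=WEB01 user=admin image=C:\Windows\Temp\nc.exe cmdline="nc.exe"
2019-06-03T14:02:00 host=HR07 user=jdoe image=C:\Program Files\WinRAR\WinRAR.exe cmdline="WinRAR.exe a report.rar"
"""

LINE_RE = re.compile(
    r'^(?P<time>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>.+?) cmdline="(?P<cmdline>[^"]*)"\s*$'
)


def parse_event(line):
    """Parse one process-creation line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.fromisoformat(ev["time"])
    return ev


def classify(ev):
    """Return (tool, category) pairs whose indicator matches image or command line."""
    haystack = f"{ev['image']} {ev['cmdline']}"
    return [(tool, cat) for tool, (cat, pat) in TOOL_SIGNATURES.items()
            if pat.search(haystack)]


def detect(lines, window=DEFAULT_WINDOW):
    """Emit one alert per tool match; escalate follow-on tools seen on a host
    within `window` of a credential dumper on that same host."""
    alerts = []
    last_cred_dump = {}  # host -> (time, tool)
    for raw in lines:
        ev = parse_event(raw)
        if ev is None:
            continue
        for tool, category in classify(ev):
            alert = {"time": ev["time"].isoformat(), "host": ev["host"],
                     "user": ev["user"], "tool": tool, "category": category,
                     "severity": "medium", "chain": None}
            if category == "credential_access":
                last_cred_dump[ev["host"]] = (ev["time"], tool)
            elif category in FOLLOW_ON:
                prior = last_cred_dump.get(ev["host"])
                if prior and ev["time"] - prior[0] <= window:
                    alert["severity"] = "high"
                    alert["chain"] = f"{prior[1]} -> {tool}"
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.strip().splitlines()):
        print(f"{a['time']} {a['host']:6} {a['severity']:6} {a['tool']:9} chain={a['chain']}")
```

On the sample log the mimikatz run on WEB01 is a medium alert on its own, the nbtscan and PsExec runs that follow it within the window are escalated to high with the chain recorded, the later netcat start falls outside the window and stays medium, and the WinRAR run on HR07 is reported at medium only, since an archiver by itself is a weak signal. In a real deployment the name-based indicators would be replaced by richer telemetry (file hashes, original filename metadata, named pipes), but the correlation structure stays the same.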
Organizations are further encouraged to implement “active defenses to secure the broader ecosystem” against these types of cyber attacks, for instance by patching any widely known vulnerabilities.
Readers can review the entire Microsoft blog post to get more details on the GALLIUM attacks.