The telecommunication and Business Process Outsourcing (BPO) industries are the new targets of a persistent intrusion campaign by SIM-swapping hackers.
Tim Parisi, a researcher at cybersecurity technology company CrowdStrike, said that the end objective of this hacking campaign is to gain access to mobile carrier networks and perform SIM-swapping activities.
The financially motivated attacks have been attributed by the cybersecurity company to an actor tracked as Scattered Spider. Initial access to the target environment is said to be undertaken through a variety of methods ranging from social engineering using phone calls and messages sent via Telegram to impersonate IT personnel.
In an alternative infection chain observed by CrowdStrike, a user’s stolen credentials previously obtained through unknown means were used by the adversary to authenticate to the organization’s Azure tenant.
Another instance involved the exploitation of a now-patched critical remote code execution bug in ForgeRock OpenAM access management solution (CVE-2021-35464) that came under active exploitation last year.
Other attacks also entailed gaining access to the compromised entity’s multi-factor authentication (MFA) console to enroll their own devices and assign them to the users whose credentials had been previously captured.
This technique allowed Scattered Spider to establish a deeper level of persistence through legitimate remote access tools such as AnyDesk, LogMeIn, and ConnectWise Control (formerly ScreenConnect) to avoid raising red flags.
“These campaigns are extremely persistent and brazen,” Parisi noted.
“Once the adversary is contained or operations are disrupted, they immediately move to target other organizations within the telecom and BPO sectors,” he added.