New Backdoors Discovered in Telecom Firms: Researchers have uncovered two previously unknown backdoors built to maintain persistent access inside the networks of telecom companies in the Middle East.
The implants, named HTTPSnoop and PipeSnoop, masquerade as components of Palo Alto Networks’ Cortex XDR security agent. The disguise borrows the product’s name and appearance so that the implant blends in on a host where the agent is expected; it does not indicate a flaw in Cortex XDR itself.
Key Takeaways:
- Researchers have identified two new backdoor implants, HTTPSnoop and PipeSnoop, deployed inside the infrastructure of telecom firms in the Middle East.
- HTTPSnoop uses low-level Windows APIs to talk directly to the system’s HTTP device, registers URL patterns on it, and decodes the data of matching incoming requests into shellcode that it executes.
- PipeSnoop takes a different route: it reads shellcode payloads from existing Windows IPC (named) pipes and executes them on the compromised endpoint, which points to use against high-value targets inside an already compromised network.
Unveiling the Backdoor Implants: HTTPSnoop and PipeSnoop
HTTPSnoop: A Stealthy Infiltrator
HTTPSnoop is a backdoor that keeps a low profile by using low-level Windows APIs to interact directly with the HTTP device on the system, the kernel-mode HTTP stack (http.sys) that backs the Windows HTTP Server API and IIS.
Through that device it registers (binds to) specific HTTP(S) URL patterns and waits for requests that match them. When one arrives, the implant decodes the HTTP data carried by the request to recover embedded shellcode, which it then executes on the compromised endpoint. Because the listening socket belongs to http.sys rather than to the implant, the port appears to be owned by the System process in tools such as netstat, so hunting by open sockets alone will not reveal it; the URL registrations themselves are the artifact to look for.
To avoid standing out, HTTPSnoop registers URL patterns resembling those used by Microsoft’s Exchange Web Services (EWS) and by OfficeCore’s OfficeTrack, a workforce management product widely used by telecoms. On a host that legitimately runs either product, traffic to such paths looks routine.
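Because HTTPSnoop lives in http.sys URL registrations rather than in a socket of its own, a practical hunt is to list those registrations and check which process owns each one. The following Python script is an added example, not code from the original article or from the researchers: it parses the output of `netsh http show servicestate view=requestq` (run on the Windows host under triage and saved to a file) and reports every registered URL whose owning process is not a known web-server process. The sample netsh output, the PID-to-process map, the `unknownsvc.exe` process name and the `/ews/constructed-example/` paths are all constructed for the example; the implant’s real URL prefixes are not reproduced here.

```python
"""Hunt for unexpected http.sys URL registrations (HTTPSnoop-style listeners).

Added example, not code from the original article. Parses the text printed by
`netsh http show servicestate view=requestq` and flags URL prefixes owned by a
process outside an allowlist of expected web servers.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of netsh output. Queue 1 is a normal kernel-owned
# registration (PID 4 = System); queue 2 is an unknown process that registered
# EWS-looking prefixes, the pattern described in the article. The paths and
# process name below are invented for the example.
SAMPLE_NETSH_OUTPUT = """\
Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        4
    URL groups:
    URL group ID: FD00000040000001
        State: Active
        Request queue name: Request queue is unnamed.
        Properties:
            Number of registered URLs: 1
            Registered URLs:
                HTTP://+:80/Temporary_Listen_Addresses/

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        6120
    URL groups:
    URL group ID: FD00000040000002
        State: Active
        Request queue name: Request queue is unnamed.
        Properties:
            Number of registered URLs: 2
            Registered URLs:
                HTTP://+:80/ews/constructed-example/
                HTTPS://+:443/ews/constructed-example/
"""

# Constructed PID-to-name map; on a live host build it from `tasklist /FO CSV`.
SAMPLE_PID_NAMES = {4: "System", 6120: "unknownsvc.exe"}

# Processes that normally own http.sys prefixes on a Windows server; tune per fleet.
KNOWN_HTTP_OWNERS = {"System", "w3wp.exe", "svchost.exe"}

_URL_RE = re.compile(r"^https?://\S+", re.IGNORECASE)


@dataclass
class RequestQueue:
    pids: list[int] = field(default_factory=list)
    urls: list[str] = field(default_factory=list)


def parse_servicestate(text: str) -> list[RequestQueue]:
    """Group registered URLs by the request queue (hence the PIDs) that owns them."""
    queues: list[RequestQueue] = []
    mode = None  # "pids" while reading the PID list, "urls" while reading URLs
    for raw in text.splitlines():
        line = raw.strip()
        # A queue header at column 0 opens a new queue; the indented repeat of the
        # same label inside each URL group block does not.
        if raw.startswith("Request queue name:"):
            queues.append(RequestQueue())
            mode = None
            continue
        if not queues:
            continue
        if line == "Process IDs:":
            mode = "pids"
            continue
        if line == "Registered URLs:":
            mode = "urls"
            continue
        if mode == "pids":
            if line.isdigit():
                queues[-1].pids.append(int(line))
            else:
                mode = None  # first non-numeric line ends the PID list
        elif mode == "urls":
            if _URL_RE.match(line):
                queues[-1].urls.append(line)
            else:
                mode = None  # blank line or next header ends the URL list
    return queues


def find_unexpected_listeners(queues, pid_names, known_owners=KNOWN_HTTP_OWNERS):
    """Return (url, pid, process) for each URL owned by a process not in the allowlist.

    A PID with no name in the map is reported as well: a listener whose owner
    cannot be identified is exactly what deserves a closer look.
    """
    findings = []
    for queue in queues:
        for pid in queue.pids:
            name = pid_names.get(pid, "<unknown>")
            if name in known_owners:
                continue
            findings.extend((url, pid, name) for url in queue.urls)
    return findings


if __name__ == "__main__":
    hits = find_unexpected_listeners(parse_servicestate(SAMPLE_NETSH_OUTPUT), SAMPLE_PID_NAMES)
    for url, pid, name in hits:
        print(f"UNEXPECTED http.sys listener {url} owned by PID {pid} ({name})")
```

On a real host, feed the script the saved netsh output and a current process list instead of the constructed samples, and treat any hit as a lead rather than a verdict: a legitimate Exchange or OfficeTrack server will own EWS-like prefixes through its own worker processes, so the allowlist has to reflect what actually runs on that machine.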
PipeSnoop: Targeting High-Priority Endpoints
PipeSnoop takes a different approach to the same goal of executing shellcode on an infected endpoint: instead of listening for HTTP requests, it reads its payloads from already established Windows IPC (named) pipes.
A pipe is only reachable from the local machine or from a peer that can already open it over SMB, so PipeSnoop depends on some other component to write the payload into the pipe. This suggests it is meant to operate deep inside an already compromised enterprise environment rather than on public-facing servers, where HTTPSnoop fits better.
Its role may be to reach endpoints the operators consider more valuable or higher priority than the Internet-facing systems where initial access is gained.
Telecom Sector Vulnerabilities
The telecom sector is frequently targeted because a compromised provider is a conduit for attacks on the individuals, businesses and governments that depend on it. Given the infrastructure role telecoms play for every other industry, they bear a correspondingly large share of the responsibility for mitigating such threats.
As Georgia Bafoutsou, Cybersecurity Officer at the European Union Agency for Cybersecurity (ENISA), has emphasized, the telecom sector often acts as a protective shield, intercepting and thwarting attacks before they reach other industries.
Conclusion
The discovery of these implants, and the care taken to make them look like a legitimate security agent and legitimate Exchange or OfficeTrack traffic, underscores the importance of robust cybersecurity measures in the telecom industry: defenders cannot rely on a product name or a familiar URL path as proof that something is benign.
As a favored target of threat actors, telecom firms must remain vigilant and resilient in defending their networks against evolving threats.
About Palo Alto Networks:
Palo Alto Networks is a cybersecurity company offering a wide range of security products. Cortex XDR, the product whose components HTTPSnoop and PipeSnoop imitate, is its extended detection and response offering, designed to detect and respond to threats across endpoints, networks and cloud environments.