
Threat Intelligence Update 15 - 21 November 2024 TLP: CLEAR

Updated: Nov 29







This report was processed and collated by the Elemendar CTI team and includes MITRE ATT&CK TTPs and IOCs collated using one of our products, READ., an AI-driven cybersecurity tool.


For further information or a demonstration of our products, please visit our website: elemendar.ai. If you would like a PDF version, please email us at cti@elemendar.com.



Contents






Executive Summary


Salt Typhoon’s Cyberespionage Campaign Targets U.S. Telecoms

Salt Typhoon, a Chinese state-sponsored actor, has targeted U.S. and Asian telecoms, including T-Mobile, AT&T, and Singtel, using advanced methods to access sensitive data like call logs and government communications.


This campaign aligns with China’s geopolitical objectives, establishing persistence for future operations, raising alarms about vulnerabilities in critical infrastructure.


New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems




Salt Typhoon’s Cyberespionage Campaign Targets U.S. Telecoms




The China-linked threat actor Salt Typhoon (aka UNC2286 and Ghost Emperor) has been conducting a widespread cyberespionage campaign targeting major telecommunications companies in the United States and Asia. Among the affected entities are T-Mobile, AT&T, Verizon, Lumen Technologies, and Singapore-based Singtel.

Elemendar CTI Analyst comment: Salt Typhoon is a Chinese state-sponsored threat actor, linked to the Ministry of State Security (MSS), which has been conducting cyberespionage activity since 2020. Salt Typhoon targets critical infrastructure, especially telecommunications networks, to gather intelligence, gain persistence for future operations and map vulnerabilities. Other Chinese-linked threat actors, such as Volt Typhoon, have previously compromised IT environments across U.S. critical infrastructure sectors, including Communications, Energy, and Transportation, with activity extending to Guam. Volt Typhoon pre-positions malware within IT networks to enable lateral movement to operational technology (OT) systems for use in future operations. Comment Ends.

This marks the ninth breach for T-Mobile since 2019, affecting millions of customers. Other major U.S. telecom providers, including AT&T and Verizon, also reported breaches linked to Salt Typhoon, with some networks suffering data exfiltration and surveillance of private communications.


T-Mobile has confirmed the attack, but denied any breach of customer data or disruption to their services. Similarly, Singtel confirmed it was breached but claimed no customer data was exfiltrated.


Salt Typhoon exploited vulnerabilities in Cisco Systems routers and other network devices to breach telecom networks, reportedly leveraging advanced technologies like artificial intelligence (AI) and machine learning. Some networks were compromised for over eight months, allowing persistent access to sensitive data such as:

  • Call logs

  • Unencrypted text messages

  • Audio from targeted communications

  • Private communications of senior U.S. government and political officials

The campaign also involved the compromise of a U.S. court wiretap network, giving threat actors access to information subject to legal requests.


The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have labelled this campaign a significant threat to U.S. critical infrastructure. The attack compromised private communications and sensitive data tied to national security, raising alarms about the vulnerabilities in global telecommunications. Investigators suggest that these breaches are part of a larger Chinese state-sponsored effort to disrupt and exploit critical systems.


Elemendar Intelligence Assessment: Salt Typhoon’s breaches appear to be part of a broader effort to collect intelligence on high-value targets, potentially aiding future operations. Their focus on sensitive systems, such as wiretap networks and government communications, aligns with China’s strategic objectives to enhance its geopolitical, military, and economic positioning globally.


Similar to Volt Typhoon, Salt Typhoon is highly likely to have gained access to these networks to establish persistence, with a view to denying communications in the future or understanding how communication networks function. In line with these objectives, further attacks on critical infrastructure are almost certain. Assessment Ends.



New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems



Helldown, a new ransomware group, has been identified as a growing threat targeting critical infrastructure and businesses worldwide.


Elemendar CTI Analyst comment: First documented in August 2024, Helldown operates aggressively, employing double extortion tactics to exfiltrate sensitive data and threaten public leaks to pressure victims into paying ransoms. To date, the ransomware group has claimed 31 victims across sectors such as IT services, telecommunications, manufacturing, and healthcare, with most targets located in the United States and Europe. Comment Ends.

Helldown primarily exploits vulnerabilities in Zyxel firewalls to gain initial access to victims’ systems. Cybersecurity firms Truesec and Sekoia have confirmed that the group leverages both known and undocumented vulnerabilities in Zyxel devices, creating SSL VPN tunnels and stealing credentials to establish a foothold. Following this, Helldown employs typical ransomware tactics, including persistence, credential harvesting, lateral movement, and defence evasion, ultimately deploying ransomware to encrypt systems and exfiltrate data.


The Windows version of Helldown ransomware performs various pre-encryption activities, such as deleting shadow copies, terminating processes related to databases and Microsoft Office, and removing traces of its activity before shutting down infected machines. Its Linux counterpart, aimed at VMware ESX servers, focuses on listing and terminating active virtual machines (VMs) before encrypting their data. However, the Linux variant lacks sophistication, such as obfuscation or anti-debugging mechanisms, suggesting it is still under development.
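The pre-encryption chain described above (shadow copy deletion, killing database and Office processes, clearing traces, then shutting the host down) is a useful detection opportunity because the individual commands are noisy but the sequence on one host is not. The following is an added example, not code from the report or from Sekoia/Truesec: a small Python detector run over constructed command-line audit records in an assumed `ts host= user= cmd=""` format, flagging hosts that show several of these behaviours together.

```python
import re
from collections import defaultdict

# Constructed sample command-line audit records (not from the report or any real incident).
SAMPLE_LOG = """\
2024-11-18T03:12:05Z host=WS01 user=svc_backup cmd="vssadmin delete shadows /all /quiet"
2024-11-18T03:12:09Z host=WS01 user=svc_backup cmd="taskkill /F /IM sqlservr.exe"
2024-11-18T03:12:10Z host=WS01 user=svc_backup cmd="taskkill /F /IM winword.exe"
2024-11-18T03:12:15Z host=WS01 user=svc_backup cmd="wevtutil cl Security"
2024-11-18T03:12:20Z host=WS01 user=svc_backup cmd="shutdown /s /f /t 0"
2024-11-18T08:00:00Z host=WS02 user=alice cmd="taskkill /F /IM notepad.exe"
2024-11-18T08:05:00Z host=WS03 user=bob cmd="shutdown /r /t 60"
"""

# Assumed record layout; adapt LINE_RE to your own audit source.
LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')

# One rule per pre-encryption behaviour the report attributes to the Windows variant.
# Only the forced shutdown maps to an ID in the report's TTP table (T1529); the
# others are labelled by description rather than by an ATT&CK ID.
RULES = [
    ("shadow copy deletion",
     re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b|\bwmic\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("database/Office process termination",
     re.compile(r"\btaskkill\b.*\b(sqlservr|mysqld|oracle|winword|excel|outlook)\.exe", re.I)),
    ("event log clearing", re.compile(r"\bwevtutil\b.*\bcl\b", re.I)),
    ("forced shutdown", re.compile(r"\bshutdown\b.*/s\b", re.I)),   # T1529
]

def parse_line(line):
    """Parse one audit record; returns None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def detect(log_text):
    """Return {host: [distinct behaviour labels seen]} in first-seen order."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        for label, rx in RULES:
            if rx.search(rec["cmd"]) and label not in hits[rec["host"]]:
                hits[rec["host"]].append(label)
    return dict(hits)

def flag_hosts(log_text, min_behaviours=3):
    """Hosts showing at least min_behaviours distinct pre-encryption behaviours."""
    return sorted(h for h, labels in detect(log_text).items() if len(labels) >= min_behaviours)

if __name__ == "__main__":
    for host, labels in detect(SAMPLE_LOG).items():
        print(host, labels)
    print("flagged:", flag_hosts(SAMPLE_LOG))
```

The threshold keeps a lone administrative `shutdown /r` or a single `taskkill` from paging anyone, while the four-step chain on WS01 is flagged.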


Fig.2: Helldown ransom note from xml configuration (source: Sekoia)


Elemendar CTI Analyst comment: Helldown’s behaviour shares notable similarities with Darkrace and Donex, both variants of LockBit 3.0. Darkrace emerged in 2023 and later rebranded to Donex, with both operations ceasing after a public decryptor was released in 2024. While Helldown appears to have inherited behavioural traits and configuration similarities from these groups, a definitive connection remains unconfirmed. Comment Ends.


Helldown has expanded its capabilities, targeting virtualised environments and VMware infrastructure, indicating an evolution in its attack strategy. By terminating VMs, the group gains write access to image files, although this functionality has not yet been fully activated in its ransomware code. The lack of advanced features in its Linux variant further suggests that the group’s operational maturity is still developing.


Helldown’s targets include both small and medium-sized enterprises and larger organisations, such as Zyxel Europe, a subsidiary providing network and cybersecurity solutions. The group exfiltrates significant volumes of data, averaging 70GB per victim, often focusing on administrative files like PDFs and scanned documents. Its indiscriminate data collection contrasts with the more selective approach of other ransomware groups, possibly reflecting a strategy to maximise pressure on victims.

Elemendar Intelligence Assessment: Helldown represents an active and evolving intrusion set, with its success relying on exploiting unpatched vulnerabilities and leveraging established ransomware techniques. While Helldown’s ransomware lacks sophistication, its ability to compromise targets is proven.


By primarily targeting small to medium-sized businesses, the Helldown group is highly likely to be operationally testing its malware against targets that are likely to have less robust security solutions in place. From this operational testing, the group is almost certain to modify and improve the malware before moving on to larger, more profitable targets. Therefore, in time, as the group continues to develop and refine its toolset, Helldown is likely to become a critical threat within the ransomware landscape, representing a threat to all verticals. Assessment Ends.





Annex A: References



Salt Typhoon’s Cyberespionage Campaign Targets U.S. Telecoms



https://informationsecuritybuzz.com/ransomware-attacks-on-healthcare-secto/



https://www.pymnts.com/cybersecurity/2024/t-mobile-network-reportedly-breached-in-chinese-hacking-campaign/



https://securitybrief.co.nz/story/cyber-espionage-group-volt-typhoon-resurfaces-globally



https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a


New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems



https://thehackernews.com/2024/11/new-helldown-ransomware-expands-attacks.html





Annex B: STIX Entities


Salt Typhoon’s Cyberespionage Campaign Targets U.S. Telecoms



MITRE ATT&CK TTPs / Attack Procedures


ID | Name | Tactic | Procedure | Description | Logs
T1190 | Exploit Public-Facing Application | Initial Access | Exploitation of Vulnerable Web Applications | Adversaries exploit vulnerabilities in public-facing applications to gain initial access to a network. | Web server logs: Look for exploit attempts or unexpected parameter injection in HTTP requests.
T1562.011 | Spoof Security Alerting | Defence Evasion | Manipulation of Security Alerts | Adversaries spoof or disable security alerts to avoid detection and mislead defenders. | Security tool logs: Unusual changes to alerting configurations or suppression of alerts.
T1584.008 | Network Devices | Resource Development | Targeting Network Devices for Attack Infrastructure | Adversaries leverage compromised network devices as infrastructure for further attacks. | Network device logs: Look for unauthorised changes, new configurations, or unusual traffic patterns.


New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems



MITRE ATT&CK TTPs / Attack Procedures



ID | Name | Tactic | Procedure | Description | Logs
T1203 | Exploitation for Client Execution | Execution | Client-Side Exploitation | Exploiting vulnerabilities in client applications to execute arbitrary code. | Application logs: Unexpected crashes or exploit attempts.
T1584.008 | Network Devices | Resource Development | Compromising Network Devices | Leveraging network devices for attack infrastructure. | Network device logs: Unauthorised changes or unusual traffic.
T1211 | Exploitation for Defence Evasion | Defence Evasion | Bypassing Defences via Exploits | Exploiting vulnerabilities to evade detection mechanisms. | Security logs: Detection of exploit activity targeting defensive software.
T1588.006 | Vulnerabilities | Resource Development | Acquiring Exploits | Obtaining vulnerabilities or exploits for use in operations. | Threat intel logs: Indicators of exploit acquisition on dark web or other platforms.
T1132 | Data Encoding | Command and Control | Encoding Data for Transmission | Encoding command-and-control communications to avoid detection. | Network logs: Base64-encoded traffic or other encoding patterns.
T1556.001 | Domain Controller Authentication | Credential Access | Kerberos Ticket Requests | Forging or stealing tickets to access domain resources. | Authentication logs: Unusual Kerberos ticket usage or mismatched account activities.
T1562.007 | Disable or Modify Cloud Firewall | Defence Evasion | Cloud Firewall Modification | Disabling or changing cloud firewall settings to allow malicious traffic. | Cloud provider logs: Changes to firewall rules or access configurations.
T1135 | Network Share Discovery | Discovery | Identifying Network Shares | Scanning and listing shared directories on a network. | File access logs: Access to network shares by unauthorised users.
T1037 | Boot or Logon Initialization Scripts | Persistence | Modification of Startup Scripts | Altering scripts executed during boot or logon to maintain persistence. | File change logs: Modifications to startup scripts such as logon.bat.
T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration | Encrypted Data Exfiltration | Exfiltrating data over symmetric encrypted protocols. | Network traffic logs: Suspicious encrypted outbound connections.
T1600 | Weaken Encryption | Defence Evasion | Use of Weak Encryption Algorithms | Using or forcing weak encryption methods to facilitate data compromise. | Encryption logs: Usage of outdated or insecure algorithms.
T1059.003 | Windows Command Shell | Execution | Command Execution via Shell | Executing commands using the Windows Command Shell. | Command-line logs: Commands executed via cmd.exe.
T1055.012 | Process Hollowing | Defence Evasion | Injecting Code into Processes | Hiding malicious code within legitimate processes via hollowing. | Process injection logs: Anomalous memory allocations or threads.
T1529 | System Shutdown/Reboot | Impact | Forcing System Reboots | Rebooting or shutting down systems to disrupt operations or remove forensic evidence. | Event logs: System shutdown or restart events triggered by unauthorised users.
T1036.006 | Space after Filename | Defence Evasion | Filename Obfuscation | Adding spaces after filenames to confuse detection systems. | File access logs: Files with unexpected trailing spaces.
T1548.006 | TCC Manipulation | Privilege Escalation | Abuse of Transparency, Consent, and Control | Exploiting macOS TCC to bypass security controls. | macOS logs: Unexpected access to protected resources.
T1573.002 | Asymmetric Cryptography | Command and Control | Encrypted C2 with Public Key Encryption | Using asymmetric cryptography to encrypt command-and-control communications. | Network logs: Encrypted traffic using asymmetric algorithms.
T1573 | Encrypted Channel | Command and Control | Secure C2 Communications | Encrypting command-and-control channels to evade detection. | Network logs: Detection of encrypted traffic from unexpected sources.





IOCs




Probability Language


This document uses probability language based on assessment. Further information can be found in the image below: 



Feedback


We welcome your feedback; it ensures we meet your needs.

Please contact our CTI Director at: CTI@elemendar.ai

Acknowledgements

Authored by Paul Montgomery, CTI Director Elemendar



