Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

Turkish Sea Turtle APT targets Dutch IT and Telecom firms

Sea Turtle cyber espionage group targeted telco, media, ISPs, IT service providers, and Kurdish websites in the Netherlands. Researchers from Dutch security firm Hunt & Hackett observed Sea Turtle cyber espionage group (aka Teal Kurma, Marbled Dust, SILICON and Cosmic Wolf) targeting telco, media, ISPs, IT service providers, and Kurdish websites in the Netherlands. The […]

Bitwarden

Sea Turtle cyber espionage group targeted telco, media, ISPs, IT service providers, and Kurdish websites in the Netherlands.

Researchers from Dutch security firm Hunt & Hackett observed Sea Turtle cyber espionage group (aka Teal Kurma, Marbled Dust, SILICON and Cosmic Wolf) targeting telco, media, ISPs, IT service providers, and Kurdish websites in the Netherlands.

The researchers believe that the Turkey-linked APT Sea Turtle has been active since at least 2017. The Sea Turtle APT group focuses primarily on targeting organizations in Europe and the Middle East. Between 2017 and 2019, the APT group mainly used DNS hijacking in its campaigns.

The group targets government entities, Kurdish (political) groups like PKK, telecommunication, ISPs, IT-service providers (including security companies), NGO, and Media & Entertainment sectors; 

Over the years, the group enhanced its evasion capabilities. In October 2021, Microsoft observed the group conducting intelligence gathering aligned with strategic Turkish interests.

In recent attacks, the researchers targeted the infrastructure of the targets with supply chain and island-hopping attacks. The threat actors gathered personal information on minority groups and potential political dissents.

“The stolen information is likely to be exploited for surveillance or intelligence gathering on specific groups and or individuals.” reads the report published by Hunt & Hackett. “This appears to be consistent with claims from US officials in 2020 about hacker groups acting in Turkey’s interest, focusing on the identities and locations of the victims, which included governments of countries that are geopolitically significant to Turkey”

The modus operandi of the group includes intercepting internet traffic to victim websites, and potentially granting unauthorized access to government networks and other organizations. 

During one of the most recent campaigns in 2023, the APT group employed a reverse TCP shell named SnappyTCP to target Linux/Unix systems. 

Sea Turtle also used code from a publicly accessible GitHub account, which is likely under the control of the threat actor. The researchers also observed the cyber spies compromising cPanel accounts and using SSH to achieve initial access to the environment of a target’s organization.

Hunt & Hackett also observed the threat actor collecting at least one e-mail archive, of one of the multiple victim organizations. 

Below are the recommendations provided by the researchers to mitigate exposure to Sea Turtle attacks:

  • Deploy EDR and monitor systems for network connections executed processes, file creation/modification/deletion and account activity, and store logfiles in a central location. Ensure sufficient storage capacity for historic forensic investigation purposes. 
  • Create and enforce a password policy with adequate complexity requirements for specific accounts. 
  • Store passwords in a secrets management system, that can also be used by development environments. 
  • Limit logon attempts on accounts to reduce the chance of successful brute force attacks. 
  • Enable 2FA on all externally exposed accounts. 
  • Keep software up to date to reduce number of vulnerabilities in externally exposed systems. 
  • Reduce the number of systems that can be reached over internet using SSH. Where this is still necessary, it is recommended to implement an SSH-logon rate-limit. 
  • Implement egress network filtering to prevent malicious processes such as reverse shells to successfully sent network traffic to not-allowed IP-addresses. 

The report also includes Indicators of Compromise (Iocs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Sea Turtle)