A sophisticated cyberespionage campaign targeting telecommunications providers in Southwest Asia has been uncovered by Palo Alto Networks’ Unit 42, showcasing custom tooling and tradecraft attributed to a nation-state actor. The campaign appears focused on tracking mobile subscribers and exploiting unpatched systems, highlighting the ongoing threat to critical infrastructure. #LiminalPanda #GTPDoor
Key points
- The campaign, active from February to November 2024, relied on stealthy tradecraft and custom malware.
- The threat actors gained access by brute-forcing credentials, tunneled command-and-control traffic over DNS and SSH, and tampered with logs and masqueraded processes to stay hidden and keep their foothold.
- Privileges were escalated with long-patched vulnerabilities such as CVE-2016-5195 (Dirty COW, in the Linux kernel) and CVE-2021-4034 (PwnKit, in polkit’s pkexec), which only works on hosts that were never updated; their success is itself an indicator of how outdated the compromised systems were.
- Custom tools such as AuthDoor, GTPDoor, ChronosRAT, and NoDepDNS provide persistent access, covert command-and-control channels, and evasion of detection during data exfiltration.
- The campaign’s objectives likely include tracking mobile subscribers and deep manipulation of telecom network infrastructure.
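Two of the techniques listed above (credential brute-forcing over SSH and tunneling over DNS) leave footprints in logs that most telecom operators already collect. The following is an added detection example, not code from Unit 42’s report or from the tooling it describes: it runs two heuristics over constructed sample log lines in the default OpenSSH syslog format and a simplified resolver query-log format, and flags (a) source IPs with many failed logins, especially when a successful login follows, and (b) DNS zones receiving bursts of long, high-entropy leftmost labels. The thresholds, the “last two labels are the zone” rule, and the log formats are assumptions; a real deployment would use the public suffix list and tune the thresholds against its own baseline.

```python
"""Added example: brute-force and DNS-tunnel heuristics over constructed log lines."""
import math
import re
from collections import Counter, defaultdict

# Constructed sshd auth log (assumption: default OpenSSH syslog format).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 gw1 sshd[2231]: Failed password for root from 198.51.100.7 port 51122 ssh2
Mar  3 10:00:02 gw1 sshd[2233]: Failed password for root from 198.51.100.7 port 51124 ssh2
Mar  3 10:00:03 gw1 sshd[2235]: Failed password for invalid user admin from 198.51.100.7 port 51126 ssh2
Mar  3 10:00:04 gw1 sshd[2237]: Failed password for root from 198.51.100.7 port 51128 ssh2
Mar  3 10:00:05 gw1 sshd[2239]: Failed password for root from 198.51.100.7 port 51130 ssh2
Mar  3 10:00:06 gw1 sshd[2241]: Failed password for root from 198.51.100.7 port 51132 ssh2
Mar  3 10:00:09 gw1 sshd[2243]: Accepted password for root from 198.51.100.7 port 51134 ssh2
Mar  3 10:05:00 gw1 sshd[2300]: Failed password for ops from 203.0.113.9 port 40000 ssh2
Mar  3 10:05:30 gw1 sshd[2301]: Accepted publickey for ops from 203.0.113.9 port 40001 ssh2
"""

# Constructed resolver query log (assumption: "<client> query: <qname> <qtype>").
SAMPLE_DNS_LOG = """\
10.0.0.5 query: www.example.com A
10.0.0.5 query: 7e4a9b1c3d5f6071829a3b4c5d6e7f80.tun.example.net TXT
10.0.0.5 query: 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tun.example.net TXT
10.0.0.5 query: a1b2c3d4e5f60718293a4b5c6d7e8f90.tun.example.net TXT
10.0.0.5 query: 9a8b7c6d5e4f30211203f4e5d6c7b8a9.tun.example.net TXT
10.0.0.5 query: mail.example.com MX
"""

SSH_AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
DNS_QUERY_RE = re.compile(r"query: (?P<qname>\S+) (?P<qtype>[A-Z]+)")


def ssh_bruteforce_alerts(log_text, threshold=5):
    """Return {ip: details} for sources with >= threshold failed logins.

    'success_after_failures' is True when an Accepted line for that IP appears
    after the threshold was reached: the case to triage first, since it means
    the guessing most likely worked.
    """
    failures = Counter()
    users = defaultdict(set)
    success_after = {}
    for line in log_text.splitlines():
        m = SSH_AUTH_RE.search(line)
        if not m:
            continue
        ip, user, result = m["ip"], m["user"], m["result"]
        if result == "Failed":
            failures[ip] += 1
            users[ip].add(user)
        elif failures[ip] >= threshold:
            success_after[ip] = True
    return {
        ip: {
            "failures": n,
            "users": sorted(users[ip]),
            "success_after_failures": success_after.get(ip, False),
        }
        for ip, n in failures.items()
        if n >= threshold
    }


def shannon_entropy(s):
    """Bits per character; random hex approaches 4.0, English words sit well below 3.0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_tunnel_alerts(log_text, min_len=20, min_entropy=3.0, min_queries=3):
    """Return {zone: count} for zones receiving >= min_queries suspicious queries.

    A query is suspicious when its leftmost label (where tunnels usually carry
    the encoded payload) is long and high-entropy. Zone = last two labels,
    an assumption that stands in for a public-suffix-list lookup.
    """
    suspicious = Counter()
    for line in log_text.splitlines():
        m = DNS_QUERY_RE.search(line)
        if not m:
            continue
        labels = m["qname"].rstrip(".").split(".")
        if len(labels) < 3:  # nothing below the zone to carry a payload
            continue
        zone = ".".join(labels[-2:])
        payload = labels[0]
        if len(payload) >= min_len and shannon_entropy(payload) >= min_entropy:
            suspicious[zone] += 1
    return {zone: n for zone, n in suspicious.items() if n >= min_queries}


if __name__ == "__main__":
    print("SSH brute-force:", ssh_bruteforce_alerts(SAMPLE_AUTH_LOG))
    print("DNS tunneling:", dns_tunnel_alerts(SAMPLE_DNS_LOG))
```

On the sample data only 198.51.100.7 is flagged (six failures, then an accepted root password login), while the single failure from 203.0.113.9 followed by a key-based login stays below the threshold; on the DNS side the four 32-character hex labels under example.net trip the zone counter while www and mail do not. The same two signals also fit the page’s broader point: an accepted password login for root after a run of failures is exactly the foothold that a later Dirty COW or PwnKit attempt would start from.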