{"uuid": "874c4b7c-9231-43b1-b52b-f83fed596797", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2016-5195", "type": "seen", "source": "https://t.me/SpiderCodeCommunity1/369", "content": "Title:\nCovert Espionage in Asia\u2019s Communication Networks\n\nHello and welcome, dear reader, to a new article \ud83d\ude01\n\nIn one of the most serious cyber espionage campaigns recently discovered, Palo Alto Networks \u2013 Unit 42 reported intense activity from an advanced threat group known as CL-STA-0969, which is believed to have targeted the critical telecommunications infrastructure of Southeast Asia over a span of ten months.\n\nIt is suspected that this operation was state-sponsored \ud83d\udd75\ud83c\udffb\n\n\n---\n\n\ud83e\udde0 So, what was their goal?\n\nTheir primary goal was to silently infiltrate and control telecom networks without detection \u2014 complete stealth.\n\nInvestigations revealed that the attacks occurred between February and November 2024, with the primary objective being Remote Code Execution (RCE) for data theft, without requiring user interaction.\n\n\n---\n\n\u26a0\ufe0f Wait \u2014 what is RCE?\n\nRCE (Remote Code Execution) is a cyberattack that allows an attacker to gain access to a system and execute commands remotely via a shell \u2014 one of the most dangerous forms of attack.\n\n\n---\n\n\ud83d\udd0d Example of the attack:\n\nThe attackers used a tool called Cordscan to gather intelligence about network devices.\nTo this day, no direct evidence has been found regarding their initial access point.\n\nThen, they performed brute-force attacks on SSH protocols, eventually gaining access and planting multiple malware payloads:\n\nAuthDoor: A malicious authentication module that steals credentials and allows persistent access using a \"magic password.\"\n\nCordscan: A network scanning and packet capturing tool.\n\nGTPDOOR: Specifically built for telecom networks near GPRS roaming exchanges.\n\nEchoBackdoor: A passive backdoor using ICMP packets for command execution and result delivery.\n\nSGSN Emulator (sgsnemu): Bypasses firewalls through network manipulation.\n\nChronosRAT: Malware capable of executing shellcode, capturing screenshots, keylogging, and more.\n\nNoDepDNS (MyDns): A Go-based backdoor that receives commands over DNS using UDP on port 53.\n\n\n\n---\n\n\ud83c\udfaf Targeted Threat Groups:\n\nThey also interacted with or mimicked operations of other known APTs:\n\nLightBasin (UNC1945): Targeting telecom since 2016.\n\nUNC2891: Financially motivated, known for ATM attacks.\n\nUNC3886: Exploited vulnerabilities in VMware systems.\n\n\n\n---\n\n\ud83e\uddf0 Tools Used:\n\nMicrosocks Proxy\n\nFRP (Fast Reverse Proxy)\n\nFScan\n\nResponder\n\nProxyChains\n\n\n\n---\n\n\ud83d\udd13 CVEs Exploited:\n\nCVE-2016-5195\n\nCVE-2021-4034\n\nCVE-2021-3156\n\n\n\n---\n\n\ud83d\udd75\ufe0f\u200d\u2642\ufe0f Stealth Techniques:\n\nDNS tunneling for traffic obfuscation\n\nUsing compromised telecom infrastructure as intermediate relays\n\nLog tampering and credential wiping\n\nDisabling SELinux\n\nRenaming malicious processes to appear legitimate\n\n\n\n---\n\n\ud83c\udf0d International Response \u2013 China & USA\n\nWhen asked on Fox News about alleged Chinese cyberattacks on U.S. telecom infrastructure and intellectual property theft, former U.S. President Donald Trump responded:\n\n> \u201cYou really think we don\u2019t do that too?\nWe do a lot of things like that... the world isn\u2019t simple.\u201d\n\n\n\nThis controversy coincided with statements from a Chinese tech team claiming China was the victim, after discovering a Zero-Day vulnerability in Microsoft Exchange.\n\nThey further alleged that over 50 devices belonging to a major Chinese military entity were compromised between July 2022 and July 2023.\n\nThe Chinese claimed the targets included universities, research institutes, and satellite internet companies.\n\nAccording to their reports, U.S. hackers exploited electronic file system vulnerabilities to compromise the targets between July and November 2024.\n\n\n---\n\nSource:\nThe Hacker News \u2013 CL-STA-0969 Campaign", "creation_timestamp": "2025-08-03T10:00:38.000000Z"}