GALLIUM: According to Microsoft’s Threat Intelligence Center, the threat group known as GALLIUM has recently been targeting the telecom industry. Microsoft has already been notifying its own customers individually when it observes an attack, but now wants to raise awareness of the group across the security industry as a whole. GALLIUM gains initial access by exploiting unpatched, publicly known vulnerabilities in internet-facing servers, most often in WildFly/JBoss application servers. Once a foothold is established, the group uses common techniques and tools to move laterally through the network, combining custom malware with publicly available toolkits. GALLIUM modifies the malware and toolkits it uses, customizing them so that signature-based anti-virus is less likely to detect them. The group relies on a low-cost methodology and regularly re-uses its hop points (the intermediate infrastructure it routes through), which gives defenders an opportunity: network indicators of compromise (IOCs) shared from known intrusion activity can be matched against traffic to flag malicious connections.
GALLIUM has been active since at least 2012 and has returned in the last two years, targeting the telecom industry throughout 2018-2019. The group has slowed its activity since the start of this campaign but has not fully halted its operations. Microsoft is sharing this information so that the security industry as a whole can better protect itself from the campaign. The Microsoft report includes details about GALLIUM’s post-exploitation tools, including a scanner that looks for hosts with an open NetBIOS name service and a tool that steals credentials from memory. Both of these attacker techniques present opportunities for active defense: a decoy host that answers NetBIOS name queries, or decoy credentials planted in memory, should never be touched by legitimate users, so any interaction with them is a high-fidelity alarm. Binary Defense is committed to continuing to implement active defense techniques in our endpoint detection and response software, drawing on research published by well-known industry sources such as this report as well as research carried out in-house, to provide protection against the entire threat landscape. Microsoft’s report and the GALLIUM IOCs can be found at https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
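The two detection opportunities described above (a NetBIOS name-service sweep by a compromised host, and traffic to a re-used hop point on a shared IOC list) can both be turned into alerts from ordinary flow or firewall logs. The following is an added example written for this post; it is not code from Microsoft’s report or from Binary Defense’s product. The flow records, the IP addresses and the IOC list are constructed for the example (the real GALLIUM indicators are in the Microsoft report linked above), and the sweep threshold of 8 distinct targets within 60 seconds is an assumed tuning value.

```python
"""Flag NetBIOS name-service (UDP/137) sweeps and hop-point IOC hits in flow logs.

Added example for this post, not Microsoft's or Binary Defense's code.
All addresses, flows and indicators below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, NamedTuple, Set

NBNS_PORT = 137  # NetBIOS Name Service

# Constructed placeholder IOC list (documentation-range IPs, NOT real GALLIUM hop points).
HOP_POINT_IOCS: Set[str] = {"203.0.113.10", "198.51.100.77"}

# Constructed flow records: "<ISO timestamp> <src> <dst> <proto> <dport>".
# 10.0.5.23 sweeps twelve hosts on udp/137 in five seconds, then talks to an IOC;
# 10.0.5.40 makes two ordinary NBNS queries minutes apart (benign).
SAMPLE_FLOWS = """\
2019-12-12T10:00:00 10.0.5.23 10.0.5.1 udp 137
2019-12-12T10:00:00 10.0.5.23 10.0.5.2 udp 137
2019-12-12T10:00:01 10.0.5.23 10.0.5.3 udp 137
2019-12-12T10:00:01 10.0.5.23 10.0.5.4 udp 137
2019-12-12T10:00:02 10.0.5.23 10.0.5.5 udp 137
2019-12-12T10:00:02 10.0.5.23 10.0.5.6 udp 137
2019-12-12T10:00:03 10.0.5.23 10.0.5.7 udp 137
2019-12-12T10:00:03 10.0.5.23 10.0.5.8 udp 137
2019-12-12T10:00:04 10.0.5.23 10.0.5.9 udp 137
2019-12-12T10:00:04 10.0.5.23 10.0.5.10 udp 137
2019-12-12T10:00:05 10.0.5.23 10.0.5.11 udp 137
2019-12-12T10:00:05 10.0.5.23 10.0.5.12 udp 137
2019-12-12T10:01:30 10.0.5.40 10.0.5.1 udp 137
2019-12-12T10:05:00 10.0.5.40 10.0.5.2 udp 137
2019-12-12T10:06:10 10.0.5.23 203.0.113.10 tcp 443
2019-12-12T10:07:42 10.0.5.88 192.0.2.55 tcp 443
"""


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow lines into Flow records, sorted by time."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)))
    return sorted(flows, key=lambda f: f.ts)


def nbns_sweep_sources(flows: Iterable[Flow],
                       window: timedelta = timedelta(seconds=60),
                       threshold: int = 8) -> Dict[str, int]:
    """Return {src: peak distinct udp/137 targets within `window`} for sources at or over `threshold`.

    A sliding window per source keeps only the NBNS flows from the last `window`,
    so a host that legitimately resolves a few names over a day is not flagged.
    """
    recent: Dict[str, Deque[Flow]] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.proto != "udp" or f.dport != NBNS_PORT:
            continue
        q = recent[f.src]
        q.append(f)
        while f.ts - q[0].ts > window:  # drop flows that fell out of the window
            q.popleft()
        distinct = len({x.dst for x in q})
        peak[f.src] = max(peak[f.src], distinct)
    return {src: n for src, n in peak.items() if n >= threshold}


def ioc_hits(flows: Iterable[Flow], iocs: Set[str] = HOP_POINT_IOCS) -> List[Flow]:
    """Return every flow whose source or destination is on the shared IOC list."""
    return [f for f in flows if f.src in iocs or f.dst in iocs]


def alerts_for(text: str, iocs: Set[str] = HOP_POINT_IOCS) -> List[str]:
    """Run both detections over raw log text and return human-readable alert lines."""
    flows = parse_flows(text)
    alerts = []
    for src, n in sorted(nbns_sweep_sources(flows).items()):
        alerts.append(f"NBNS sweep: {src} queried {n} distinct hosts on udp/137 within 60s")
    for f in ioc_hits(flows, iocs):
        alerts.append(f"IOC hit: {f.src} -> {f.dst} {f.proto}/{f.dport} at {f.ts.isoformat()}")
    return alerts


if __name__ == "__main__":
    for line in alerts_for(SAMPLE_FLOWS):
        print(line)
```

Both detections are cheap enough to run continuously over NetFlow or firewall exports. The IOC match is only as good as the freshness of the shared list, which is exactly why the report’s indicators are worth loading; the sweep detector catches the same reconnaissance step even after the group rotates infrastructure.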