Oh For Fuck’s Sake, The Chinese Have Your Dial Tone Again
Right, so some bastard Chinese state-sponsored hackers have been having a field day in telecom networks with a shiny new malware toolkit they’re calling DEEPDATA. Because apparently, my afternoon nap wasn’t ruined enough by some luser complaining about their VPN, now I’ve got to worry about APT41 shitting all over Internet Access Service servers.
These twats have developed three custom plugins specifically designed to raid IAS servers—the boxes that handle authentication and accounting. You know, the ones with THE KEYS TO THE FUCKING KINGDOM. They’ve weaponized DLL sideloading like it’s 2010, because why bother with zero-days when telecom admins are too busy updating their LinkedIn profiles to patch their shit?
The toolkit comes complete with “living-off-the-land techniques”—which is just fancy bullshit for “we’re using the tools already on your shitty network because you’re too incompetent to monitor them”—and a backdoor called DEEPPOST for exfiltrating data. They’ve been at this since mid-2023, which means some dipshit sysadmin has been ignoring alerts for nearly a year while these guys siphoned off credentials faster than I drain the office coffee pot.
The malware drops legitimate executables vulnerable to DLL sideloading alongside malicious DLLs, because apparently code signing and application whitelisting are just myths told to scare children, not actual security practices. And these IAS plugins? They harvest usernames, passwords, and session data like it’s a fucking harvesting festival.
So yeah, if you’re a telecom admin and you’re reading this instead of checking your IAS logs, congratulations—you’re probably already owned. Now get off your arse and audit your shit before I have to come down there and beat you to death with a damp ethernet cable.
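Since the post says the toolkit drops a legitimate, sideloadable executable next to its malicious DLL, here is an added detection example (mine, written for this page, not code from the post or from any vendor's tooling) that flags exactly that pattern in Sysmon-style image-load events: a DLL loaded from the same non-system directory as its host executable without a valid signature. The event records are constructed sample data, and the vendor-updater.exe / version.dll names are made up for illustration.

```python
"""Flag DLL-sideloading candidates in Sysmon-style image-load events (Event ID 7).

Heuristic: a process running outside the usual install roots loads a DLL
from its own directory, and that DLL is unsigned or its signature is invalid.
Everything below is constructed sample data, not real telemetry.
"""
from pathlib import PureWindowsPath

# Directories where legitimately installed software normally lives.
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

# Constructed sample events, shaped like Sysmon Event ID 7 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\rpcss.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\Public\Libraries\vendor-updater.exe",  # hypothetical signed binary
     "ImageLoaded": r"C:\Users\Public\Libraries\version.dll",   # unsigned neighbour
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "-"},
    {"Image": r"C:\Program Files\VendorApp\app.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Vendor Inc"},
    {"Image": r"C:\Users\Public\Libraries\vendor-updater.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",     # system DLL, different dir
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
]


def _under_trusted_root(path: PureWindowsPath) -> bool:
    """Case-insensitive check that the path lives under a trusted install root."""
    p = str(path).lower()
    return any(p.startswith(root.lower() + "\\") for root in TRUSTED_ROOTS)


def is_sideload_candidate(ev: dict) -> bool:
    """True when the DLL sits beside the host EXE, outside trusted roots, and is not validly signed."""
    exe = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    dll_trusted = ev["Signed"] == "true" and ev["SignatureStatus"] == "Valid"
    return same_dir and not _under_trusted_root(dll) and not dll_trusted


def find_sideload_candidates(events: list) -> list:
    """Return (exe, dll) pairs worth pulling into an investigation."""
    return [(ev["Image"], ev["ImageLoaded"]) for ev in events if is_sideload_candidate(ev)]


if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible sideload: {exe} loaded {dll}")
```

Feed it real Sysmon Event ID 7 records (the field names match) and tune TRUSTED_ROOTS to your own install locations; a hit is a lead, not a verdict, since legitimate software does ship unsigned DLLs.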
You know, this reminds me of the time some marketing drone tried to tell me that “the cloud” would solve all our security problems. I spent three hours explaining that “the
