
PhantomCore Exploits TrueConf Vulnerabilities to Breach Russian Networks

The Hacker News, 27/04/2026, 11:54

Summary

AI-Generated

Key Points:

  • PhantomCore, a pro-Ukrainian hacktivist group, is exploiting a chain of three vulnerabilities in TrueConf video conferencing software to achieve remote command execution and breach Russian networks.
  • The attacks allow unauthorized access to internal networks, enabling lateral movement and deployment of malicious payloads, including web shells and backdoors. The group has been active since September 2025 and targets various sectors in Russia.
  • Immediate actions include applying security patches released by TrueConf on August 27, 2025, monitoring for signs of compromise, and enhancing network defenses against lateral movement tactics.

Technical Details: PhantomCore exploits a chain of vulnerabilities in TrueConf servers that allow attackers to bypass authentication. The group has also been observed using phishing tactics to gain initial access through crafted ZIP or RAR files.

MITRE ATT&CK Techniques:

  • T1190 - Exploit Public-Facing Application (Initial Access)
  • T1078 - Valid Accounts (Persistence)
  • T1021.001 - Remote Services: Remote Desktop Protocol (Lateral Movement)
  • T1003.001 - OS Credential Dumping: LSASS Memory (Credential Access)
  • T1566.001 - Phishing: Spearphishing Attachment (Initial Access)

IOCs Mentioned: None mentioned
