In a blog post, Microsoft explains that Gallium is not concerned about hiding its tracks and is brazen in its attacks. For example, the group relies on cheap, readily available tools. While Microsoft does not see the group as advanced, the company is concerned by how effective Gallium has been. Among the quick and dirty techniques in use is scanning for vulnerable web servers and using well-known exploits to gain access. “Compromising a web server gives Gallium a foothold in the victim network that doesn’t require user interaction, such as traditional delivery methods like phishing,” Microsoft Threat Intelligence Center (MSTIC) warns. “Following exploitation of the web servers, Gallium actors typically install web shells, and then install additional tooling to allow them to explore the target network.”
Easy Attacks
Gallium’s ability to take existing malware tools and use them to bypass security makes the group both annoying and dangerous. Some of those tools include Mimikatz, HTRAN, NBTScan, PsExec, Netcat, Windows Credential Editor, and WinRAR. “To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allow for lateral movement across the target network.” Microsoft points out that the group has been largely inactive during the second half of 2019. It was more active through 2018 and during the first six months of this year. Redmond says sharing information about Gallium will help the security community prevent further attacks.
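The post-exploitation chain MSTIC describes (web server compromise, web shell, then additional tooling such as Mimikatz) leaves a characteristic trace in process-creation telemetry: a web server worker spawning a command interpreter, followed by known tool names appearing in command lines. The script below is an added example, not Microsoft's or MSTIC's code, showing how a defender might triage such events. It assumes Sysmon Event ID 1-style records (parent image, image, command line) and uses a small set of constructed sample events; the process and tool name lists are assumptions drawn from the tooling named on this page.

```python
"""Triage process-creation events for web-shell activity and GALLIUM-style tooling.

Added example, not code from Microsoft or MSTIC. Assumes telemetry shaped like
Sysmon Event ID 1 (ParentImage, Image, CommandLine), represented as plain dicts.
"""
import re

# Parent images that should rarely spawn an interactive shell: the IIS worker,
# Apache/nginx, and the Java processes that host WildFly/JBoss (named on the page).
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd", "httpd.exe", "nginx", "java", "java.exe", "tomcat.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}

# Tooling the page attributes to GALLIUM, matched as whole words in the command
# line (word boundaries avoid false hits such as "wce" inside "wcengine").
TOOL_PATTERN = re.compile(r"\b(mimikatz|htran|nbtscan|psexec|wce|netcat)\b", re.IGNORECASE)
TOOL_IMAGES = {"mimikatz.exe", "htran.exe", "nbtscan.exe", "psexec.exe",
               "wce.exe", "nc.exe", "netcat.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the list of reasons an event looks suspicious (empty if benign)."""
    reasons = []
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    cmdline = event.get("command_line", "")

    # Stage 1 on the page: a web shell executes commands through the web server process.
    if parent in WEB_SERVER_PARENTS and child in SHELL_CHILDREN:
        reasons.append(f"web server process {parent} spawned {child}")

    # Stage 2 on the page: additional tooling (Mimikatz, HTRAN, NBTScan, PsExec, ...).
    match = TOOL_PATTERN.search(cmdline)
    if child in TOOL_IMAGES or match:
        name = child if child in TOOL_IMAGES else match.group(1).lower()
        reasons.append(f"known GALLIUM tooling observed: {name}")
    return reasons


def triage(events: list) -> list:
    """Return (event id, reasons) pairs for every event that raised at least one reason."""
    flagged = []
    for event in events:
        reasons = classify(event)
        if reasons:
            flagged.append((event["id"], reasons))
    return flagged


# Constructed sample telemetry (not real logs): two web-shell style spawns, one
# tool launch, and two benign events that must not be flagged.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
    {"id": 3, "parent_image": r"C:\jboss\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c hostname"},
    {"id": 4, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\mimikatz.exe", "command_line": "mimikatz.exe"},
    {"id": 5, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Vendor\wcengine.exe", "command_line": "wcengine.exe --service"},
]

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Running the block prints events 1, 3 and 4 with their reasons; event 2 (Explorer launching cmd.exe) and event 5 (a service binary whose name merely contains "wce") stay silent. In production the same two checks map naturally onto a SIEM rule keyed on ParentImage/Image, with the tool-name list maintained alongside threat intelligence rather than hard-coded.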