The threat actor, formed in 2023, focuses on ransomware attacks targeting Russian government organizations. It encrypts and deletes victim data, exfiltrates sensitive information, and aims to inflict maximum damage on critical assets.
The threat actor likely scans IP address ranges in Russia to identify VPN servers and internet-facing applications that could serve as entry points into target organizations or their contractors.
Adversaries often exploit contractors' infrastructure to gain access to their customers' networks, using stolen credentials and RDP to move laterally and compromise sensitive systems.


The attackers deployed various web shells, primarily in PHP, to compromise web servers. These shells were used to execute commands, transfer files, and send emails. Many of these shells were publicly available tools and were found in common locations such as Bitrix folders.
They exploited vCenter Server vulnerabilities (CVE-2021-21972, CVE-2021-22005) to deploy a web shell, which they then used to load the FaceFish backdoor, which injects itself into the SSH process.


It used PowerShell and net.exe to add domain accounts and groups, modify ACLs, and distribute malware through the Task Scheduler and group policies, gaining control over the domain infrastructure.
The attackers disguised malware and tasks under legitimate names, cleared event logs and RDP connection history, and used Cobalt Strike and PowerShell tools for C2 and payload distribution.
They also used Ngrok to create a remote access tunnel to the compromised system, configuring it to listen on port 3389 and disguising it as a legitimate system service to evade detection.


The adversary used various tools to explore, discover, and exploit the victim's network and domain infrastructure, leveraging legitimate credentials to escalate privileges and modify account attributes to gain more control.
It uses self-written scripts (ps1, bat) to disable security software (Sophos) and potentially gather domain information (PowerView).
It used Task Scheduler to schedule malicious tasks that executed ransomware and wipers on all domain machines simultaneously. These tasks were triggered by group policy modifications and copied and executed the malicious files from a network share.


Various tools, such as mimikatz, reg.exe, ntdsutil.exe, and All-In-One Password Recovery Pro, were used to extract credentials from compromised systems and then leverage those credentials to move laterally across the victim's network using RDP, PsExec, and PowerShell Remoting.
It successfully extracted sensitive victim data from Telegram's cached data folder, compromising privacy and potentially enabling account impersonation.
LockBit 3.0 ransomware encrypts data and spreads via group policies and PowerShell scripts, terminates security software, and deletes event logs.
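As an added, defender-side example (not from the article or from Kaspersky's report), the following Python sketch scans constructed process-creation records for the command-line patterns described above: net.exe account and group additions, scheduled tasks that run a file from a network share, a renamed tunnel listening on 3389, event log clearing, and an NTDS export. Hostnames, paths and command lines are constructed samples, and the ATT&CK IDs in the rule descriptions are my own mapping, not the article's.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample process-creation records (Sysmon EID 1 / Windows 4688 style),
# not logs from the incident: (host, image path, command line).
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("dc01", r"C:\Windows\System32\net.exe", r'net group "Domain Admins" svc_backup /add /domain'),
    ("ws07", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn "Windows Update" /tr \\fileshare\soft\run.bat /sc once /st 03:00 /ru SYSTEM'),
    ("ws07", r"C:\ProgramData\svchost.exe", "svchost.exe tcp 3389 --authtoken <redacted>"),  # renamed Ngrok
    ("dc01", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
    ("dc01", r"C:\Windows\System32\ntdsutil.exe", r'ntdsutil "ac i ntds" ifm "create full C:\temp\x" q q'),
    ("ws12", r"C:\Windows\System32\net.exe", r"net use Z: \\fileshare\soft"),  # benign, must not fire
    ("ws12", r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\a\notes.txt"),
]

# Rules key on the command line, not the image name, because the tools (e.g. Ngrok)
# were renamed to look like system services. ATT&CK IDs are the author's own mapping.
RULES: List[Tuple[str, str, str]] = [
    ("domain_account_or_group_add", r"\bnet1?(\.exe)?\s+(user|group|localgroup)\b.*\s/add\b",
     "net.exe adding domain accounts/groups (T1136.002)"),
    ("task_from_network_share", r"\bschtasks(\.exe)?\s+/create\b.*\\\\[^\\\s]+\\",
     "scheduled task executing a file from a network share (T1053.005)"),
    ("rdp_tunnel_3389", r"\btcp\s+3389\b", "tunnel exposing RDP on 3389, e.g. Ngrok (T1572)"),
    ("event_log_cleared", r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", "Windows event log cleared (T1070.001)"),
    ("ntds_export", r"\bntdsutil(\.exe)?\b.*\bifm\b", "NTDS.dit export via ntdsutil (T1003.003)"),
]
_COMPILED = [(rid, re.compile(rx, re.IGNORECASE), desc) for rid, rx, desc in RULES]


def scan(events: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Return one hit per (event, rule) match, in event order."""
    hits: List[Dict[str, str]] = []
    for host, image, cmd in events:
        for rid, rx, desc in _COMPILED:
            if rx.search(cmd):
                hits.append({"host": host, "rule": rid, "image": image, "cmd": cmd, "why": desc})
    return hits


def hosts_with_chained_ttps(hits: List[Dict[str, str]], min_rules: int = 2) -> List[str]:
    """Hosts tripping at least `min_rules` distinct rules: a single match may be admin
    noise, but account changes plus log clearing plus a tunnel on one box is the pattern."""
    per_host: Dict[str, Set[str]] = {}
    for h in hits:
        per_host.setdefault(h["host"], set()).add(h["rule"])
    return sorted(host for host, rules in per_host.items() if len(rules) >= min_rules)
```

Run `scan(SAMPLE_EVENTS)` to list the five matching records; `hosts_with_chained_ttps` then narrows them to the two hosts where several of these techniques appear together.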


After encrypting files, the group used a publicly available wiper to destroy data on the victim's infrastructure: the wiper overwrote the MBR, file contents, and metadata, then deleted itself and shut down the system. It was spread via PowerShell and scheduled tasks.
According to Kaspersky, Twelve is a hacktivist group focused on inflicting maximum damage on target organizations through data destruction and infrastructure disruption using publicly available malware tools.