Hacktivist Group Twelve Targets Russian Entities with Harmful Cyber Assaults

Hacktivist Group Twelve Targets Russian Entities with Harmful Cyber Assaults
Hacktivist Group Twelve Targets Russian Entities with Harmful Cyber Assaults


A hacktivist group referred to as Twelve has been noticed utilizing an arsenal of publicly out there instruments to conduct harmful cyber assaults in opposition to Russian targets.

“Slightly than demand a ransom for decrypting information, Twelve prefers to encrypt victims’ information after which destroy their infrastructure with a wiper to forestall restoration,” Kaspersky said in a Friday evaluation.

“The method is indicative of a need to trigger most harm to focus on organizations with out deriving direct monetary profit.”

The hacking group, believed to have been fashioned in April 2023 following the onset of the Russo-Ukrainian battle, has a observe report of mounting cyber assaults that intention to cripple sufferer networks and disrupt enterprise operations.

It has additionally been noticed conducting hack-and-leak operations that exfiltrate delicate info, which is then shared on its Telegram channel.

Cybersecurity

Kaspersky stated Twelve shares infrastructural and tactical overlaps with a ransomware group referred to as DARKSTAR (aka COMET or Shadow), elevating the chance that the 2 intrusion units are seemingly associated to at least one one other or a part of the identical exercise cluster.

“On the identical time, whereas Twelve’s actions are clearly hacktivist in nature, DARKSTAR sticks to the basic double extortion sample,” the Russian cybersecurity vendor stated. “This variation of targets throughout the syndicate underscores the complexity and variety of recent cyberthreats.”

The assault chains begin with gaining preliminary entry by abusing legitimate native or area accounts, after which the Distant Desktop Protocol (RDP) is used to facilitate lateral motion. A few of these assaults are additionally carried out through the sufferer’s contractors.

“To do that, they gained entry to the contractor’s infrastructure after which used its certificates to hook up with its buyer’s VPN,” Kaspersky famous. “Having obtained entry to that, the adversary can connect with the shopper’s programs through the Distant Desktop Protocol (RDP) after which penetrate the shopper’s infrastructure.”

Distinguished among the many different instruments utilized by Twelve are Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Superior IP Scanner, and PsExec for credential theft, discovery, community mapping, and privilege escalation. The malicious RDP connections to the system are tunneled by ngrok.

Additionally deployed are PHP internet shells with capabilities to execute arbitrary instructions, transfer information, or ship emails. These programs, such because the WSO web shell, are available on GitHub.

In a single incident investigated by Kaspersky, the risk actors are stated to have exploited recognized safety vulnerabilities (e.g., CVE-2021-21972 and CVE-2021-22005) in VMware vCenter to ship a web shell that then was used to drop a backdoor dubbed FaceFish.

“To realize a foothold within the area infrastructure, the adversary used PowerShell so as to add area customers and teams, and to change ACLs (Entry Management Lists) for Lively Listing objects,” it stated. “To keep away from detection, the attackers disguised their malware and duties below the names of present services or products.”

A number of the names used embody “Replace Microsoft,” “Yandex,” “YandexUpdate,” and “intel.exe.”

The assaults are additionally characterised by means of a PowerShell script (“Sophos_kill_local.ps1”) to terminate processes associated to Sophos safety software program on the compromised host.

Cybersecurity

The concluding levels entail utilizing the Home windows Job Scheduler to launch ransomware and wiper payloads, however not earlier than gathering and exfiltrating delicate details about their victims through a file-sharing service referred to as DropMeFiles within the type of ZIP archives.

“The attackers used a model of the favored LockBit 3.0 ransomware, compiled from publicly out there supply code, to encrypt the information,” Kaspersky researchers stated. “Earlier than beginning work, the ransomware terminates processes that will intervene with the encryption of particular person information.”

The wiper, equivalent to the Shamoon malware, rewrites the grasp boot report (MBR) on related drives and overwrites all file contents with randomly generated bytes, successfully stopping system restoration.

“The group sticks to a publicly out there and acquainted arsenal of malware instruments, which suggests it makes none of its personal,” Kaspersky famous. “This makes it potential to detect and stop Twelve’s assaults in due time.”

Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we put up.



Leave a Reply

Your email address will not be published. Required fields are marked *