A hacktivist group known as Twelve has been observed using an arsenal of publicly available tools to conduct destructive cyber attacks against Russian targets.
“Rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims’ data and then destroy their infrastructure with a wiper to prevent recovery,” Kaspersky said in a Friday analysis.
“The approach is indicative of a desire to cause maximum damage to target organizations without deriving direct financial benefit.”
The hacking group, believed to have been formed in April 2023 following the onset of the Russo-Ukrainian war, has a track record of mounting cyber attacks that aim to cripple victim networks and disrupt business operations.
It has also been observed conducting hack-and-leak operations that exfiltrate sensitive data, which is then shared on its Telegram channel.
Kaspersky said Twelve shares infrastructural and tactical overlaps with a ransomware group called DARKSTAR (aka COMET or Shadow), raising the possibility that the two intrusion sets are related to one another or part of the same activity cluster.
“At the same time, whereas Twelve’s actions are clearly hacktivist in nature, DARKSTAR sticks to the classic double extortion pattern,” the Russian cybersecurity vendor said. “This variation of objectives within the syndicate underscores the complexity and diversity of modern cyberthreats.”
The attack chains begin with gaining initial access by abusing valid local or domain accounts, after which the Remote Desktop Protocol (RDP) is used to facilitate lateral movement. Some of these attacks are also carried out through the victim’s contractors.
“To do this, they gained access to the contractor’s infrastructure and then used its certificate to connect to its customer’s VPN,” Kaspersky noted. “Having obtained access to that, the adversary can connect to the customer’s systems via the Remote Desktop Protocol (RDP) and then penetrate the customer’s infrastructure.”
Prominent among the other tools used by Twelve are Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec for credential theft, discovery, network mapping, and privilege escalation. The malicious RDP connections to the system are tunneled through ngrok.
Also deployed are PHP web shells with capabilities to execute arbitrary commands, move files, or send emails. These programs, such as the WSO web shell, are readily available on GitHub.
In one incident investigated by Kaspersky, the threat actors are said to have exploited known security vulnerabilities (e.g., CVE-2021-21972 and CVE-2021-22005) in VMware vCenter to deliver a web shell that was then used to drop a backdoor dubbed FaceFish.
“To gain a foothold in the domain infrastructure, the adversary used PowerShell to add domain users and groups, and to modify ACLs (Access Control Lists) for Active Directory objects,” it said. “To avoid detection, the attackers disguised their malware and tasks under the names of existing products or services.”
Some of the names used include “Update Microsoft,” “Yandex,” “YandexUpdate,” and “intel.exe.”
The attacks are also characterized by the use of a PowerShell script (“Sophos_kill_local.ps1”) to terminate processes associated with Sophos security software on the compromised host.
The concluding phases entail using the Windows Task Scheduler to launch ransomware and wiper payloads, but not before gathering and exfiltrating sensitive information about their victims through a file-sharing service called DropMeFiles in the form of ZIP archives.
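As an added example (not code from the article or from Kaspersky), the following Python routine triages constructed scheduled-task creation records for the masquerade names and the Sophos kill script named above; the simplified record fields and the user-writable-directory heuristic are assumptions, not a real event schema.

```python
import re
from typing import Dict, List

# Names the report says Twelve used to disguise its tasks and malware.
MASQUERADE_NAMES = {"Update Microsoft", "Yandex", "YandexUpdate", "intel.exe"}
# Script name reported for terminating Sophos processes on the host.
SUSPICIOUS_SCRIPTS = {"sophos_kill_local.ps1"}

# Constructed sample records, loosely modelled on a "scheduled task created"
# audit event. The field names are simplified assumptions for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "Command": "C:\\Windows\\System32\\usoclient.exe", "User": "SYSTEM"},
    {"TaskName": "\\Update Microsoft",
     "Command": "C:\\Users\\Public\\intel.exe", "User": "CORP\\svc_backup"},
    {"TaskName": "\\YandexUpdate",
     "Command": "powershell.exe -ep bypass -f C:\\Temp\\Sophos_kill_local.ps1",
     "User": "CORP\\admin"},
    {"TaskName": "\\Backup\\Nightly",
     "Command": "C:\\Program Files\\Veeam\\backup.exe", "User": "SYSTEM"},
]


def triage_task_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons a task-creation record resembles the reported tradecraft."""
    reasons: List[str] = []
    # Last path component of the task name, e.g. "\Foo\Bar" -> "Bar".
    task_name = event["TaskName"].rstrip("\\").rsplit("\\", 1)[-1]
    cmd_lower = event["Command"].lower()
    if task_name in MASQUERADE_NAMES:
        reasons.append(f"task name '{task_name}' is a masquerade name from the report")
    for exe in (n for n in MASQUERADE_NAMES if n.endswith(".exe")):
        if exe.lower() in cmd_lower:
            reasons.append(f"action runs '{exe}', a binary name from the report")
    for script in SUSPICIOUS_SCRIPTS:
        if script in cmd_lower:
            reasons.append(f"action runs '{script}', the reported Sophos kill script")
    # Heuristic (assumption): legitimate vendor tasks rarely launch from these paths.
    if re.search(r"\\(users\\public|temp|appdata)\\", cmd_lower):
        reasons.append("action launches from a user-writable directory")
    return reasons


def triage_all(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each task name to its list of reasons (empty list means nothing flagged)."""
    return {e["TaskName"]: triage_task_event(e) for e in events}
```

On the constructed records, only the two tasks carrying the reported names are flagged, each for three independent reasons, so a single weak signal would not be enough on its own.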
“The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data,” Kaspersky researchers said. “Before starting work, the ransomware terminates processes that may interfere with the encryption of individual files.”
The wiper, identical to the Shamoon malware, rewrites the master boot record (MBR) on connected drives and overwrites all file contents with randomly generated bytes, effectively preventing system recovery.
“The group sticks to a publicly available and familiar arsenal of malware tools, which suggests it makes none of its own,” Kaspersky noted. “This makes it possible to detect and prevent Twelve’s attacks in due time.”