A hacktivist group called Twelve has been observed launching destructive cyberattacks against Russian targets using a wide range of publicly available tools.
“Rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims’ data and then destroy their infrastructure with a wiper to prevent recovery,” Kaspersky said in a Friday analysis.
“The approach is indicative of a desire to cause maximum damage to target organizations without deriving direct financial benefit.”
The group has a history of attacks aimed at damaging victim networks and disrupting business operations. It is believed to have been formed in April 2023, following the outbreak of the Russo-Ukrainian war.
It has also been seen carrying out hack-and-leak operations, stealing private data and then publishing it on its Telegram channel.
Twelve and DARKSTAR (also known as COMET or Shadow) are two ransomware groups that have similarities in both infrastructure and tactics, according to Kaspersky. This suggests that the two intrusion sets are either connected or components of the same activity cluster.
“At the same time, whereas Twelve’s actions are clearly hacktivist in nature, DARKSTAR sticks to the classic double extortion pattern,” the Russian cybersecurity vendor said. “This variation of objectives within the syndicate underscores the complexity and diversity of modern cyberthreats.”
Initial access is obtained by abusing legitimate local or domain accounts, after which the Remote Desktop Protocol (RDP) is used for lateral movement. Some of the attacks are also carried out through the victim's contractors.
“To do this, they gained access to the contractor’s infrastructure and then used its certificate to connect to its customer’s VPN,” Kaspersky noted. “Having obtained access to that, the adversary can connect to the customer’s systems via the Remote Desktop Protocol (RDP) and then penetrate the customer’s infrastructure.”
Other notable tools Twelve uses for network mapping, privilege escalation, credential theft, and discovery include Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec. The malicious RDP connections to the target systems are tunneled through ngrok.
The group also deploys PHP web shells that can move files, send emails, and run arbitrary commands. These scripts, including the WSO web shell, are freely available on GitHub.
In one incident Kaspersky investigated, the threat actors reportedly exploited known security flaws in VMware vCenter (such as CVE-2021-21972 and CVE-2021-22005) to deliver a web shell, which was then used to install a backdoor known as FaceFish.
“To gain a foothold in the domain infrastructure, the adversary used PowerShell to add domain users and groups and to modify ACLs (Access Control Lists) for Active Directory objects,” it said. “To avoid detection, the attackers disguised their malware and tasks under the names of existing products or services.”
Some of the names used are “Update Microsoft,” “Yandex,” “YandexUpdate,” and “intel.exe,” an attempt to pass as legitimate software from Microsoft, Yandex, and Intel in order to avoid detection.
Another hallmark of the attacks is the use of a PowerShell script called “Sophos_kill_local.ps1” to terminate processes belonging to Sophos security software on the compromised server.
In the final phases, ransomware and wiper payloads are launched via the Windows Task Scheduler, but only after sensitive data about the victims has been collected, packaged into ZIP archives, and exfiltrated through the file-sharing platform DropMeFiles.
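The tradecraft described in the preceding paragraphs (scheduled tasks named after vendor products, a PowerShell script that kills Sophos processes, a binary disguised as “intel.exe”) can be turned into a simple detection check. The following is an added example written for this article, not code from Kaspersky's report or from the group's toolset: it scans Windows Security event 4698 (“a scheduled task was created”) records and flags tasks whose names or actions match the indicators the article lists. The event records, the account names and file paths inside them, and the function names are all constructed for the example.

```python
"""Flag scheduled-task creations that match the naming and tooling the article
attributes to Twelve. Added example; all event records below are constructed."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace of the Task Scheduler XML that event 4698 logs in its TaskContent field.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Names the article says were used to pass as Microsoft, Yandex and Intel software.
DISGUISED_NAMES = {"update microsoft", "yandex", "yandexupdate", "intel.exe"}

# The PowerShell script the article names for terminating Sophos processes.
KILL_SCRIPTS = {"sophos_kill_local.ps1"}


@dataclass
class TaskCreatedEvent:
    """Constructed stand-in for a Security log event 4698 (scheduled task created)."""
    event_id: int
    subject: str        # account that registered the task
    task_name: str      # full task path, e.g. "\\Update Microsoft"
    task_content: str   # Task Scheduler XML definition as logged in the event


def exec_actions(task_xml: str) -> list[tuple[str, str]]:
    """Return (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for node in root.iter(TASK_NS + "Exec"):
        cmd = (node.findtext(TASK_NS + "Command") or "").strip()
        args = (node.findtext(TASK_NS + "Arguments") or "").strip()
        actions.append((cmd, args))
    return actions


def assess(event: TaskCreatedEvent) -> list[str]:
    """Return the reasons a task looks like Twelve tradecraft; empty list if none."""
    if event.event_id != 4698:
        return []
    reasons = []
    leaf = event.task_name.rsplit("\\", 1)[-1].lower()
    if leaf in DISGUISED_NAMES:
        reasons.append(f"task name {event.task_name!r} impersonates a vendor product")
    for cmd, args in exec_actions(event.task_content):
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        line = f"{cmd} {args}".lower()
        if exe in DISGUISED_NAMES:
            reasons.append(f"executes vendor-named binary {exe!r} from {cmd!r}")
        if any(script in line for script in KILL_SCRIPTS):
            reasons.append("action runs the Sophos process-killing script")
        if leaf in DISGUISED_NAMES and "powershell" in exe:
            reasons.append("vendor-named task launches PowerShell")
    return reasons


def scan(events: list[TaskCreatedEvent]) -> dict[str, list[str]]:
    """Map each suspicious task name to its reasons; clean tasks are omitted."""
    return {e.task_name: r for e in events if (r := assess(e))}


def task_xml(command: str, arguments: str = "") -> str:
    """Build a minimal Task Scheduler definition (constructed sample, not a real log)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Actions><Exec><Command>{command}</Command>"
        f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>"
    )


# Constructed sample: one benign Windows task, two tasks styled after the article,
# and one non-4698 event that the check deliberately ignores.
SAMPLE_EVENTS = [
    TaskCreatedEvent(4698, "NT AUTHORITY\\SYSTEM", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
                     task_xml("%windir%\\system32\\defrag.exe", "-c -h -o -$")),
    TaskCreatedEvent(4698, "CORP\\svc_backup", "\\Update Microsoft",
                     task_xml("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                              "-File C:\\ProgramData\\Sophos_kill_local.ps1")),
    TaskCreatedEvent(4698, "CORP\\svc_backup", "\\YandexUpdate",
                     task_xml("C:\\Users\\Public\\intel.exe")),
    TaskCreatedEvent(4702, "CORP\\svc_backup", "\\Yandex",
                     task_xml("C:\\Users\\Public\\intel.exe")),
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The check is intentionally narrow: it keys on the exact task and file names reported, so a rename by the attackers would evade it. In practice it belongs alongside broader rules, such as alerting on any new task that launches PowerShell from a user-writable directory or on a task registered by an account that does not normally administer the host.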
“The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data,” Kaspersky researchers said. “Before starting work, the ransomware terminates processes that may interfere with the encryption of individual files.”
Similar to the Shamoon malware, the wiper overwrites all file contents with randomly generated bytes and modifies the master boot record (MBR) on connected drives, preventing system recovery.
“The group sticks to a publicly available and familiar arsenal of malware tools, which suggests it makes none of its own,” Kaspersky noted. “This makes it possible to detect and prevent Twelve’s attacks in due time.”