A hacktivist group known as Twelve has been observed using an arsenal of publicly available tools to carry out destructive cyber attacks against Russian targets.
"Rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims' data and then destroy their infrastructure with a wiper to prevent recovery," Kaspersky stated in a Friday investigation.
"The approach is indicative of a desire to cause maximum damage to target organizations without deriving direct financial benefit."
The group, believed to have been formed in April 2023 after the start of the Russo-Ukrainian conflict, has a track record of cyber attacks intended to cripple target networks and disrupt business operations.
It has also been detected executing hack-and-leak operations that exfiltrate sensitive material, which is subsequently disseminated on its Telegram channel.
Kaspersky said Twelve shares infrastructure and tactical overlaps with a ransomware group tracked as DARKSTAR (aka COMET or Shadow), suggesting that the two intrusion sets are either connected to one another or part of the same activity cluster.
"At the same time, whereas Twelve's actions are clearly hacktivist in nature, DARKSTAR sticks to the classic double extortion pattern," the Russian cybersecurity provider added. "This variation of objectives within the syndicate underscores the complexity and diversity of modern cyberthreats."
The attack chains begin with initial access obtained by abusing valid local or domain accounts, after which the Remote Desktop Protocol (RDP) is used for lateral movement. Some of these attacks are also carried out through the victim's contractors.
"To do this, they gained access to the contractor's infrastructure and then used its certificate to connect to its customer's VPN," Kaspersky observed. "Having obtained access to that, the adversary can connect to the customer's systems via the Remote Desktop Protocol (RDP) and then penetrate the customer's infrastructure."
Prominent among the other tools used by Twelve are Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec for credential theft, discovery, network mapping, and privilege escalation. The malicious RDP connections to the system are tunneled with ngrok.
Also deployed are PHP web shells with the ability to execute arbitrary commands, transfer files, or send emails. These tools, such as the WSO web shell, are publicly available on GitHub.
In one incident analyzed by Kaspersky, the threat actors are said to have exploited known security vulnerabilities (e.g., CVE-2021-21972 and CVE-2021-22005) in VMware vCenter to deploy a web shell that was subsequently used to install a backdoor dubbed FaceFish.
"To gain a foothold in the domain infrastructure, the adversary used PowerShell to add domain users and groups, and to modify ACLs (Access Control Lists) for Active Directory objects," it stated. "To avoid detection, the attackers disguised their malware and tasks under the names of existing products or services."
Some of the names used include "Update Microsoft," "Yandex," "YandexUpdate," and "intel.exe," suggesting an effort to dodge detection by masquerading as applications from Intel, Microsoft, and Yandex.
The attacks are also characterized by the use of a PowerShell script ("Sophos_kill_local.ps1") to terminate processes connected to Sophos security software on the compromised system.
The final stage uses the Windows Task Scheduler to launch the ransomware and wiper payloads, but not before sensitive data from the victims has been collected and exfiltrated as ZIP archives via a file-sharing service called DropMeFiles.
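The tradecraft described above (RDP tunneled through ngrok, scheduled tasks disguised with vendor names, the Sophos process-killing script, and PowerShell used to add domain users and groups and rewrite AD ACLs) all leaves traces in standard Windows telemetry. The following is an added example, not code from Kaspersky's report or from the Twelve toolset: a small rule set that scans a constructed stream of flattened Windows events (Sysmon event 1 process creation, 4698 scheduled task created, 4104 PowerShell script block, 4728 member added to a global group) and flags the behaviours the article lists. The event field names, the trusted-directory policy and the sample events are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Vendor names the article says Twelve used as disguises ("Update Microsoft",
# "Yandex", "YandexUpdate", "intel.exe"); matched case-insensitively.
VENDOR_MASQUERADE = re.compile(r"microsoft|yandex|intel", re.I)

# Directories a genuine vendor task would normally run from (assumed policy
# for this example; tune per environment).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class Event:
    """Flattened Windows event. Field names loosely mirror the real events
    (Sysmon 1: Image/CommandLine; 4698: TaskName/Command; 4104:
    ScriptBlockText/Path; 4728: MemberName/TargetUserName) but are assumed."""
    event_id: int
    fields: dict


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def rule_ngrok_rdp_tunnel(ev: Event) -> Optional[Finding]:
    """Process creation: the ngrok agent, or any process told to expose TCP 3389."""
    if ev.event_id != 1:
        return None
    image = ev.fields.get("Image", "").lower()
    cmd = ev.fields.get("CommandLine", "").lower()
    if image.endswith("ngrok.exe") or re.search(r"\btcp\s+3389\b", cmd):
        return Finding("ngrok_rdp_tunnel", cmd)
    return None


def rule_masquerading_task(ev: Event) -> Optional[Finding]:
    """Task creation: vendor-looking name whose action runs outside trusted dirs."""
    if ev.event_id != 4698:
        return None
    name = ev.fields.get("TaskName", "")
    command = ev.fields.get("Command", "").lower()
    if VENDOR_MASQUERADE.search(name) and not command.startswith(TRUSTED_DIRS):
        return Finding("masquerading_scheduled_task", f"{name} -> {command}")
    return None


def rule_security_tool_tampering(ev: Event) -> Optional[Finding]:
    """Script block: Sophos_kill_local.ps1 by name, or a script that kills
    processes while referring to Sophos."""
    if ev.event_id != 4104:
        return None
    path = ev.fields.get("Path", "")
    script = ev.fields.get("ScriptBlockText", "")
    kills = re.search(r"stop-process|taskkill|kill\s", script, re.I)
    if "sophos_kill_local.ps1" in path.lower() or (kills and "sophos" in script.lower()):
        return Finding("security_tool_tampering", path or script[:80])
    return None


def rule_ad_manipulation(ev: Event) -> Optional[Finding]:
    """Domain foothold: member added to a global security group (4728), or
    PowerShell creating users/groups or rewriting AD ACLs (4104)."""
    if ev.event_id == 4728:
        return Finding("domain_group_member_added",
                       f"{ev.fields.get('MemberName')} -> {ev.fields.get('TargetUserName')}")
    if ev.event_id == 4104:
        hit = re.search(r"New-ADUser|New-ADGroup|Add-ADGroupMember|Set-Acl",
                        ev.fields.get("ScriptBlockText", ""), re.I)
        if hit:
            return Finding("ad_manipulation_via_powershell", hit.group(0))
    return None


RULES: list[Callable[[Event], Optional[Finding]]] = [
    rule_ngrok_rdp_tunnel, rule_masquerading_task,
    rule_security_tool_tampering, rule_ad_manipulation,
]


def scan(events) -> list[Finding]:
    """Apply every rule to every event, in order; an event may raise several findings."""
    return [f for ev in events for r in RULES if (f := r(ev)) is not None]


# Constructed sample events: two benign records interleaved with the behaviours
# the article attributes to Twelve.
SAMPLE_EVENTS = [
    Event(4698, {"TaskName": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
                 "Command": "C:\\Windows\\System32\\sc.exe"}),            # benign
    Event(4698, {"TaskName": "Update Microsoft", "Command": "C:\\Users\\Public\\intel.exe"}),
    Event(4698, {"TaskName": "YandexUpdate", "Command": "C:\\ProgramData\\Yandex\\y.exe"}),
    Event(1, {"Image": "C:\\Users\\Public\\ngrok.exe", "CommandLine": "ngrok.exe tcp 3389"}),
    Event(4104, {"Path": "C:\\Scripts\\inventory.ps1",
                 "ScriptBlockText": "Get-Process | Export-Csv proc.csv"}),  # benign
    Event(4104, {"Path": "C:\\Users\\Public\\Sophos_kill_local.ps1",
                 "ScriptBlockText": "Get-Process | Where-Object {$_.Name -like 'Sophos*'} | Stop-Process -Force"}),
    Event(4104, {"Path": "", "ScriptBlockText": "Set-Acl -Path 'AD:\\DC=corp,DC=local' -AclObject $acl"}),
    Event(4728, {"MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=local",
                 "TargetUserName": "Domain Admins"}),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.rule:32} {finding.detail}")
```

The masquerading rule deliberately keys on the combination of a vendor-like name and an untrusted execution path rather than on the name alone, so the genuine Windows Update task in the sample stream is not flagged while "Update Microsoft" running from a user-writable directory is. In a real deployment the same rules would be fed from Sysmon and the Security and PowerShell operational logs rather than from an inline list.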
"The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data," Kaspersky researchers added. "Before starting work, the ransomware terminates processes that may interfere with the encryption of individual files."
The wiper, similar to the Shamoon malware, rewrites the master boot record (MBR) on attached disks and overwrites all file contents with randomly generated bytes, thereby preventing system recovery.
"The group sticks to a publicly available and familiar arsenal of malware tools, which suggests it makes none of its own," Kaspersky stated. "This makes it possible to detect and prevent Twelve's attacks in due time."