Hackers Attack Organization using Cisco Attack Infrastructure
Experts from cybersecurity firm eSentire found that the attack infrastructure used in recent Cisco hack was also used in targeting a top Workforce management corporation in April 2022.
They also observed that the attack was executed by a threat actor called mx1r, an alleged member of the Evil Corp affiliate cluster tracked as UNC2165.
What is UNC2165?
UNC2165 has been active since 2019 and is known for using the FAKEUPDATES infection chain (aka UNC1543) to gain access to victims' networks.
Experts observed that FAKEUPDATES was also used as the initial infection vector for DRIDEX infections, which were in turn used to execute BITPAYMER or DOPPELPAYMER in the final stage of the attack.
Hades ransomware was also used
Earlier, the UNC2165 actors also used the HADES ransomware. As per eSentire, the hackers accessed the workforce management corporation's IT network via stolen Virtual Private Network (VPN) credentials.
The experts found various underground forum posts, from April 2022, where mx1r was looking for VPN credentials for high-profile organizations.
They also found posts on a Dark Web access broker auction site where a threat actor was buying VPN credentials for big U.S. companies.
Experts also find Cobalt Strike
The researchers also discovered the attackers attempting to move laterally in the network via a set of red team tools, including Cobalt Strike, network scanners, and Active Domain crawlers.
The attackers used Cobalt Strike to establish an initial foothold, and their hands-on actions were quick and swift from the time of initial access to the point where the attacker could enlist their own Virtual Machine on the target VPN network.
eSentire researchers also noticed the attacker trying to launch a Kerberoasting attack (cracking passwords in Windows Active Directory via the Kerberos authentication protocol) which is also in line with the TTPs of the Evil Corp affiliate/UNC2165.
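As an added, defensive example that is not from the eSentire report or this article: a small Python check over constructed Windows Security event 4769 records (the field names and sample values are assumed) that flags the pattern Kerberoasting leaves behind, one account requesting RC4-encrypted service tickets for many distinct SPNs in a short window.

```python
# Added example, not from the eSentire report: a minimal Kerberoasting
# detector over Windows Security event 4769 ("A Kerberos service ticket was
# requested"). Kerberoasting typically shows as one account requesting
# service tickets for many distinct SPNs in a short window, often with
# RC4 (TicketEncryptionType 0x17) so the hash is cheaper to crack offline.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry; fields mirror 4769 data.
SAMPLE_4769 = [
    {"ts": "2022-04-12T09:00:01", "account": "jdoe@CORP", "service": "MSSQLSvc/db01", "etype": "0x17"},
    {"ts": "2022-04-12T09:00:02", "account": "jdoe@CORP", "service": "HTTP/web01", "etype": "0x17"},
    {"ts": "2022-04-12T09:00:02", "account": "jdoe@CORP", "service": "CIFS/fs01", "etype": "0x17"},
    {"ts": "2022-04-12T09:00:03", "account": "jdoe@CORP", "service": "MSSQLSvc/db02", "etype": "0x17"},
    {"ts": "2022-04-12T09:00:04", "account": "jdoe@CORP", "service": "HTTP/intranet", "etype": "0x17"},
    {"ts": "2022-04-12T09:05:00", "account": "asmith@CORP", "service": "CIFS/fs01", "etype": "0x12"},
    {"ts": "2022-04-12T09:30:00", "account": "asmith@CORP", "service": "HTTP/web01", "etype": "0x12"},
]

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP

def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=4):
    """Return {account: sorted SPNs} for accounts that requested RC4 service
    tickets for at least `min_spns` distinct SPNs inside any `window`."""
    per_account = defaultdict(list)
    for e in events:
        if e["etype"].lower() in RC4_ETYPES:  # AES tickets are ignored
            per_account[e["account"]].append(
                (datetime.fromisoformat(e["ts"]), e["service"]))
    hits = {}
    for account, reqs in per_account.items():
        reqs.sort()
        start = 0
        # Sliding window over the sorted timestamps; keep the largest SPN set.
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            spns = {svc for _, svc in reqs[start:end + 1]}
            if len(spns) >= min_spns and len(spns) > len(hits.get(account, [])):
                hits[account] = sorted(spns)
    return hits

if __name__ == "__main__":
    for account, spns in detect_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account}: {len(spns)} SPNs {spns}")
```

In production the same logic would read 4769 events from the domain controllers' security logs and be tuned against the number of SPNs legitimate service accounts touch in five minutes.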
eSentire experts discovered the attack
The TTPs of the attack on the workforce management corporation are similar to those of Evil Corp, while the attack infrastructure used matches that of a Conti ransomware affiliate, which has been found using Hive and Yanluowang ransomware. eSentire tracks this infrastructure cluster as HiveStrike.
"It seems unlikely – but not impossible – that Conti would lend its infrastructure to Evil Corp. Given that Mandiant has interpreted UNC2165's pivot to LockBit as an intention to distance itself from the core Evil Corp group, it is more plausible that the Evil Corp affiliate/UNC2165 may be working with one of Conti's new subsidiaries. Conti's subsidiaries provide a similar outcome – to avoid sanctions by diffusing their resources into other established brands as they retire the Conti brand," the eSentire report concludes. "It's also possible that initial access was brokered by an Evil Corp affiliate but ultimately sold off to Hive operators and its affiliates."