In early 2022, the attack infrastructure later used against Cisco was also employed in an attempted breach of an unnamed workforce management solutions holding company. This attempted intrusion occurred just one month prior to the Cisco incident, indicating that the same infrastructure was reused against targets in different sectors.
According to cybersecurity firm eSentire, which unearthed these findings, the attacks may be attributed to an actor identified as mx1r, believed to be part of the notorious Evil Corp crime group and associated with a subgroup known as UNC2165. Evil Corp has a long history of deploying advanced malware, such as the renowned Dridex banking trojan, and has shifted to ransomware operations to evade sanctions imposed by the U.S. Treasury in December 2019.
Initial access to the targeted organization was achieved via stolen Virtual Private Network (VPN) credentials, allowing the attackers to move deeper into the victim's network using commercially available tools. Almost immediately after the initial breach, they deployed Cobalt Strike, a widely used penetration testing framework, to establish a foothold within the network.
In their investigation, eSentire noted that the attackers were efficient in registering their own virtual machine within the victim’s VPN network, allowing for greater control and persistence once inside. The tactics employed, including lateral movement and privilege escalation, are consistent with methods outlined in the MITRE ATT&CK Framework.
Furthermore, mx1r displayed similarities to UNC2165 through the use of Kerberoasting attacks targeting the Active Directory service, as well as Remote Desktop Protocol (RDP) access for further propagation within the network. This overlap in tradecraft maps to tactics catalogued in the MITRE ATT&CK framework, such as initial access, persistence, and lateral movement.
Interestingly, the Cobalt Strike infrastructure used in this operation bears resemblance to that of Conti ransomware affiliates, who have been previously linked to strains like Hive and Yanluowang. Yanluowang, in particular, has shifted to leaking files acquired from high-profile breaches, including the Cisco incident reported in May 2022.
Cisco has attributed the breach to specific threat groups, identifying connections to several organized collectives, including UNC2447, LAPSUS$, and the Yanluowang ransomware group. This multifaceted threat environment underscores the complexity of current cybercrime operations and their adaptive methodologies.
Though eSentire speculated on the potential collaboration between Evil Corp affiliates and Conti’s infrastructure, definitive conclusions remain elusive. The cybersecurity landscape is characterized by fluid partnerships among cybercriminal organizations, complicating attribution and response strategies for affected businesses.
As cyber threats continue to evolve, the imperative for organizations to reinforce their cybersecurity posture against such sophisticated attacks becomes increasingly critical. By understanding the methodologies employed by adversaries, businesses can better equip themselves to mitigate risks and safeguard their digital assets.