The hacktivist collective Twelve has been observed using a range of freely available tools in destructive cyber attacks against Russian targets.
According to Kaspersky’s recent assessment, “Twelve” – a ransomware gang – takes an unconventional approach: rather than demanding a ransom to decrypt information, it tends to encrypt victims’ data and then destroy their infrastructure with a wiper, making recovery impossible.
“The approach suggests a requirement to cause maximum harm in order to concentrate on companies without generating immediate financial returns.”
The group, believed to have been formed in April 2023 in response to the ongoing Russo-Ukrainian conflict, has a history of escalating cyber attacks aimed at crippling target networks and disrupting business continuity.
In its hack-and-leak operations, the group quietly exfiltrates sensitive information and then publishes it on its Telegram channel.
According to Kaspersky, Twelve shares infrastructure and tactics with a ransomware group known as COMET (also called Shadow), which significantly increases the likelihood that the two intrusion sets are linked or part of the same operation.
“While Twelve’s tactics are undoubtedly hacktivist-inspired, DARKSTAR adheres to the tried-and-true strategy of double extortion.” “This variation within the syndicate highlights the multifaceted nature of modern cyber threats, underscoring their complexity and diversity.”
The attackers gain their initial foothold using existing valid credentials for local or domain accounts. They then use the Remote Desktop Protocol (RDP) for lateral movement within the compromised network. Some of these attacks are also carried out through the victim’s own employees.
“In order to achieve this, hackers exploited a vulnerability by gaining access to the contractor’s infrastructure, and then utilized the acquired credentials to establish a connection with the client’s VPN,” Kaspersky revealed. Once inside, the attacker can use this access to connect to the customer’s systems via RDP and ultimately compromise the internal infrastructure.
Notable tools in the group’s arsenal are Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec, used for credential extraction, network discovery and mapping, and privilege escalation. Malicious RDP connections into the system are tunneled through an ngrok service.
Also deployed are PHP-based web shells capable of executing commands, transferring data, and sending emails, further extending the attackers’ capabilities. These tools are publicly available on GitHub.
In one notable case investigated by Kaspersky Lab, the threat actors exploited well-documented security vulnerabilities in VMware vCenter – specifically CVE-2021-21997 and CVE-2021-3180 – to deploy malware, which ultimately led to the installation of a backdoor known as FaceFish.
“To infiltrate the targeted infrastructure, the attacker leveraged PowerShell to create new domain users and groups, as well as modify ACLs for Active Directory objects.” “To evade detection, the attackers cleverly concealed their malicious software and activities under the guise of existing services or products.”
Among the names employed are “Update Microsoft,” “Yandex,” “YandexUpdate,” and “intel.exe.”
The attacks are also distinguished by a PowerShell script, “Sophos_kill_local.ps1,” which terminates processes belonging to Sophos security software on the compromised host.
In the final stages, the attackers use Windows Task Scheduler to launch the ransomware and wiper payloads, but only after collecting sensitive victim data into ZIP archives and exfiltrating it through the file-sharing service DropMeFiles.
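As an added, defender-side example (not code from Kaspersky’s report or the article), the following Python triage turns the behaviours described above into detection rules: product-lookalike binary names, the Sophos kill script, ngrok tunnelling of RDP, and Task Scheduler used to launch payloads. It runs over constructed Sysmon-style process-creation records; the field names (`image`, `cmdline`) and the sample paths are assumptions.

```python
import re

# Constructed Sysmon-style process-creation records (sample data, not real
# telemetry). The lure names, script name and ngrok/RDP usage follow the article.
SAMPLE_EVENTS = [
    {"image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"image": "C:\\ProgramData\\intel.exe", "cmdline": "intel.exe"},
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -ep bypass -File C:\\Temp\\Sophos_kill_local.ps1"},
    {"image": "C:\\Users\\Public\\ngrok.exe", "cmdline": "ngrok.exe tcp 3389"},
    {"image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks.exe /Create /TN YandexUpdate /TR C:\\ProgramData\\YandexUpdate.exe /SC ONCE"},
    {"image": "C:\\Program Files\\Yandex\\YandexBrowser\\browser.exe", "cmdline": "browser.exe"},
]

# Executable names the group used to pose as existing services or products.
LOOKALIKE = re.compile(r"(?i)(?:^|[\\/])(?:update ?microsoft|yandex(?:update)?|intel)\.exe$")
# Genuine vendor/OS binaries live here; a lookalike name anywhere else is suspicious.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

def outside_trusted(path):
    return not path.lower().startswith(TRUSTED_DIRS)

def rule_masquerade(ev):  # lookalike binary running from an untrusted directory
    return bool(LOOKALIKE.search(ev["image"])) and outside_trusted(ev["image"])

def rule_sophos_kill(ev):  # the named kill script, or PowerShell process killing aimed at Sophos
    c = ev["cmdline"].lower()
    return "sophos_kill_local.ps1" in c or ("sophos" in c and "stop-process" in c)

def rule_ngrok_rdp(ev):  # ngrok exposing the local RDP port (3389) as a TCP tunnel
    c = ev["cmdline"].lower()
    return "ngrok" in c and re.search(r"\btcp\b.*\b3389\b", c) is not None

def rule_schtask_payload(ev):  # scheduled task whose action is a lookalike or untrusted path
    m = re.search(r'(?i)schtasks.*?/create\b.*?/tr\s+"?([^\s"]+)', ev["cmdline"])
    return bool(m) and (bool(LOOKALIKE.search(m.group(1))) or outside_trusted(m.group(1)))

RULES = [("masquerade", rule_masquerade), ("sophos_kill", rule_sophos_kill),
         ("ngrok_rdp", rule_ngrok_rdp), ("schtask_payload", rule_schtask_payload)]

def triage(events):
    # Map each rule name to the command lines it matched; unmatched rules are absent.
    hits = {}
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.setdefault(name, []).append(ev["cmdline"])
    return hits
```

Benign records (the real svchost.exe and a Yandex browser installed under Program Files) produce no hits, which is the false-positive check worth keeping when adapting these rules to real telemetry.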
“The attackers leveraged a readily available model compiled from publicly accessible open-source code to encrypt the data,” Kaspersky researchers noted. Before starting its malicious activity, the ransomware terminates any processes that could interfere with the encryption.
The wiper overwrites the Master Boot Record (MBR) on affected drives and then replaces all file content with random binary data, rendering system recovery futile.
The group relies on readily available, well-known tools, which suggests it does not develop any of its own. “This enables timely detection and prevention of Twelve’s attacks.”