Cyber Group ‘Gold Melody’ Promoting Compromised Entry to Ransomware Attackers

Sep 21, 2023THNCyber Menace / Ransomware

A financially motivated menace actor has been outed as an preliminary entry dealer (IAB) that sells entry to compromised organizations for different adversaries to conduct follow-on assaults similar to ransomware.

SecureWorks Counter Menace Unit (CTU) has dubbed the e-crime group Gold Melodywhich can be recognized by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant).

“This financially motivated group has been active since at least 2017, compromising organizations by exploiting vulnerabilities in unpatched internet-facing servers,” the cybersecurity firm said.

“The victimology suggests opportunistic attacks for financial gain rather than a targeted campaign conducted by a state-sponsored threat group for espionage, destruction, or disruption.”

Cybersecurity

Gold Melody has been previously linked to attacks exploiting safety flaws in JBoss Messaging (CVE-2017-7504), Citrix ADC (CVE-2019-19781), Oracle WebLogic (CVE-2020-14750 and CVE-2020-14882), GitLab (CVE-2021-22205), Citrix ShareFile Storage Zones Controller (CVE-2021-22941), Atlassian Confluence (CVE-2021-26084), ForgeRock AM (CVE-2021-35464), and Apache Log4j (CVE-2021-44228) servers.

The cybercrime group has been noticed increasing its victimology footprint to strike retail, well being care, vitality, monetary transactions, and high-tech organizations in North America, Northern Europe, and Western Asia as of mid-2020.

Mandiant, in an evaluation printed in March 2023, stated that “in multiple instances, UNC961 intrusion activity has preceded the deployment of Maze and Egregor ransomware from distinct follow-on actors.”

It additional described the group as “resourceful in their opportunistic angle to initial access operations” and famous it “employs a cost-effective approach to achieve initial access by exploiting recently disclosed vulnerabilities using publicly available exploit code.”

In addition to counting on a various arsenal comprising net shells, built-in working system software program, and publicly accessible utilities, it is recognized to make use of proprietary distant entry trojans (RATs) and tunneling instruments similar to GOTROJ (aka MUTEPUT), BARNWORK, HOLEDOOR, DARKDOOR, AUDITUNNEL, HOLEPUNCH, LIGHTBUNNY, and HOLERUN to execute arbitrary instructions, collect system info, and set up a reverse tunnel with a hard-coded IP handle.

Secureworks, which linked Gold Melody to 5 intrusions between July 2020 and July 2022, stated these assaults entailed the abuse of a special set of flaws, together with these impacting Oracle E-Enterprise Suite (CVE-2016-0545), Apache Struts (CVE-2017-5638), Sitecore XP (CVE-2021-42237), and Flexera FlexNet (CVE-2021-4104) to acquire preliminary entry.

UPCOMING WEBINAR

AI vs. AI: Harnessing AI Defenses Against AI-Powered Risks

Able to sort out new AI-driven cybersecurity challenges? Be part of our insightful webinar with Zscaler to handle the rising menace of generative AI in cybersecurity.

Supercharge Your Skills

A profitable foothold is succeeded by the deployment of net shells for persistence, adopted by creating directories within the compromised host to stage the instruments used within the an infection chain.

“Gold Melody conducts a considerable amount of scanning to understand a victim’s environment,” the corporate stated. “Scanning begins shortly after gaining access but is repeated and continued throughout the intrusion.”

The reconnaissance part paves the way in which for credential harvesting, lateral motion, and knowledge exfiltration. That stated, all 5 assaults finally proved to be unsuccessful.

“Gold Melody acts as a financially motivated IAB, selling access to other threat actors,” the corporate concluded. “The buyers subsequently monetize the access, likely through extortion via ransomware deployment.”

“Its reliance on exploiting vulnerabilities in unpatched internet-facing servers for access reinforces the importance of robust patch management.”

Discovered this text fascinating? Observe us on Twitter and LinkedIn to learn extra unique content material we put up.


Author: data@thehackernews.com (The Hacker Information)
Date: 2023-09-21 05:11:00

Source link

spot_imgspot_img

Subscribe

Related articles

Navigating the following horizon of SIM know-how

With that, we come to the top of this...

New Backdoor Focusing on European Officers Linked to Indian Diplomatic Occasions

Feb 29, 2024NewsroomCyber Espionage / Malware A beforehand undocumented risk...
spot_imgspot_img
Alina A, Toronto
Alina A, Torontohttp://alinaa-cybersecurity.com
Alina A, an UofT graduate & Google Certified Cyber Security analyst, currently based in Toronto, Canada. She is passionate for Research and to write about Cyber-security related issues, trends and concerns in an emerging digital world.

LEAVE A REPLY

Please enter your comment!
Please enter your name here