Infra Used in Cisco Hack Also Targeted Workforce Management Solution

The attack infrastructure used to target Cisco in the May 2022 incident was also employed in an attempted compromise of an unnamed workforce management solutions holding company a month earlier, in April 2022.

Cybersecurity firm eSentire, which disclosed the findings, raised the possibility that the intrusions could be the work of a criminal actor known as mx1r, who is said to be a member of the Evil Corp affiliate cluster dubbed UNC2165.

Evil Corp, the progenitors of the infamous Dridex banking trojan, have, over the years, refined their modus operandi to run a series of ransomware operations to sidestep sanctions imposed by the U.S. Treasury in December 2019.

Initial access to the company’s IT network was made possible by using stolen Virtual Private Network (VPN) credentials, followed by leveraging off-the-shelf tools for lateral movement and gaining deeper access into the victim’s environment.

“Using Cobalt Strike, the attackers were able to gain an initial foothold and hands-on-actions were immediate and swift from the time of initial access to when the attacker was able to register their own Virtual Machine on the victim’s VPN network,” eSentire noted.

mx1r’s ties to UNC2165 stem from overlaps in tactics and techniques with that group, including staging a Kerberoasting attack against the Active Directory service and the use of Remote Desktop Protocol (RDP) access for propagating within the company’s network.
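Kerberoasting leaves a recognisable trace in Windows Security logs: one account requests service tickets for many distinct service principal names in a short burst, usually with the weaker RC4-HMAC encryption type (0x17) so the tickets can be cracked offline. The detector below is an added example, written for this page rather than taken from the eSentire report or Cisco’s analysis. It reads a constructed, simplified key=value rendering of Event ID 4769 records (not a real Windows export format), so the field names are the 4769 field names but the line layout and all account, service and IP values are assumptions.

```python
"""Heuristic Kerberoasting detector over Windows Security Event ID 4769 records.

Added example for this article. It assumes a simplified key=value log line
per 4769 event; the sample lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: jdoe pulls six distinct RC4 service tickets in seconds
# (the Kerberoasting pattern), asmith makes two normal AES requests, and a
# legacy app repeatedly requests the same RC4 ticket (noisy but not roasting).
SAMPLE_LOG = """\
2022-04-12T09:00:01 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=MSSQLSvc-db01 TicketEncryptionType=0x17 IpAddress=10.0.0.5
2022-04-12T09:00:02 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=http-intranet TicketEncryptionType=0x17 IpAddress=10.0.0.5
2022-04-12T09:00:02 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc-backup TicketEncryptionType=0x17 IpAddress=10.0.0.5
2022-04-12T09:00:03 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc-sharepoint TicketEncryptionType=0x17 IpAddress=10.0.0.5
2022-04-12T09:00:03 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc-exchange TicketEncryptionType=0x17 IpAddress=10.0.0.5
2022-04-12T09:00:04 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc-monitor TicketEncryptionType=0x17 IpAddress=10.0.0.5
2022-04-12T09:00:05 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x17 IpAddress=10.0.0.5
2022-04-12T09:10:00 EventID=4769 TargetUserName=asmith@CORP.LOCAL ServiceName=http-intranet TicketEncryptionType=0x12 IpAddress=10.0.0.9
2022-04-12T09:10:30 EventID=4769 TargetUserName=asmith@CORP.LOCAL ServiceName=MSSQLSvc-db01 TicketEncryptionType=0x12 IpAddress=10.0.0.9
2022-04-12T09:20:00 EventID=4769 TargetUserName=legacyapp@CORP.LOCAL ServiceName=svc-old TicketEncryptionType=0x17 IpAddress=10.0.0.20
2022-04-12T09:20:01 EventID=4769 TargetUserName=legacyapp@CORP.LOCAL ServiceName=svc-old TicketEncryptionType=0x17 IpAddress=10.0.0.20
2022-04-12T09:20:02 EventID=4769 TargetUserName=legacyapp@CORP.LOCAL ServiceName=svc-old TicketEncryptionType=0x17 IpAddress=10.0.0.20
2022-04-12T09:20:03 EventID=4769 TargetUserName=legacyapp@CORP.LOCAL ServiceName=svc-old TicketEncryptionType=0x17 IpAddress=10.0.0.20
2022-04-12T09:20:04 EventID=4769 TargetUserName=legacyapp@CORP.LOCAL ServiceName=svc-old TicketEncryptionType=0x17 IpAddress=10.0.0.20
"""

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in 4769 events


def parse_4769(text):
    """Parse the simplified key=value lines into dicts; keep only Event ID 4769."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *fields = line.split()
        record = dict(field.split("=", 1) for field in fields)
        if record.get("EventID") != "4769":
            continue
        record["time"] = datetime.fromisoformat(timestamp)
        events.append(record)
    return events


def find_kerberoasting(events, window=timedelta(minutes=5), min_distinct=5):
    """Return {account: sorted SPNs} for accounts that requested at least
    `min_distinct` different RC4 service tickets inside any `window`."""
    by_account = defaultdict(list)
    for event in events:
        service = event["ServiceName"]
        if event.get("TicketEncryptionType") != RC4_HMAC:
            continue  # AES tickets are not useful for offline cracking
        if service.endswith("$") or service.lower() == "krbtgt":
            continue  # machine accounts and the TGS itself are routine noise
        by_account[event["TargetUserName"]].append((event["time"], service))

    hits = {}
    for account, requests in by_account.items():
        requests.sort()
        flagged = set()
        start = 0
        # Sliding time window over the account's chronologically sorted requests.
        for end in range(len(requests)):
            while requests[end][0] - requests[start][0] > window:
                start += 1
            in_window = {svc for _, svc in requests[start:end + 1]}
            if len(in_window) >= min_distinct:
                flagged |= in_window
        if flagged:
            hits[account] = sorted(flagged)
    return hits


if __name__ == "__main__":
    for account, spns in find_kerberoasting(parse_4769(SAMPLE_LOG)).items():
        print(f"possible Kerberoasting by {account}: {len(spns)} SPNs -> {spns}")
```

The threshold and window are tuning knobs: a five-minute window with five distinct SPNs is a reasonable starting point, and excluding computer accounts and krbtgt keeps ordinary ticket traffic from tripping it. On the hardening side, the same 0x17 field tells you which service accounts still accept RC4; moving those accounts to AES-only and to long, machine-managed passwords (group managed service accounts where possible) removes most of what a Kerberoasting run can crack.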

The connections notwithstanding, the Cobalt Strike “HiveStrike” infrastructure used to mount the attack is said to match that of a Conti ransomware affiliate previously known to deploy Hive and Yanluowang strains, the latter of which has since posted files stolen from the Cisco breach in late May 2022 to its data leak site.

The networking equipment maker, earlier this month, attributed the incident to an initial access broker (IAB) with links to three different collectives: UNC2447, LAPSUS$, and Yanluowang ransomware. When reached for comment, Cisco Talos said it didn’t have anything to share beyond that analysis.

“It seems unlikely — but not impossible — that Conti would lend its infrastructure to Evil Corp,” eSentire said. In light of UNC2165’s recent pivot to LockBit ransomware, the company said “it is more plausible that the Evil Corp affiliate/UNC2165 may be working with one of Conti’s new subsidiaries.”

“It’s also possible that initial access was brokered by an Evil Corp affiliate but ultimately sold off to Hive operators and its affiliates,” it further added.

