Twelve Threat Actor Attacks Windows to Encrypt, Then Delete Victims' Data

Twelve, a hacktivist group linked to the Russian-Ukrainian conflict and formed in April 2023, specializes in encrypting and deleting victims' data; it also exfiltrates sensitive data and posts it online, causing significant IT disruption.

Twelve shares infrastructure and tactics with the ransomware group DARKSTAR, suggesting they belong to the same syndicate, but their motives differ, highlighting the complexity of modern cyberthreats.

The threat actor employs a reconnaissance-based attack strategy: it scans IP ranges for exposed VPN services and relies on freely available tools such as Cobalt Strike and mimikatz.

Initial access is gained through compromised contractor accounts, which are used to reach target infrastructure over RDP, often by exploiting vulnerabilities in VPN certificates.

Adversary action pattern

Investigators found numerous PHP web shells with random names on compromised Bitrix servers; these shells offered various functions, including moving files and sending email.

Publicly available tools were used by attackers to install these web shells. The FaceFish backdoor, loaded via a web shell, exploited vulnerabilities in the vSphere platform to gain persistence. 

Example of a remailer script used by the threat actor

The adversaries used PowerShell and net.exe to modify Active Directory objects and to create accounts and groups. They distributed malware disguised as legitimate software and cleared event logs to evade detection.

Attackers used Cobalt Strike for C2 communication, wget/curl to download tools, and also modified group policies and scheduled tasks for persistence.

They pivoted within the compromised network by tunnelling RDP connections through ngrok, and used a combination of Advanced IP Scanner, BloodHound, adPEAS, PowerView, and PowerShell to discover and map the domain infrastructure, identify potential weaknesses, and escalate privileges.

Example of permissions granted with PowerView to an account of interest to the attackers

By leveraging legitimate credentials and modifying account attributes, they gained extensive access and control over the target system and used a combination of self-written scripts and publicly available tools to compromise systems. 

Batch and PowerShell scripts carried out various actions, including potentially disabling antivirus software and copying malicious files; the attackers then used group policy objects to establish persistence and to deploy ransomware and wipers across the domain.

The attackers used mimikatz to dump local and domain credentials from the compromised systems and then used these credentials to laterally move within the victim’s network via RDP, PsExec, and PowerShell Remoting. 

Screenshot of calculator.exe running

Additionally, they employed the reg.exe and ntdsutil.exe utilities to extract system and domain credentials and the All-In-One Password Recovery Pro tool to collect further credentials from registry hives. 

According to Securelist, they also used LockBit 3.0 ransomware to encrypt victim data and then deployed wipers such as Shamoon to overwrite files and destroy MBRs after encryption.

LockBit was spread via group policy and scheduled tasks, while PowerShell scripts were used to copy the wiper to the netlogon share and target devices. 
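The tradecraft described above (credential dumping with reg.exe and ntdsutil.exe, event-log clearing, RDP tunnelling through ngrok, and payloads staged on the netlogon share and launched via scheduled tasks) is all visible in process-creation telemetry. The following is an added defensive example, not code from the report or from Cyber Press: a small rule-based triage pass over Windows process-creation events. The event line format, the hostnames and users, and the rule patterns are all constructed for this illustration (the patterns are simplified heuristics, not vendor signatures), and the script goes one step beyond single-event matching by flagging hosts where several distinct techniques appear together.

```python
"""Rule-based triage of Windows process-creation events for the TTPs
described above.  Added example: the log format and sample events are
constructed, and the rule patterns are simplified heuristics."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str       # MITRE ATT&CK technique id, for reference only
    pattern: re.Pattern  # searched case-insensitively in the command line


# Heuristic rules for the behaviours named in the report (simplified).
RULES = [
    Rule("reg_save_credential_hive", "T1003.002",
         re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)),
    Rule("ntdsutil_ifm_dump", "T1003.003",
         re.compile(r"\bntdsutil(\.exe)?\b.*\b(ifm|ac\s+i\s+ntds)\b", re.I)),
    Rule("mimikatz_invocation", "T1003.001",
         re.compile(r"\b(mimikatz|sekurlsa::)", re.I)),
    Rule("event_log_cleared", "T1070.001",
         re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    Rule("ngrok_rdp_tunnel", "T1572",
         re.compile(r"\bngrok(\.exe)?\b.*\btcp\b.*\b3389\b", re.I)),
    Rule("schtask_runs_from_share", "T1053.005",
         re.compile(r"\bschtasks(\.exe)?\s+/create\b.*\\\\[^\s]+\\(netlogon|sysvol)\\", re.I)),
    Rule("copy_to_netlogon_share", "T1570",
         re.compile(r"\b(copy|xcopy|copy-item)\b.*\\\\[^\s]+\\netlogon\\", re.I)),
]

# Constructed event format: one process-creation event per line.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmdline>[^"]*)"$')

# Constructed sample telemetry (hosts, users and paths are invented).
SAMPLE_EVENTS = [
    r'2024-07-02T21:14:05Z host=DC01 user=CORP\contractor1 image=C:\Windows\System32\reg.exe cmdline="reg save hklm\sam C:\temp\sam.hiv"',
    r'2024-07-02T21:14:09Z host=DC01 user=CORP\contractor1 image=C:\Windows\System32\ntdsutil.exe cmdline="ntdsutil ac i ntds ifm create full C:\temp\ntds q q"',
    r'2024-07-02T21:20:41Z host=DC01 user=CORP\contractor1 image=C:\Windows\System32\wevtutil.exe cmdline="wevtutil cl Security"',
    r'2024-07-02T22:03:17Z host=WS-042 user=CORP\svc_backup image=C:\Users\Public\ngrok.exe cmdline="ngrok tcp 3389"',
    r'2024-07-02T22:30:00Z host=WS-042 user=CORP\svc_backup image=C:\Windows\System32\cmd.exe cmdline="copy C:\Users\Public\w.exe \\dc01\netlogon\w.exe"',
    r'2024-07-02T22:31:12Z host=WS-042 user=CORP\svc_backup image=C:\Windows\System32\schtasks.exe cmdline="schtasks /create /tn Updater /tr \\dc01\netlogon\w.exe /sc once /st 23:00 /ru SYSTEM"',
    r'2024-07-02T22:45:00Z host=WS-017 user=CORP\alice image=C:\Windows\System32\notepad.exe cmdline="notepad C:\Users\alice\notes.txt"',
]


def parse_event(line):
    """Return the event fields as a dict, or None for a malformed line."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(event):
    """Return every rule whose pattern occurs in the event's command line."""
    return [r for r in RULES if r.pattern.search(event["cmdline"])]


def triage(lines):
    """Parse each line and emit one finding per (event, matching rule)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # skip lines that do not fit the expected format
        for rule in evaluate(ev):
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "rule": rule.name, "technique": rule.technique,
                             "cmdline": ev["cmdline"]})
    return findings


def hosts_by_severity(findings, threshold=2):
    """Hosts on which at least `threshold` distinct techniques were seen.
    A single hit may be admin noise; several different techniques on one
    host within the same window is what should go to the top of the queue."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["technique"])
    return sorted(h for h, techniques in by_host.items() if len(techniques) >= threshold)


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["ts"]} {h["host"]} {h["user"]} {h["rule"]} ({h["technique"]}): {h["cmdline"]}')
    print("escalate:", hosts_by_severity(hits))
```

Run over the constructed sample, the script reports three credential-access and cleanup findings on DC01 and three tunnelling and staging findings on WS-042, and `hosts_by_severity` escalates both hosts while ignoring the benign notepad event on WS-017. In production the same rules would be fed from Sysmon Event ID 1 or Windows Security Event ID 4688 with command-line auditing enabled; the correlation step is the part worth keeping, since it is the combination of dumping, clearing logs and staging on the domain controller's share that distinguishes this activity from routine administration.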

The threat actor Twelve prioritizes causing harm over financial gain: its tactics center on encrypting data, destroying infrastructure, and publicly shaming victims. Because the group relies on well-known, publicly available malware and tools, its activity can be detected and prevented.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
