Experts from eSentire have determined that the infrastructure used to attack Cisco in May 2022 had been used a month earlier to compromise an unnamed HR solutions company. The researchers believe that malicious actors associated with Evil Corp are behind both incidents.
Let me remind you that in August 2022, Cisco representatives confirmed that in May the company’s corporate network had been hacked by the Yanluowang ransomware group. The attackers later tried to extort money from Cisco, threatening otherwise to publish the data stolen during the attack. At the time, the company emphasized that the hackers had managed to steal only non-confidential data from the Box folder associated with the compromised employee account.
Analysts at eSentire now say that the attack could have been the work of a criminal known as mx1r. It is believed that he is a member of one of the “branches” of the well-known Russian-speaking group Evil Corp (aka UNC2165).
The researchers write that the victim’s network was initially accessed using stolen VPN credentials, and then the attackers used ready-made tools for lateral movement.
“With the help of Cobalt Strike, the attackers were able to gain a foothold in the system. They acted quickly from the moment of initial access to the moment when they were able to register their own virtual machine in the victim’s VPN network,” the experts say.
The researchers link mx1r to Evil Corp because a number of the attackers’ tactics coincide, including a Kerberoasting attack against Active Directory and the use of RDP for lateral movement within the company’s network.
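Of the tactics listed above, Kerberoasting is the one that leaves the cleanest trace on a domain controller, so here is an added example (not from eSentire, Cisco or the original article) of the detection logic a SOC would run over Windows Security event 4769 (Kerberos service ticket request): one account requesting RC4-encrypted (ticket encryption type 0x17) service tickets for several distinct service accounts within a short window. The flattened key=value log lines are constructed for the example; real 4769 events arrive as EVTX/XML, and the field names used here are an assumption made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the fields of Windows Security event 4769.
# "Service" is the target service account (sAMAccountName), as in the real event.
# Flattened key=value rendering and field names are assumed for this example.
SAMPLE_EVENTS = [
    "2022-05-10T14:02:01Z EventID=4769 Account=jdoe@CORP.LOCAL Service=svc_sql EncType=0x17 Status=0x0 ClientIP=10.0.5.23",
    "2022-05-10T14:02:03Z EventID=4769 Account=jdoe@CORP.LOCAL Service=svc_http EncType=0x17 Status=0x0 ClientIP=10.0.5.23",
    "2022-05-10T14:02:04Z EventID=4769 Account=jdoe@CORP.LOCAL Service=svc_backup EncType=0x17 Status=0x0 ClientIP=10.0.5.23",
    "2022-05-10T14:02:05Z EventID=4769 Account=jdoe@CORP.LOCAL Service=krbtgt EncType=0x17 Status=0x0 ClientIP=10.0.5.23",
    "2022-05-10T14:02:06Z EventID=4769 Account=jdoe@CORP.LOCAL Service=WS01$ EncType=0x12 Status=0x0 ClientIP=10.0.5.23",
    "2022-05-10T14:05:00Z EventID=4769 Account=asmith@CORP.LOCAL Service=svc_sql EncType=0x12 Status=0x0 ClientIP=10.0.7.41",
    "2022-05-10T14:30:00Z EventID=4769 Account=asmith@CORP.LOCAL Service=svc_http EncType=0x17 Status=0x0 ClientIP=10.0.7.41",
    "2022-05-10T15:30:00Z EventID=4769 Account=asmith@CORP.LOCAL Service=svc_backup EncType=0x17 Status=0x0 ClientIP=10.0.7.41",
    "this line is malformed and must be ignored",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"Service=(?P<svc>\S+) EncType=(?P<enc>0x[0-9a-fA-F]+) "
    r"Status=(?P<status>0x[0-9a-fA-F]+) ClientIP=(?P<ip>\S+)$"
)


def parse_event(line):
    """Parse one flattened event line into a dict; return None for anything that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["enc"] = int(ev["enc"], 16)
    ev["status"] = int(ev["status"], 16)
    return ev


def is_roastable_request(ev):
    """A successful 4769 for a user service account, issued with RC4-HMAC (0x17).

    Machine accounts (trailing '$') and krbtgt are excluded: their keys are
    random and long, so a ticket for them is not a useful offline-cracking target.
    """
    if ev["eid"] != "4769" or ev["status"] != 0:
        return False
    if ev["enc"] != 0x17:
        return False
    svc = ev["svc"]
    return svc.lower() != "krbtgt" and not svc.endswith("$")


def find_kerberoasting(lines, window=timedelta(minutes=5), threshold=3):
    """Return {account: sorted service accounts} for every requester that pulled
    RC4 tickets for at least `threshold` distinct service accounts inside `window`."""
    per_account = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_roastable_request(ev):
            per_account[ev["acct"]].append(ev)

    alerts = {}
    for acct, evs in per_account.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window anchored at each event; alert on the first window that qualifies.
        for i, start in enumerate(evs):
            seen = set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                seen.add(ev["svc"])
            if len(seen) >= threshold:
                alerts[acct] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for acct, services in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {acct}: {', '.join(services)}")
```

In the constructed sample, jdoe requests RC4 tickets for three distinct service accounts in four seconds and is flagged, while asmith's two RC4 requests are an hour apart and stay under the threshold. The RC4 filter matches the default behaviour of common Kerberoasting tooling, but an attacker can request AES tickets for accounts that support them, so a production rule should also baseline the normal number of distinct service tickets per account and alert on deviations regardless of encryption type.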
At the same time, despite these overlaps, the HiveStrike infrastructure used in the attack generally matches that of one of the Conti group’s “partners” (affiliates), which had previously distributed the Hive and Yanluowang ransomware. It was these hackers who eventually published the data stolen from Cisco on their dark web leak site.
Cisco representatives themselves wrote that the attack was most likely “carried out by an attacker who was previously an initial access broker and had connections with the UNC2447 cybercrime group, the Lapsus$ group, and the Yanluowang ransomware operators.”