A Ukrainian hacktivist group that is believed to have come into existence in April 2023 has been actively using its arsenal to destroy Russian targets. “Rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims’ data and then destroy their infrastructure with a wiper to prevent recovery,” Kaspersky said in a Friday analysis. Unlike other hackers, Twelve does not aim for financial gain but looks to cause maximum damage by destroying the target’s entire infrastructure.
The observed attack chains start with gaining initial access by abusing valid local or domain accounts, after which the Remote Desktop Protocol (RDP) is used for lateral movement. Some of these attacks are also carried out via the victim’s contractors.
By routing the attack through contractors, the group first gains access to the contractor’s infrastructure and then uses the contractor’s certificate to connect to its customer’s VPN. Having obtained that access, the adversary can connect to the customer’s systems via RDP and then penetrate the customer’s infrastructure.
In one incident investigated by Kaspersky, the threat actors are said to have exploited known security vulnerabilities (e.g., CVE-2021-21972 and CVE-2021-22005) in VMware vCenter to deliver a webshell that was then used to drop a backdoor dubbed FaceFish. “To gain a foothold in the domain infrastructure, the group used PowerShell to add domain users and groups, and to modify ACLs (Access Control Lists) for Active Directory objects,” it said. “To avoid detection, the attackers disguised their malware and tasks under the names of existing products or services. The attackers used LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the customer data,” Kaspersky researchers said.
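The foothold activity described above (an RDP logon with a valid account, followed by PowerShell-driven creation of domain users and groups and ACL changes on Active Directory objects) leaves a recognisable trail in the Windows Security log. The following detection sketch is an added example written for this article, not code from Kaspersky or from the group’s toolkit: it correlates standard event IDs (4624 with logon type 10 for RDP, 4688 process creation, 4720 user created, 4728 member added to a security-enabled global group, 5136 directory object modified) per acting account inside a one-hour window. The event records, account names and hostnames are constructed for the example.

```python
"""Correlate constructed Windows Security events to flag the
account-abuse -> RDP -> PowerShell -> AD user/group/ACL change chain.
Added example; field names follow the Windows event schema, but every
record below is constructed and not a real log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Event IDs and field names
# are the standard Windows Security ones; values are made up.
SAMPLE_EVENTS = [
    {"time": "2024-09-20T01:02:00", "id": 4624, "TargetUserName": "contractor.svc",
     "LogonType": 10, "IpAddress": "10.50.0.7", "Computer": "SRV-DC01"},
    {"time": "2024-09-20T01:05:10", "id": 4688, "SubjectUserName": "contractor.svc",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Computer": "SRV-DC01"},
    {"time": "2024-09-20T01:05:30", "id": 4720, "SubjectUserName": "contractor.svc",
     "TargetUserName": "svc_backup2", "Computer": "SRV-DC01"},
    {"time": "2024-09-20T01:06:00", "id": 4728, "SubjectUserName": "contractor.svc",
     "MemberName": "CN=svc_backup2,CN=Users,DC=corp,DC=example",
     "TargetUserName": "Domain Admins", "Computer": "SRV-DC01"},
    {"time": "2024-09-20T01:07:00", "id": 5136, "SubjectUserName": "contractor.svc",
     "ObjectDN": "DC=corp,DC=example",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "Computer": "SRV-DC01"},
    # Benign: helpdesk creates one user in office hours, no RDP, no ACL change.
    {"time": "2024-09-20T10:15:00", "id": 4720, "SubjectUserName": "helpdesk01",
     "TargetUserName": "j.doe", "Computer": "SRV-DC01"},
]

WINDOW = timedelta(hours=1)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def classify(ev):
    """Map one event to (stage, acting account), or None if irrelevant."""
    eid = ev["id"]
    if eid == 4624 and ev.get("LogonType") == 10:          # RemoteInteractive = RDP
        return "rdp_logon", ev["TargetUserName"]
    if eid == 4688 and ev.get("NewProcessName", "").lower().endswith("powershell.exe"):
        return "powershell", ev["SubjectUserName"]
    if eid == 4720:                                         # user account created
        return "user_created", ev["SubjectUserName"]
    if eid == 4728 and ev.get("TargetUserName") in PRIVILEGED_GROUPS:
        return "privileged_group_add", ev["SubjectUserName"]
    if eid == 5136 and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor":
        return "acl_change", ev["SubjectUserName"]          # ACL on an AD object modified
    return None


def correlate(events, window=WINDOW, min_stages=3):
    """Return one finding per account that performs >= min_stages distinct
    stages of the chain within `window` of any of its own events."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        hit = classify(ev)
        if hit:
            stage, acct = hit
            by_account[acct].append((datetime.fromisoformat(ev["time"]), stage))
    findings = []
    for acct, items in by_account.items():
        for t0, _ in items:                                 # sliding window start
            stages = {s for t, s in items if t0 <= t <= t0 + window}
            if len(stages) >= min_stages:
                findings.append({"account": acct, "stages": sorted(stages),
                                 "start": t0.isoformat()})
                break
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"ALERT {f['account']} from {f['start']}: {', '.join(f['stages'])}")
```

The threshold of three distinct stages keeps a lone user creation by a helpdesk account below the alert line while still catching the chain even when one stage (for example 4688, which needs process auditing enabled) is missing from the log source.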
The wiper, identical to the Shamoon malware, rewrites the master boot record (MBR) on connected drives and overwrites all file contents with randomly generated bytes, effectively preventing system recovery.
The only relief is that Twelve builds its attacks from public tools and scripts, which makes them somewhat easier to defend against. However, leaving any security misconfiguration open to abuse can quickly result in irrecoverable loss of customer data, as multiple hacker groups are always on the lookout for such easy targets.