Attack infrastructure used in Cisco hack linked to Evil Corp affiliate

Researchers discovered that the infrastructure used in Cisco hack was the same used to target a Workforce Management Solution firm.

Researchers from cybersecurity firm eSentire discovered that the attack infrastructure used in recent Cisco hack was also used to attack a top Workforce Management corporation in in April 2022.

The experts also speculate that the attack was orchestrated by a threat actor known as mx1r, who is an alleged member of the Evil Corp affiliate cluster dubbed UNC2165.

The UNC2165 group has been active since at least 2019, it was mainly observed using the FAKEUPDATES infection chain (aka  UNC1543) to access the victims’ networks. Experts noticed that FAKEUPDATES was also used as the initial infection vector for DRIDEX infections that were used to deploy BITPAYMER or DOPPELPAYMER in the last stage of the attack.

Previously, the UNC2165 actors also deployed the HADES ransomware.

According to eSentire, the crooks gained access to the workforce management corporation’s IT network using stolen Virtual Private Network (VPN) credentials.

The researchers discovered several underground forum posts, dating from April 2022, where mx1r was looking for VPN credentials for high-profile companies. The experts also discovered posts on a Dark Web access broker auction site where a threat actor was purchasing VPN credentials for large U.S. companies. 

The experts were also able to discover the attackers trying to move laterally in the network using a set of red team tools, including Cobalt Strike, network scanners and Active Domain crawlers.

“Using Cobalt Strike, the attackers were able to gain an initial foothold and hands-on-actions were immediate and swift from the time of initial access to when the attacker was able to register their own Virtual Machine on the victim’s VPN network.” reads the analysis published by the experts.

eSentire experts also observed the threat actor attempting to launch a Kerberoasting attack (cracking passwords within Windows Active Directory through the Kerberos authentication protocol) which is also consistent with the TTPs of the Evil Corp affiliate/UNC2165.

TTPs of the attack that hit the workforce management corporation match those of Evil Corp, while the attack infrastructure used matches that of a Conti ransomware affiliate, who has been seen deploying Hive and Yanluowang ransomware. eSentire tracks this infrastructure cluster as HiveStrike.

“It seems unlikely – but not impossible – that Conti would lend its infrastructure to Evil Corp. Given that Mandiant has interpreted UNC2165´s pivot to LockBit, as an intention to distance itself from the core Evil Corp group, it is more plausible that the Evil Corp affiliate/UNC2165 may be working with one of Conti’s new subsidiaries. Conti’s subsidiaries provide a similar outcome – to avoid sanctions by diffusing their resources into other established brands as they retire the Conti brand.” concludes the report. “It’s also possible that initial access was brokered by an Evil Corp affiliate but ultimately sold off to Hive operators and its affiliates.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco hack)

[adrotate banner=”5″]

[adrotate banner=”13″]