Researchers have been tracking an initial access broker for several years, and it is still causing havoc despite striking up a predictable tune when it comes to the tools and tactics it uses to compromise organizations.
Researchers were able to track five intrusions between July 2020 and July 2022 by the group they track as Gold Melody. Each of the attacks was snuffed out early, thanks in part to the group's extensive yet predictable tactics, techniques, and procedures (TTPs), the researchers noted.
The group's attacks typically begin with the exploitation of known vulnerabilities such as CVE-2021-42237, a critical 9.8-rated bug in the Sitecore content management platform; CVE-2017-5638, a critical 10-out-of-10-rated flaw affecting Apache Struts; the infamous Log4Shell vulnerability; and more. Each of these vulnerabilities was publicly known and patched, often years before Gold Melody exploited it in delinquent IT environments.
After the initial intrusion, the group typically attempts to establish persistence with Jakarta Server Pages (JSP) web shells; in one case back in 2020, it used the Perl-based IHS Back-Connect backdoor instead. It then performs reconnaissance on the victim environment, using Windows or Linux commands to display information about the host machine, user, directories, and more. Finally, it attempts to harvest credentials, for example with the Mimikatz pen-testing tool.
Besides Mimikatz, Gold Melody has a suite of other tools at its disposal: open source utilities like Wget, for retrieving files from a remote server, as well as tools from the cybercrime underground like "GOTROJ," a Golang-based remote access Trojan (RAT) useful for establishing persistence, performing reconnaissance, and executing arbitrary commands on a host machine.
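The post-exploitation chain described above (a JSP web shell dropped under a web root, then host and user discovery commands launched from the application server process) is exactly the kind of behaviour endpoint telemetry can flag before credential theft and the ransomware hand-off. The following detection sketch is an added example and is not code from the article or from any vendor mentioned in it; the event format, the process names in the allow-lists, and the sample events are all constructed assumptions and would need to be mapped onto your own EDR or Sysmon schema.

```python
"""Flag web-server-originated reconnaissance and JSP drops in process/file telemetry.

Added example: the JSON event format, the process-name sets and the sample
events below are constructed for illustration, not taken from the article.
"""
import json
import re
from dataclasses import dataclass

# Processes that host JSP applications (assumption: tune to your estate).
WEB_SERVER_PROCESSES = {"java", "java.exe", "tomcat9.exe", "httpd"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
# Host, user and directory discovery commands of the kind the article describes.
RECON_COMMANDS = {"whoami", "hostname", "systeminfo", "ipconfig", "ifconfig",
                  "net", "tasklist", "id", "uname", "ps", "dir", "ls"}
# A .jsp file written beneath a web root by the server itself is a candidate web shell.
WEBROOT_RE = re.compile(r"(?:webapps|htdocs|wwwroot)[\\/].*\.jsp$", re.IGNORECASE)
# Split command lines on whitespace and common shell separators/quotes.
TOKEN_RE = re.compile(r"""[\s;|&"']+""")


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased final path component, so 'C:\\Windows\\System32\\cmd.exe' -> 'cmd.exe'."""
    return re.split(r"[\\/]", path)[-1].lower()


def _recon_tokens(cmdline: str) -> list:
    """Discovery commands present in a command line, e.g. 'cmd.exe /c net user' -> ['net']."""
    tokens = {t.lower().removesuffix(".exe") for t in TOKEN_RE.split(cmdline) if t}
    return sorted(tokens & RECON_COMMANDS)


def inspect_event(event: dict):
    """Return an Alert for one telemetry event, or None if it looks benign."""
    host = event.get("host", "?")
    if event.get("type") == "process":
        parent = _basename(event.get("parent", ""))
        image = _basename(event.get("image", ""))
        # A shell spawned by the application server running discovery commands.
        if parent in WEB_SERVER_PROCESSES and image in SHELLS:
            hits = _recon_tokens(event.get("cmdline", ""))
            if hits:
                return Alert(host, "recon_from_web_server",
                             f"{parent} -> {image}: {' '.join(hits)}")
    elif event.get("type") == "file_write":
        writer = _basename(event.get("process", ""))
        path = event.get("path", "")
        # The server writing a new JSP into its own web root: typical web shell drop.
        if writer in WEB_SERVER_PROCESSES and WEBROOT_RE.search(path):
            return Alert(host, "jsp_written_to_webroot", path)
    return None


def scan(lines) -> list:
    """Run every JSON-lines event through inspect_event and collect the alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if line:
            alert = inspect_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


def summarize(alerts) -> dict:
    """Alert counts per rule, handy for a quick triage view."""
    counts = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


# Constructed sample telemetry: two Windows hosts and one Linux host.
SAMPLE_EVENTS = [
    r'{"type":"process","host":"web01","parent":"C:\\tomcat\\bin\\java.exe","image":"cmd.exe","cmdline":"cmd.exe /c whoami"}',
    r'{"type":"process","host":"web01","parent":"java.exe","image":"cmd.exe","cmdline":"cmd.exe /c net user"}',
    r'{"type":"file_write","host":"web01","process":"java.exe","path":"C:\\tomcat\\webapps\\ROOT\\cache.jsp"}',
    r'{"type":"process","host":"ws07","parent":"explorer.exe","image":"cmd.exe","cmdline":"cmd.exe /c whoami"}',
    r'{"type":"file_write","host":"web01","process":"java.exe","path":"C:\\tomcat\\logs\\catalina.out"}',
    r'{"type":"process","host":"web02","parent":"/usr/bin/java","image":"/bin/sh","cmdline":"sh -c \"id; uname -a\""}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
    print(summarize(scan(SAMPLE_EVENTS)))
```

Two design points: the rule keys on the parent/child relationship rather than on the command names alone, so an administrator running `whoami` from Explorer (event four) is not flagged, and the file-write rule deliberately ignores the server writing to its own log directory (event five) so that only new JSPs under the web root surface. In a real deployment both rules would be enriched with the user context and the request that triggered the spawn, which is where the exploited CVE usually shows up.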
Earlier, CrowdStrike observed attacks that led to the deployment of Egregor and MountLocker ransomware. Similarly, Mandiant observed a compromise that enabled Gold Melody’s partners to install CryptoDefense ransomware. In all of these cases, the ransomware arrived in target networks anywhere from a couple of weeks to several months after Gold Melody’s job was done.
The natural hygiene is to follow simple steps that can snuff out the danger early, like patching the perimeter: for your Internet-facing systems, that vulnerability management piece is super important.