Threat actor mx1r, believed to be a member of Evil Corp affiliate UNC2165, is suspected of having targeted an unnamed workforce management corporation in April with the same attack infrastructure leveraged in the ransomware attack against Cisco the following month, reports The Hacker News.
Stolen VPN credentials have been leveraged by mx1r to obtain initial access to the targeted firm's network before using off-the-shelf tools to achieve lateral movement and more extensive network access, according to an eSentire report.
"Using Cobalt Strike, the attackers were able to gain an initial foothold and hands-on-actions were immediate and swift from the time of initial access to when the attacker was able to register their own Virtual Machine on the victim's VPN network," said eSentire.
Meanwhile, similarities in tactics and techniques, including the use of a Kerberoasting attack and the Remote Desktop Protocol, have prompted researchers to associate mx1r with UNC2165.
While the "HiveStrike" infrastructure used in the attack was similar to infrastructure leveraged by a Conti ransomware affiliate for Hive and Yanluowang ransomware deployment, researchers believe that it is more likely that UNC2165 may be working with new Conti subsidiaries rather than Conti lending its infrastructure to Evil Corp.
Officials at the City of Augusta, Georgia, have not communicated with the BlackByte ransomware operation, which took credit for a cyberattack against the city that commenced on May 21, Mayor Garnett Johnson said, according to The Record, a news site by cybersecurity firm Recorded Future.
The Clop ransomware operation, also known as Lace Tempest, TA505, and FIN11, has admitted to exploiting a zero-day in the MOVEit Transfer file transfer app to compromise various servers and exfiltrate data, after Microsoft attributed the intrusions to the group, reports BleepingComputer.