Threat actor mx1r, believed to be a member of Evil Corp affiliate UNC2165, is suspected of having targeted an unnamed workforce management corporation in April with the same attack infrastructure leveraged in the ransomware attack against Cisco the following month, reports The Hacker News.
According to an eSentire report, mx1r used stolen VPN credentials to obtain initial access to the targeted firm's network, then relied on off-the-shelf tools for lateral movement and broader network access.
"Using Cobalt Strike, the attackers were able to gain an initial foothold and hands-on actions were immediate and swift from the time of initial access to when the attacker was able to register their own Virtual Machine on the victim's VPN network," said eSentire.
Meanwhile, similarities in tactics and techniques, including the use of a Kerberoasting attack and the Remote Desktop Protocol, have prompted researchers to associate mx1r with UNC2165.
While the "HiveStrike" infrastructure used in the attack resembled infrastructure leveraged by a Conti ransomware affiliate to deploy Hive and Yanluowang ransomware, researchers consider it more likely that UNC2165 is working with new Conti subsidiaries than that Conti is lending its infrastructure to Evil Corp.