Kaspersky has published evidence that two known threat activity clusters, Head Mare and Twelve, have likely joined forces to target Russian entities. The link rests on shared command-and-control (C2) servers and shared tooling, which Kaspersky assesses as likely coordination between the two clusters rather than coincidental overlap.
TL;DR
- Collaboration Revealed: Threat activity clusters Head Mare and Twelve have likely joined forces to target Russian entities.
- Shared Infrastructure: Head Mare utilized command-and-control (C2) servers previously linked to Twelve, suggesting collaboration.
- New Tools: Head Mare deployed CobInt and PhantomJitter backdoors, tools previously associated with Twelve.
- Attack Methods: Exploited known, long-patched vulnerabilities in WinRAR (CVE-2023-38831) and Microsoft Exchange (CVE-2021-26855, ProxyLogon), alongside phishing and compromised contractors.
- Ransomware Deployment: LockBit 3.0 and Babuk ransomware were used to encrypt data, with ransom notes directing victims to Telegram.
The Collaboration Between Head Mare and Twelve
Kaspersky’s central evidence is infrastructure overlap: Head Mare relied heavily on tools previously associated with Twelve, and its attacks used C2 servers that, before these incidents, had been linked only to Twelve. Shared infrastructure is a stronger attribution signal than shared public tooling, because the same C2 server cannot be reused by unrelated operators without some coordination. Kaspersky therefore assesses that Head Mare is likely drawing on Twelve’s established resources to extend its own attack capabilities.
“Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents,” Kaspersky stated.
Tools and Techniques
Head Mare’s toolkit mixes publicly available tools with custom malware. Two additions stand out: CobInt, a backdoor previously observed in Twelve’s attacks, and PhantomJitter, a bespoke implant for remote command execution. In the attacks on Russian firms, CobInt was used to obtain remote access to domain controllers, while PhantomJitter was installed on servers for persistent control.
The attackers also exploited two long-patched vulnerabilities: CVE-2023-38831 in WinRAR (fixed in WinRAR 6.23, released August 2023) and CVE-2021-26855 (ProxyLogon) in Microsoft Exchange Server (fixed in the March 2021 security updates). That these exploits still succeed points to unpatched, internet-exposed Exchange servers and to WinRAR installations that nobody updates; WinRAR has no automatic update mechanism, so every install stays on whatever version was first deployed until someone replaces it.
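As an added example, not code from Kaspersky’s report or from this article, the script below builds a harmless archive with the CVE-2023-38831 layout (a decoy file and a directory that share the same name, trailing space included, with a script inside the directory) and scans it with the structural heuristic defenders use to flag such archives before WinRAR ever opens them. The file names, the placeholder bodies and the control archive are all constructed for the example.

```python
import io
import zipfile
from typing import List

# Extensions that end up executed if WinRAR opens the shadowed path.
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".scr")


def build_sample_archive() -> bytes:
    """Constructed sample reproducing the CVE-2023-38831 archive layout.

    A decoy file entry and a directory entry share the same name (note the
    trailing space); the directory holds a script named after the decoy plus
    a script extension. Both bodies are harmless placeholders, not payloads.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf ", b"%PDF-1.4 placeholder, not a real document")
        zf.writestr("Invoice.pdf /Invoice.pdf .cmd", b"echo placeholder\r\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control case: an ordinary archive with no name collision."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("notes/readme.txt", b"nothing to see")
    return buf.getvalue()


def scan_archive(data: bytes) -> List[str]:
    """Return human-readable findings for the CVE-2023-38831 structure.

    Heuristic: a file entry whose full name is also used as a directory
    prefix by another entry, especially when the file name carries trailing
    whitespace and the directory contains a script. The prefix check works
    whether or not the archive carries an explicit directory entry.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]
    file_names = [n for n in names if not n.endswith("/")]
    for name in file_names:
        if name != name.rstrip():
            findings.append(f"file name ends in whitespace: {name!r}")
        prefix = name + "/"
        shadowed = [n for n in names if n.startswith(prefix)]
        if shadowed:
            findings.append(f"directory shares its name with file {name!r}: {shadowed}")
            for entry in shadowed:
                if entry.lower().endswith(SCRIPT_EXTS):
                    findings.append(f"script under shadowing directory: {entry!r}")
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when the archive shows any of the CVE-2023-38831 markers."""
    return bool(scan_archive(data))


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding)
```

Run it against mail-gateway or file-share quarantine samples: the heuristic is cheap, needs no WinRAR on the scanning host, and fires on the shape of the archive rather than on any particular payload, so repacked variants with new script bodies still match. Legitimate archives almost never contain a file and a directory with the identical name, so false positives are rare, but keep the trailing-whitespace finding as a supporting signal rather than a block on its own.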
Initial Access and Persistence
Head Mare’s initial access methods have evolved. Phishing emails with malicious attachments remain common, but the group has also entered victims’ networks through compromised contractors who held access to business automation platforms and RDP connections. Because the contractor’s credentials and network paths are already trusted, this trusted-relationship attack (MITRE ATT&CK T1199) bypasses perimeter controls that would block a direct intrusion.
Once inside, the attackers established persistence by creating new privileged local users on the business automation platform servers, then connected with those accounts over RDP to transfer and run tools interactively. Traffic tunneling tools, Localtonet and Cloudflared, kept that access reachable from outside even where the perimeter blocks inbound RDP, since both establish their tunnels over outbound connections from the compromised host.
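As an added example, not code from Kaspersky or from this article, the Python below runs the correlation a detection engineer would write for this persistence chain over a handful of constructed Windows Security events: a local account created (4720), added to the local Administrators group (4732), used for an RDP logon (4624 with logon type 10), and then launching a tunneling binary (4688). Hosts, account names and IP addresses are fictional, and the events are simplified dicts; in production the same fields come from the Security channel through your SIEM.

```python
from datetime import datetime, timedelta
from typing import Dict, List

LOCAL_ADMINS_SID = "S-1-5-32-544"             # BUILTIN\Administrators
RDP_LOGON_TYPE = 10                            # RemoteInteractive
TUNNEL_TOOLS = ("cloudflared", "localtonet")   # the two tools named in the report

# Constructed sample events, modelled on Windows Security log fields
# (4720 account created, 4732 member added to local group, 4624 logon,
# 4688 process creation). Hosts, accounts and addresses are fictional.
SAMPLE_EVENTS = [
    {"time": "2025-03-10T02:14:05", "id": 4720, "host": "BAP-SRV01",
     "subject": "CONTRACTOR\\svc_erp", "target": "support_adm"},
    {"time": "2025-03-10T02:14:09", "id": 4732, "host": "BAP-SRV01",
     "subject": "CONTRACTOR\\svc_erp", "target": "support_adm",
     "group_sid": LOCAL_ADMINS_SID},
    {"time": "2025-03-10T02:20:41", "id": 4624, "host": "BAP-SRV01",
     "target": "support_adm", "logon_type": RDP_LOGON_TYPE, "src_ip": "203.0.113.45"},
    {"time": "2025-03-10T02:25:12", "id": 4688, "host": "BAP-SRV01",
     "subject": "BAP-SRV01\\support_adm",
     "process": "C:\\Users\\Public\\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run"},
    # Routine RDP session by an existing user: must not fire.
    {"time": "2025-03-10T09:00:00", "id": 4624, "host": "BAP-SRV01",
     "target": "j.ivanov", "logon_type": RDP_LOGON_TYPE, "src_ip": "10.0.5.21"},
]


def detect(events: List[Dict], window: timedelta = timedelta(hours=24)) -> List[Dict]:
    """Correlate new local user -> local admin -> RDP logon -> tunnel tool.

    Accounts are tracked per host from their 4720 creation event; later
    events for the same (host, account) pair within `window` are scored.
    """
    created: Dict[tuple, datetime] = {}
    findings: List[Dict] = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        key = (e["host"], e.get("target", "").lower())
        if e["id"] == 4720:
            created[key] = t
        elif e["id"] == 4732 and e.get("group_sid") == LOCAL_ADMINS_SID and key in created:
            findings.append({"rule": "new_local_admin", "host": e["host"],
                             "account": e["target"], "by": e["subject"], "time": e["time"]})
        elif e["id"] == 4624 and e.get("logon_type") == RDP_LOGON_TYPE:
            if key in created and t - created[key] <= window:
                findings.append({"rule": "rdp_by_new_account", "host": e["host"],
                                 "account": e["target"], "src_ip": e["src_ip"],
                                 "time": e["time"]})
        elif e["id"] == 4688:
            exe = e["process"].rsplit("\\", 1)[-1].lower()
            if any(exe.startswith(tool) for tool in TUNNEL_TOOLS):
                findings.append({"rule": "tunnel_tool", "host": e["host"],
                                 "process": e["process"], "by": e["subject"],
                                 "time": e["time"]})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Two caveats before deploying this. Event 4688 only exists when process-creation auditing is enabled, and the command line is logged only if that option is switched on separately, so confirm both on the business automation platform servers before relying on the tunnel-tool rule; renamed binaries will also evade a name match, so pair it with a hash or signer check where your telemetry has one. The RDP rule will fire during legitimate onboarding of a new admin account, which is the point: a human should confirm that every such account was requested.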
Ransomware Deployment
The attacks culminated in the deployment of LockBit 3.0 and Babuk ransomware, which encrypted data on compromised hosts. Ransom notes were left, urging victims to contact the attackers via Telegram for decryption instructions. This tactic aligns with previous Head Mare operations, where ransomware was used to extort payments from victims.
Implications and Future Monitoring
The collaboration between Head Mare and Twelve marks an escalation of the threat to Russian entities. Shared tools, infrastructure and tactics point to a deepening alliance, and pooled resources tend to produce more capable and more damaging attacks over time.
Kaspersky has emphasized the importance of monitoring these groups closely, as their evolving techniques and shared resources could pose a growing threat to both state and privately controlled companies in Russia. The cybersecurity firm has pledged to continue sharing updates on the groups’ activities and tools.
Conclusion
The collaboration between Head Mare and Twelve underscores how interconnected modern threat clusters are. For defenders, the report’s findings translate into three concrete priorities: patch WinRAR and Exchange (both exploited flaws have had fixes available for years), review and constrain contractor access to business automation platforms and RDP, and alert on newly created local administrator accounts and on tunneling binaries such as Cloudflared and Localtonet running on servers.
References
- The Hacker News: Kaspersky Links Head Mare to Twelve
- Securelist: Head Mare and Twelve Join Forces
- Security Online: Inside the Collaboration
Metadata
Keywords: Head Mare, Twelve, Kaspersky, Russian entities, C2 servers, ransomware, cybersecurity, LockBit, Babuk, CobInt, PhantomJitter, WinRAR vulnerability, Microsoft Exchange vulnerability, phishing, trusted relationship attack.