Evolving Cyber Threats: Hacktivist Tactics from Head Mare and Twelve

The recent investigation into cyberattacks targeting Russian companies underscores a worrying evolution in hacktivist tactics. In a series of incidents during September 2024, two groups—Head Mare and Twelve—appeared to have joined forces, sharing both techniques and even command-and-control (C2) infrastructure. This comprehensive analysis dives into the technical details uncovered in the report, the methods deployed by these adversaries, and what Windows users and IT professionals can learn from their evolving tactics.

---

A Convergence of Hacktivist Operations​

The research reveals that Head Mare, previously known for its phishing-driven intrusions, has stepped up its game by adopting tools and tactics long associated with the Twelve group. Notably:

• Shared Toolkits: Head Mare’s recent campaigns employed several publicly available and leaked tools, including mimikatz, ADRecon, secretsdump, ProcDump, and utilities like mRemoteNG and PSExec. What makes this particularly significant is the adoption of the CobInt backdoor—a tool that had only been seen in Twelve’s operations until now.
• Command-and-Control Overlap: Head Mare’s use of C2 servers that were previously linked exclusively to Twelve suggests coordinated or collaborative operations between the groups. This convergence is not only a sign of shared resources but also of a strategic evolution in their operational security and infrastructure choices.
• New Entrants in the Arsenal: The introduction of the PhantomJitter backdoor in August 2024 represents another shift. Deployed on servers for remote command execution, this tool further blurs the lines between the previously separate kill chains of Head Mare and Twelve.

---

Technical Anatomy of the Attack​

Initial Intrusion and Access Methods​

The attackers expanded their traditional phishing techniques by compromising trusted relationships. Here’s how they gained access:

• Phishing & Vulnerability Exploitation:
• Phishing emails with malicious attachments continue to be a primary vector.
• Exploitation of vulnerabilities such as CVE-2023-38831 in WinRAR and the long-known ProxyLogon vulnerability (CVE-2021-26855) on Microsoft Exchange servers (a critical concern given that many organizations still run outdated software).
• Compromised Contractors and RDP Abuse:
• Beyond phishing, the attackers infiltrated networks through compromised contractors with legitimate access to business automation platforms.
• They leveraged Remote Desktop Protocol (RDP) connections—an age-old yet still potent method when not sufficiently secured.

Summary: The combination of social engineering, exploitation of software vulnerabilities, and abuse of trusted relationships provided multiple avenues for these threat actors to breach secure environments.

Establishing a Foothold: Persistence and Anti-Detection Measures​

Once inside, the adversaries quickly established persistence while sneaking past detection mechanisms:

• Privileged Local Accounts:
• Instead of the more traditional scheduled tasks, attackers now create new local users with elevated privileges on business automation platforms. This approach not only aids persistence but also leverages RDP for interactive tool transfers.
• Traffic Tunneling Services:
• Tools like Localtonet, when combined with the Non-Sucking Service Manager (NSSM), offer a reliable way to run non-service applications as if they were native Windows services. This stealthy installation means that even if basic task scheduling is monitored, the traffic tunneling remains concealed.
• File Masquerading and Log Clearing:
• The attackers renamed executables—imagine cmd.exe being repurposed as log.exe—to blend into legitimate system processes.
• They also went to lengths to clear event logs and remove traces of their services using PowerShell commands, making forensic investigations even more challenging.

Quick Tips for Windows Users:
Regularly monitor system logs and consider deploying enhanced logging solutions that can alert you to unusual file renaming or new account creation activities.

Command and Control (C2) Infrastructure​

The command and control methodology reflects sophistication and resource sharing:

• PhantomJitter Backdoor Deployment:
• After exploiting business automation servers, the attackers downloaded the PhantomJitter backdoor from hard-coded URLs (e.g., using addresses like http://45.87.246[.]34:443/calc.exe). This malware established a direct tunnel for remote command execution.
• CobInt Backdoor Revisited:
• Aligning with Twelve’s previous footprint, CobInt payloads connected to domains such as 360nvidia[.]com, resolving to specific IP addresses. By merging these tools, the attackers not only diversified their C2 options but also increased redundancy in their command infrastructure.

Reflection: For IT administrators, it’s crucial to monitor outbound connections for anomalies, especially connections to IP addresses or domains that have previously been flagged in threat intelligence reports.

Pivoting with Custom PowerShell Scripts​

A particularly interesting aspect of the attack involves a custom PowerShell script—proxy.ps1—that plays a dual role:

• Dual-Role Script:
• The script downloads an archive, extracts it, and installs crucial tunneling tools like cloudflared and Gost, mimicking standard Windows services by placing executables in the System32 folder.
• It allows dynamic configuration using command-line parameters (such as specifying port numbers and tokens), thereby streamlining the setup of these proxies.
• Execution Details:
  The script’s options include:
• Installing the Gost service with a substitution in service configuration files.
• Configuring cloudflared with a secure token for establishing encrypted tunnels.
• The ability to uninstall these services cleanly when the -u flag is triggered, which was also highlighted in the investigation.

Recommendation: Ensure that PowerShell logging is configured to capture script execution details. This can be invaluable in identifying the misuse of legitimate tools and administration scripts.

Reconnaissance, Privilege Escalation, and Further Exploitation​

The attackers didn’t stop at initial access and persistence—they conducted detailed internal reconnaissance:

• Reconnaissance Tools:
• Standard system utilities like quser.exe, tasklist.exe, and netstat.exe were deployed along with network-specific tools such as SoftPerfect Network Scanner and fscan.
• The use of ADRecon scripts allowed for a granular assessment of the internal Active Directory environment, mapping computers, group memberships, and trust relationships.
• Post-Exploitation Tactics:
• Upon gaining remote access, the adversaries executed a command that invoked PowerShell (using techniques to bypass execution policies). This command fetched a remote script (vivo.txt) suspected of launching a reverse shell.
• The reverse shell activity resulted in the creation of persistent scripts (e.g., mcdrive.vbs and mcdrive.ps1) coupled with registry modifications to generate autorun entries.
• Credential Stealing:
• Tools such as mimikatz, secretsdump, and a newly identified Go-based sample (update.exe) were utilized to extract credentials and critical system files (like the ntds.dit file).
• The aggressive credential access aligns with best-known practices in lateral movement and further exploitation of compromised environments.

Security Note: Regularly audit credential usage and consider solutions that provide real-time alerts for abnormal processes, especially those attempting to extract sensitive data from directories or registry hives.

---

Implications for Windows Security and Best Practices​

The evolving tactics observed in this investigation signal several important takeaways for IT professionals:

• Patch Management is Paramount:
  With vulnerabilities like ProxyLogon remaining exploitable on legacy systems (e.g., Windows Server 2012 R2, Microsoft Exchange 2016), timely patching and system updates are no longer optional—it’s a critical security practice.
• Enhanced Monitoring and Logging:
  Given the stealthy tactics such as file masquerading and event log clearing, implementing advanced logging and monitoring systems that detect anomalies in user account activity or system file modifications is essential.
• User Awareness and Training:
  Social engineering remains a key component of these attacks. Ongoing employee training and robust email filtering are necessary to prevent initial compromise.
• Zero Trust and Network Segmentation:
  Given that attackers exploited trusted relationships between contractors and internal systems, adopting a Zero Trust architecture with strict network segmentation can substantially reduce lateral movement risks.

Final Thought: As hackers continue to refine their methods by integrating new tools with legacy techniques, the cybersecurity landscape demands a proactive and layered security approach. Windows users and IT professionals must be ever-vigilant, continuously updating and scrutinizing every facet of their network defenses.

---

In Closing​

The intricate interplay between Head Mare and Twelve in these joint campaigns offers a stark reminder that threat actors are not working in isolation—their collaboration further complicates attribution and defense. By dissecting the techniques, persistence mechanisms, and C2 strategies used in these attacks, security teams are better equipped to forecast potential vectors of compromise and fortify their systems. Vigilance, proactive patching, and a deep understanding of both emerging and established threat tools are key to staying ahead in this relentless cybersecurity arms race.

---

Source: Securelist Head Mare and Twelve: Joint attacks on Russian entities

 

[ChatGPT]

In a World Where Cyber Threats Evolve Daily, BaaS Steps Up as the Unsung Hero​

The days when backups were a mere precautionary cost have long been over. With cyber criminals relentlessly targeting backups to cripple organizations, Backup as a Service (BaaS) has emerged as a critical pillar for enhancing business resilience. This shift—from reactive to proactive disaster recovery—marks a significant evolution not only in cybersecurity strategy but also in the way companies approach data protection.

The Rising Menace: Cyber Criminals’ New Playground​

Cyber attackers have become adept at identifying and exploiting vulnerabilities in backup systems. Recent insights indicate that backup repositories are specifically targeted in 96% of ransomware attacks. Attackers are not only aiming at primary systems; they are meticulously going after the last lines of defense that organizations rely on during crises. Furthermore, the widespread deployment of Microsoft 365 has made it a common target, with 80% of these attacks involving Microsoft Office applications. Entra ID, for instance, faces an astonishing attack frequency—over 600 million attempts daily.

• Cyber criminals are pinpointing backups as soft spots in the cybersecurity chain.
• A significant share of these assaults now hones in on popular SaaS platforms like Microsoft 365.
• This trend highlights an urgent need for robust backup solutions that extend beyond the limitations of traditional cybersecurity measures.

Backup as a Service: Innovating and Securing Data Strategies​

With the mounting pressure from cyber threats, organizations are rethinking their data protection strategies. Traditional backups, once considered an "insurance policy," are now seen as vulnerable entry points. In contrast, BaaS delivers an outsourced, cloud-based solution that alleviates the resource-heavy maintenance of in-house backup systems. According to experts from Veeam Africa, including Gareth Clements and Driaan Odendaal, BaaS is transitioning from a mere auxiliary option to a critical component of comprehensive disaster recovery plans.

Key Benefits of BaaS​

• Cost-Efficiency: BaaS minimizes the need to invest heavily in internal infrastructure by shifting the maintenance and monitoring responsibilities to specialized service providers.
• Improved Resilience: A strategic move towards BaaS helps organizations maintain an immutable backup copy—a safeguard against the catastrophic impacts of data breaches and ransomware.
• Scalability and Flexibility: As businesses grow and adopt hybrid or multicloud architectures, BaaS accommodates varying workloads, from on-premises data to cloud applications.
• Enhanced Cyber Recovery: By facilitating quick and efficient data recovery, BaaS allows organizations to focus on innovation and growth rather than being bogged down by backup maintenance.

Gareth Clements aptly noted that BaaS and disaster recovery as a service (DRaaS) offer critical support by shifting the focus from routine maintenance to forward-thinking innovation. The assurance that backup systems will be ready to spring into action during incidents is a game changer for businesses operating in a high-risk cyber environment.

A Deep Dive into Veeam’s Data-Forward Approach​

Veeam, a leader in backup and disaster recovery solutions, has been at the forefront of innovating this space. Veeam’s recent webinar in partnership with ITWeb highlighted the strategic importance of BaaS and introduced cutting-edge solutions like the Veeam Data Platform and Veeam Data Cloud.

Veeam Data Platform and Data Cloud: Empowering Modern Cyber Resilience​

The Veeam Data Platform is designed to offer robust, self-managed backup protection that seamlessly covers hybrid and multicloud environments. Meanwhile, the Veeam Data Cloud serves as a fully managed service, specifically engineered to counter internal security threats, accidental deletions, and retention policy gaps. This dual approach ensures organizations are well-protected from every angle.

• Hybrid and Multicloud Coverage: The Data Platform ensures that businesses with diverse IT environments can secure data across both on-premises and cloud infrastructures.
• Granular Support and Flexibility: With features like the Flex solution for Microsoft 365, Veeam provides granular backup management. This solution is particularly effective for applications such as Teams, where traditional bulk backup methods fall short.
• Strategic Partnerships: Collaborations with industry giants like Microsoft enhance continuous product innovation, ensuring that backup solutions evolve in tandem with emerging threats.

Driaan Odendaal emphasized how the integration of Veeam’s Data Cloud with Microsoft’s backup solutions creates a complementary ecosystem. While Microsoft's backup service is proficient in executing bulk backups and restores, Veeam’s Data Cloud introduces a level of granularity and a beneficial “exit strategy” that Microsoft’s approach lacks. This strategic alliance underlines the importance of diversified yet integrated backup strategies that ensure no stone is left unturned when it comes to data protection.

The 3-2-1-1-0 Backup Strategy​

One notable innovation is the adherence to a comprehensive backup model known as the 3-2-1-1-0 rule. This strategy encapsulates the best practices for data resilience:

• Three copies of data: Maintain three instances of critical information.
• Two different media types: Store backups using two distinct media types to mitigate the risk of simultaneous failures.
• One off-site copy: Ensure at least one backup copy is located away from the primary data source.
• One immutable copy: Keep one version of the backup that cannot be tampered with or altered.
• Zero failures: Aim to achieve a flawless recovery process through meticulous planning and robust safeguards.

Veeam Data Cloud Vault, set to launch later in South Africa, is designed to bolster this backup strategy, providing an extra layer of security and resilience by enabling businesses to offload multiple backup copies into a secure cloud vault.

Challenges and the Road Ahead for BaaS Adoption​

The adoption of BaaS is on a steep upward trajectory. While only 16% of organizations currently utilize BaaS for protecting their on-premises and cloud workloads, projections suggest this figure will soar to 75% over the next three years. A recent webinar poll revealed that an overwhelming 97% of participants anticipate integrating cloud-based backup solutions within the next two years.

Overcoming the Hurdles​

• Resource Allocation: Organizations often view in-house backup management as resource-intensive. BaaS alleviates this burden by outsourcing data protection duties to dedicated experts.
• Complexity of Modern IT Environments: With the rapid evolution of hybrid and multicloud platforms, traditional backup methods are proving insufficient. Services like BaaS adapt to these diverse infrastructures, offering consistent protection across the board.
• Rising Cyber Threats: As cyber attacks grow in sophistication, the need for proactive defenses becomes imperative. BaaS solutions are designed to counteract these advanced threats, ensuring that response times are minimized during an attack.

Market Trends and Future Perspectives​

The move towards BaaS reflects broader technology trends focused on automation, cloud computing, and cybersecurity. Businesses are increasingly recognizing that robust backup solutions are not optional extras but essential components of a resilient IT strategy. The market is also witnessing a convergence of intelligent data management and sophisticated security measures, setting the stage for a future where data protection is seamlessly integrated into the fabric of business operations.

• Future backup strategies will likely incorporate artificial intelligence and machine learning to detect and respond to threats in real time.
• The growing complexity of regulatory and compliance requirements will push more organizations to adopt managed backup solutions that simplify these challenges.
• Strategic alliances, like those between Veeam and Microsoft, represent the industry's commitment to creating integrated solutions that build trust and enhance operational resilience.

Expert Analysis: Proactive Versus Reactive Cybersecurity Strategies​

One of the most compelling narratives in today’s cybersecurity discussions is the shift from a reactive stance to a proactive strategy. Traditional methods focused heavily on responding to breaches after they occurred. However, as cyber threats become more preemptive—attacking weak points like backup systems—the need for proactive measures is undeniable.

Key Takeaways from Proactive Backup Strategies​

• Anticipation Over Reaction: Companies are investing in BaaS to anticipate potential threats and ensure rapid recovery during and after an attack.
• Holistic Data Protection: The proactive approach enriches the overall cybersecurity framework by integrating backup solutions with broader IT security measures.
• Emphasis on Cyber Resilience: This paradigm shift is not only about backup speed and recovery time but also about ensuring that an organization’s continuity plans are foolproof.

By adopting proactive measures, organizations can reduce downtime, minimize the impact of cyber attacks, and protect sensitive data more effectively. Such strategies reinforce the notion that the real strength of a cybersecurity system lies in its ability to seamlessly recover from an incident, preserving both data integrity and business continuity.

Broader Implications for the Windows Ecosystem​

For Windows users, these developments underscore the evolving risk landscape where the threat extends beyond conventional hacking attempts to more insidious attacks on the data protection infrastructure. With cyber attackers honing in on products and services that integrate deeply with the Windows ecosystem—like Microsoft Office and Microsoft 365—users must be more vigilant than ever.

• Windows 11 Updates: Ensuring that Windows systems are current with all updates can reduce vulnerabilities. Regular patching and adherence to strict cybersecurity protocols are vital.
• Enhanced Data Recovery Options: As backups become a focal point for cyber threats, leveraging advanced BaaS solutions will be critical. This is especially true for organizations that depend on Windows environments for critical operations.
• Seamless Integration: The integration of BaaS with Windows-based systems, particularly through partnerships between leaders like Veeam and Microsoft, promises more streamlined and automated backup processes—a boon for IT departments across the board.

Expert Tips for IT Managers​

For IT professionals and decision-makers, it is essential to:

• Assess Existing Backup Strategies: Evaluate the current backup systems and identify any vulnerabilities. Conduct regular audits and simulations to understand potential points of failure.
• Invest in Scalable Solutions: Look for solutions that offer flexibility and scalability. As businesses adopt hybrid and multicloud environments, backup solutions must adapt accordingly.
• Train Staff on Cybersecurity Best Practices: Human error remains a significant risk factor. Ensure that all users are educated about safe computing practices to minimize inadvertent mistakes.
• Build a Multi-Layered Defense: Incorporate BaaS as part of a broader, multi-layered cybersecurity strategy. Ensure that your IT infrastructure is resilient enough to handle both external attacks and internal mishaps.

A Look to the Future​

The security landscape continues to evolve with emerging trends in artificial intelligence, cloud computing, and data analytics. As organizations increasingly recognize the importance of data integrity, the role of BaaS is set to expand further. This evolution is not merely about technology—it signals an overall strategic shift in business resilience planning.

• Investment in Cyber Recovery: With as many as 92% of organizations planning to increase their data protection budgets, cyber recovery is becoming a prioritized investment area.
• Integration of Advanced Technologies: Future backup solutions are expected to leverage AI-driven threat detection systems that can preemptively identify and neutralize potential attacks before they cause damage.
• Enhanced Compliance and Legal Safeguards: In an era where data privacy regulations are ever-tightening, robust backup strategies that support legal and compliance requirements will become indispensable.

Conclusion​

The cyber threat landscape is in a state of constant flux, and industries must pivot quickly to address emerging risks. BaaS is not merely a technological upgrade—it represents a fundamental shift in how organizations view and manage risk. By embracing advanced backup solutions like those offered by Veeam, businesses can secure their digital assets, ensure continuity, and ultimately foster an environment where innovation is driven by confidence and resilience.
For IT professionals, the message is clear: in a world where cyber criminals are targeting backups with unrelenting precision, proactive measures and robust backup solutions are no longer optional—they are essential. As businesses prepare for the future, BaaS stands out as a beacon of reliability, promising rapid recovery, enhanced data integrity, and the ability to stay a step ahead in this ever-evolving digital battleground.

---

Source: ITWeb BaaS becomes crucial as cyber criminals target backups