Over the past few months, a threat actor has been increasingly breaching enterprise networks to steal data and extort victims, but without disrupting their operations, researchers with the NCC Group reveal.
Dubbed SnapMC, the hacking group attempts to exploit multiple vulnerabilities in webserver and VPN applications for initial access and typically compromises victim networks in under 30 minutes.
The group then exfiltrates victim data to leverage it for extortion, but doesn’t use ransomware or other means of disrupting the victim’s operations.
SnapMC threatens to publish the stolen data online unless a ransom is paid, provides victims with a list of the stolen data as evidence of breach, and even goes through with the threats.
The adversary scans webserver applications and VPNs for multiple vulnerabilities that would allow it to gain access to the target environments. NCC Group has observed the group exploiting a remote code execution flaw in Telerik UI for ASPX.NET, as well as SQL injection bugs.
Following initial access, the adversary executes a payload to install a reverse shell for remote access. The observed payloads suggest SnapMC is using a publicly available proof-of-concept exploit targeting Telerik.
The threat actor also uses PowerShell scripts for reconnaissance and in one case attempted to escalate privileges. They also deploy various tools for data harvesting and exfiltration.
Given that SnapMC exploits known vulnerabilities for initial access, NCC Group encourages organizations to make sure all of their web-facing assets are kept up-to-date, which should mitigate the attack. Gaining visibility into vulnerable software and implementing robust detection and incident response mechanisms should also help fend off the attackers.
“In a ransomware attack, the adversary needs to achieve persistence and become a domain administrator before stealing data and deploying ransomware. While in the data breach extortion attacks, most of the activity could even be automated and takes less time while still having a significant impact,” NCC Group concludes.
Related: Saudi Aramco Facing $50M Cyber Extortion Over Leaked Data
Related: DC Police Department Hit by Apparent Extortion Attack
Related: Double Extortion: Ransomware's New Normal Combining Encryption with Data Theft
