  • Evil Corp and Conti Linked to Cisco Data Breach, eSentire Suggests

    aum


    A new report by pure-play managed detection and response (MDR) service provider eSentire has connected the data breach affecting Cisco Talos systems in May to an Evil Corp-affiliated group.


    More specifically, eSentire's Threat Response Unit (TRU) discovered that the IT infrastructure used to attack Cisco was also deployed in an attempted compromise of one of its clients in April 2022.


    "TRU believes that a hacker who uses the alias, mx1r, is the cybercriminal behind the attack," eSentire wrote.


    According to security company Mandiant, the threat actor known as mx1r is reportedly a member of an Evil Corp affiliate group called UNC2165.


    For context, in an advisory published after the May attack, Cisco attributed their breach to a threat actor with ties to the Lapsus$ threat group, the Yanluowang ransomware operators, and a group that Mandiant calls UNC2447.


    Fast forward to the present day: the MDR advisory clarified that while the tactics, techniques, and procedures (TTPs) of the attack against the workforce management corporation matched those of Evil Corp, the infrastructure used matched that of a Conti ransomware affiliate, which has been seen deploying both Hive and Yanluowang ransomware payloads.


    "Looking at various technical details of the malicious infrastructure leveraged, TRU discovered a handful of additional instances of Cobalt Strike infrastructure," eSentire wrote.


    "TRU tracks this infrastructure cluster as HiveStrike. The Hive group first appeared on the ransomware scene in June 2021 and quickly gained a reputation for attacking critical targets including hospitals, energy companies and IT companies."


    According to eSentire's report, HiveStrike also bears some similarities to the ShadowStrike infrastructure reported by TRU earlier this year with affiliations to Conti.


    "It seems unlikely – but not impossible – that Conti would lend its infrastructure to Evil Corp," reads the advisory.


    eSentire concluded its advisory by providing a series of suggestions to help companies protect their systems from cyber-attacks. These include having offline backup copies of all critical files, using multi-factor authentication (MFA) and only allowing administrators to access network appliances using a VPN service, among others.
