In September 2024, a wave of attacks targeted numerous Russian companies, meticulously executing tactics reminiscent of two prominent hacktivist groups: Head Mare and Twelve. Analysis shows a substantial overlap in tools and resources, suggesting a collaborative effort between these entities.
This discussion delves into the software and techniques employed in recent Head Mare attacks, delineating the evolution of their tactics, techniques, and procedures (TTPs) while drawing parallels with Twelve’s methodologies.
Head Mare’s Evolving Toolkit
The hackers utilized a variety of tools, both open-source and proprietary, to facilitate their operations. Their arsenal included:
- mimikatz
- ADRecon
- secretsdump
- ProcDump
- Localtonet
- ngrok
- cloudflared
- and many more.
Notably, the inclusion of the CobInt backdoor, previously exclusive to Twelve, underscores the shared capabilities and potential collaboration among these hacking groups.
Initial Access and Advanced Techniques
Shifting tactics, Head Mare introduced a new method of initial access: compromising contractors that hold legitimate access to their clients' business automation systems. This tactic capitalizes on trusted relationships, a pattern increasingly seen in modern intrusions.
The attackers frequently exploited known vulnerabilities, such as CVE-2023-38831, indicating a systematic approach to identifying and leveraging weak links within their targets’ networks. Their persistence techniques have also evolved: rather than relying on scheduled tasks, the attackers create privileged local accounts and use them to interact directly with the compromised systems.
Their ability to masquerade malicious tools as standard OS files further highlights their sophistication, employing renaming and path obfuscation tactics to evade detection.
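The two behaviours described above, creation of privileged local accounts for persistence and renaming tools to look like OS files, both leave traces a defender can check for. The following Python is an added example written for this summary (not code from the report or from either group) that runs two such checks over constructed Windows Security log extracts and process records; the event fields are simplified (4732 normally carries the member as a SID) and all account, path and time values are invented.

```python
"""Detection checks for the persistence and masquerading patterns described above.
(1) A local account is created (Event 4720) and soon added to Administrators (4732).
(2) A binary carrying an OS file name runs outside the system directories, or its
    PE OriginalFileName disagrees with its on-disk name (renaming / path obfuscation).
All records below are constructed sample data, not real telemetry."""
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def privileged_account_creations(events, window=timedelta(hours=1)):
    """Return (account, creator) pairs where a 4720 is followed, within `window`,
    by a 4732 that adds the same account to the local Administrators group."""
    created = {}   # account -> (creator, creation time) taken from 4720 events
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4720:
            created[ev["target"].lower()] = (ev["subject"], ev["time"])
        elif ev["id"] == 4732 and ev["group_sid"] == ADMINS_SID:
            member = ev["member"].lower()
            if member in created and ev["time"] - created[member][1] <= window:
                hits.append((member, created[member][0]))
    return hits

def masqueraded_binaries(processes, os_names=("svchost.exe", "lsass.exe", "conhost.exe")):
    """Flag image paths that borrow an OS binary name outside the system directories,
    or whose embedded OriginalFileName does not match the name on disk."""
    flagged = []
    for p in processes:
        path = p["image"].lower()
        name = path.rsplit("\\", 1)[-1]
        wrong_dir = name in os_names and not path.startswith(SYSTEM_DIRS)
        renamed = p.get("original_name", name).lower() != name
        if wrong_dir or renamed:
            flagged.append(p["image"])
    return flagged

T0 = datetime(2024, 9, 10, 3, 0)   # constructed timestamp
SAMPLE_EVENTS = [   # constructed, simplified Security log extracts
    {"id": 4720, "time": T0, "subject": "CORP\\svc_backup", "target": "support_adm"},
    {"id": 4732, "time": T0 + timedelta(minutes=2), "subject": "CORP\\svc_backup",
     "member": "support_adm", "group_sid": ADMINS_SID},
    {"id": 4720, "time": T0 + timedelta(hours=5), "subject": "CORP\\helpdesk", "target": "j.doe"},
    {"id": 4732, "time": T0 + timedelta(hours=5, minutes=1), "subject": "CORP\\helpdesk",
     "member": "j.doe", "group_sid": "S-1-5-32-545"},   # added to Users only: benign
]
SAMPLE_PROCS = [   # constructed process-creation records with PE version info
    {"image": "C:\\Windows\\System32\\svchost.exe", "original_name": "svchost.exe"},
    {"image": "C:\\Users\\Public\\svchost.exe", "original_name": "mimikatz.exe"},
    {"image": "C:\\ProgramData\\conhost.exe", "original_name": "conhost.exe"},
]

if __name__ == "__main__":
    print(privileged_account_creations(SAMPLE_EVENTS))   # [('support_adm', 'CORP\\svc_backup')]
    print(masqueraded_binaries(SAMPLE_PROCS))
```

In production the same logic would be fed from the Security channel and from a process-creation source that exposes PE version information, with the system-directory and OS-name lists widened to the environment's baseline.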
Command and Control Mechanisms
Command-and-control (C2) strategies have also adapted, utilizing backdoors such as PhantomJitter and CobInt to maintain control over compromised systems. Infrastructure overlaps have been noted, with shared infrastructure such as the domain 360nvidia.com indicating potential cooperation in operational strategies.
Through advanced scripting, including customized PowerShell scripts, the attackers established secure tunnels that bypassed traditional network security measures, allowing them to execute commands and exfiltrate sensitive data with greater ease.
Conclusion and Strategic Insights
The reported activities of Head Mare demonstrate an alarming evolution in cooperative cyber threat tactics. By leveraging shared tools and collaborative strategies, both Head Mare and Twelve pose an increasing risk to organizations, particularly those in sensitive sectors such as manufacturing and government.
Understanding these dynamics is crucial. Organizations must enhance their cybersecurity postures by implementing advanced monitoring systems and educating employees about phishing and social engineering tactics.