Coordinated cyberattacks, in which distinct groups unite for a common goal, have become a significant threat. In September 2024, a series of sophisticated attacks targeted Russian companies, notably revealing tactics linked to two notorious hacktivist groups: Head Mare and Twelve. Reports indicate that Head Mare employed tools and command-and-control (C2) servers that had previously been associated exclusively with Twelve, signaling a possible collaboration between these groups.
This analysis explores the evolving tactics, techniques, and procedures (TTPs) of Head Mare and highlights the shared methodologies observed in Twelve’s operations. By examining the tools employed and the nature of the attacks, organizations can better understand these evolving threats.
Head Mare’s Expansive Toolkit
Recent investigations have identified an array of techniques utilized by Head Mare, revealing their reliance on both established and novel tools to execute attacks. Notably, their toolkit includes:
- mimikatz, a popular credential-dumping tool.
- ADRecon, historically used for gathering information from Active Directory.
- secretsdump and ProcDump, for extracting sensitive data.
- Localtonet and ngrok, utilized for creating persistent access through tunneling.
- Newly introduced tools include the CobInt backdoor and PhantomJitter, underscoring adaptability in their approach.
Furthermore, the incorporation of CobInt, previously exclusive to Twelve’s realm, indicates a sharing of assets that amplifies the threat posed to organizations.
Refined Approach to Initial Access and Persistence
Head Mare’s tactics for initial access have evolved, indicating a more sophisticated strategy. Previously dependent on phishing emails, the group now adopts methods that exploit trust within organizations by compromising contractors. This shift is evident in their successful exploitation of vulnerabilities like CVE-2023-38831 and CVE-2021-26855 (ProxyLogon), emphasizing the importance of maintaining updated systems in preventing breaches.
Moreover, persistence mechanisms have changed, as attackers now create privileged local users within targeted systems. This allows them to leverage RDP connections continuously. Traffic tunneling tools also facilitate uninterrupted access, showcasing their strategic expansion of attack frameworks.
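The persistence pattern described above (a new local account is created, granted administrative rights, and then used over RDP) leaves a recognizable sequence in the Windows Security log. The following detection example is added here and is not part of the original report; the event IDs (4720, 4732, 4624) and the Administrators group SID are real Windows values, while the sample events, host names and account names are constructed for illustration.

```python
"""Correlate Windows Security events into the persistence chain described
above: a freshly created local account is added to the local Administrators
group and then logs on via RDP within a short window.

Event IDs used (all real Windows Security event IDs):
  4720 - a user account was created
  4732 - a member was added to a security-enabled local group
  4624 - an account was successfully logged on (LogonType 10 = RemoteInteractive, i.e. RDP)
"""
from datetime import datetime, timedelta

LOCAL_ADMINS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
RDP_LOGON_TYPE = "10"

# Constructed sample events (not real telemetry); field names mirror the
# EventData fields of the corresponding Windows Security events.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2024-09-10T08:01:00", "Computer": "SRV01",
     "TargetUserName": "svc_backup", "SubjectUserName": "jdoe"},
    {"EventID": 4732, "Time": "2024-09-10T08:01:30", "Computer": "SRV01",
     "MemberName": "SRV01\\svc_backup", "TargetSid": LOCAL_ADMINS_SID,
     "SubjectUserName": "jdoe"},
    {"EventID": 4624, "Time": "2024-09-10T08:15:00", "Computer": "SRV01",
     "TargetUserName": "svc_backup", "LogonType": "10", "IpAddress": "10.0.0.55"},
    # benign noise: an existing administrator logging in over RDP
    {"EventID": 4624, "Time": "2024-09-10T09:00:00", "Computer": "SRV01",
     "TargetUserName": "jdoe", "LogonType": "10", "IpAddress": "10.0.0.7"},
    # account created but never elevated or used over RDP -> not flagged
    {"EventID": 4720, "Time": "2024-09-10T10:00:00", "Computer": "SRV02",
     "TargetUserName": "intern", "SubjectUserName": "hr_admin"},
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def _member_account(member_name):
    """4732 records the member as DOMAIN\\user or HOST\\user; keep the user part."""
    return member_name.split("\\")[-1].lower()


def find_rogue_admin_rdp(events, window=timedelta(hours=24)):
    """Return one finding per (computer, account) that was created, added to
    local Administrators and then logged on via RDP, all within `window`
    of the account creation."""
    created = {}     # (computer, user) -> 4720 event
    elevated = {}    # (computer, user) -> 4732 event
    findings = []
    for ev in sorted(events, key=_ts):
        host = ev["Computer"]
        if ev["EventID"] == 4720:
            created[(host, ev["TargetUserName"].lower())] = ev
        elif ev["EventID"] == 4732 and ev.get("TargetSid") == LOCAL_ADMINS_SID:
            key = (host, _member_account(ev["MemberName"]))
            if key in created and _ts(ev) - _ts(created[key]) <= window:
                elevated[key] = ev
        elif ev["EventID"] == 4624 and ev.get("LogonType") == RDP_LOGON_TYPE:
            key = (host, ev["TargetUserName"].lower())
            if key in elevated and _ts(ev) - _ts(created[key]) <= window:
                findings.append({
                    "computer": host,
                    "account": key[1],
                    "created_by": created[key]["SubjectUserName"],
                    "elevated_by": elevated[key]["SubjectUserName"],
                    "rdp_source": ev["IpAddress"],
                    "first_rdp_logon": ev["Time"],
                })
                del elevated[key]   # report each account once
    return findings


if __name__ == "__main__":
    for finding in find_rogue_admin_rdp(SAMPLE_EVENTS):
        print(finding)
```

The correlation keys on the computer name as well as the account, because a local account exists only on the host where it was created; the `window` parameter keeps a long-standing service account that is legitimately elevated months later from being reported.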
Command and Control Structure
The command-and-control strategies for Head Mare showcase a meticulous design. Using the PhantomJitter backdoor, attackers can maintain control over compromised environments via C2 servers such as 360nvidia.com, which further blurs the lines of attribution. Additionally, the use of customized PowerShell scripts demonstrates their ability to bypass standard defense mechanisms effectively.
Another worrisome trend includes the overlap in malware and infrastructure between Head Mare and Twelve. The shared IP addresses and C2 domains suggest a level of cooperation that could enhance their operational capabilities.
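Shared C2 domains and IP addresses are only useful to defenders if they are matched correctly against DNS and proxy telemetry. The following example is added here and is not code from the original report: it matches log lines against domain indicators on label boundaries (so subdomains of 360nvidia.com are caught while a look-alike such as not360nvidia.com is not) and normalises the trailing dot and case that resolvers emit. The domain 360nvidia.com is taken from the report; the IP address is a placeholder from the RFC 5737 documentation range, and the log lines are constructed.

```python
"""Match DNS/proxy log lines against C2 indicators with correct domain
semantics: an indicator matches the host itself and any subdomain, but not
a look-alike name that merely ends with the same characters."""
import ipaddress
import re

C2_DOMAINS = {"360nvidia.com"}                    # from the report
C2_IPS = {ipaddress.ip_address("203.0.113.10")}   # PLACEHOLDER address, not a real indicator

# Constructed sample lines in a simple key=value format.
SAMPLE_LOG = """\
2024-09-10T08:20:01 client=10.0.0.55 query=360nvidia.com answer=203.0.113.10
2024-09-10T08:20:05 client=10.0.0.55 query=update.360nvidia.com. answer=203.0.113.10
2024-09-10T08:21:00 client=10.0.0.7 query=not360nvidia.com answer=198.51.100.4
2024-09-10T08:22:00 client=10.0.0.7 query=NVIDIA.COM answer=198.51.100.9
2024-09-10T08:23:00 client=10.0.0.8 query=cdn.example.net answer=203.0.113.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) answer=(?P<answer>\S+)$")


def normalize_fqdn(name):
    """Lower-case the name and strip the trailing dot a resolver may append."""
    return name.lower().rstrip(".")


def domain_matches(fqdn, indicator):
    """True if fqdn equals the indicator or is a subdomain of it.
    Matching on the label boundary ('.' + indicator) avoids the classic
    substring mistake that would also flag not360nvidia.com."""
    fqdn, indicator = normalize_fqdn(fqdn), normalize_fqdn(indicator)
    return fqdn == indicator or fqdn.endswith("." + indicator)


def scan_log(text, domains=C2_DOMAINS, ips=C2_IPS):
    """Return one hit per log line that touches a C2 domain or resolves to a C2 IP."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unparseable line; a real pipeline would count these
        reasons = [f"domain:{d}" for d in sorted(domains) if domain_matches(m["query"], d)]
        try:
            if ipaddress.ip_address(m["answer"]) in ips:
                reasons.append(f"ip:{m['answer']}")
        except ValueError:
            pass       # answer was not an IP literal (e.g. NXDOMAIN marker)
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "query": normalize_fqdn(m["query"]), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The IP check is kept separate from the domain check because the two indicators fail independently: a domain can be re-pointed to fresh infrastructure, and a shared IP can serve a domain that is not yet on any list, which is exactly the kind of overlap between the two groups that the report describes.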
Conclusion and Recommendations
The alliance between Head Mare and Twelve represents a significant shift in cyber threat dynamics. Organizations must bolster their defenses against this evolving threat landscape by investing in advanced security measures, continuous monitoring, and awareness training for their personnel. Proactively addressing vulnerabilities and deploying modern security tools can mitigate the risks presented by these collaborative cyberattacks.
For further insights into these hacker groups and their methods, organizations are encouraged to explore detailed reports and recommendations available on our Threat Intelligence Portal.