Cyberpandemia: Twelve continues to wreak havoc on the Russian network

Experts warn of a new wave of cyber attacks.

In the spring of 2024, the well-known group Twelve announced itself on the cybercrime scene again. After a brief lull, its activity once more drew the attention of cybersecurity researchers. At the end of June, attacks were recorded whose analysis revealed the same methods and infrastructure previously used by this group. This was a strong indication that Twelve is continuing its destructive activity and will probably attempt to attack large targets again soon.

The Twelve group was formed in April 2023 and since then has specialized in attacks on Russian state-owned companies. The group's main tactic is to encrypt victims' data, which significantly complicates restoring the information infrastructure. As a result, organizations find themselves in an extremely vulnerable position, often without any way to recover the lost data. This choice of method points to the attackers' main goal: to cause maximum damage.

Notably, Twelve shares techniques and tools with another cybercrime group, DARKSTAR, which may indicate that both groups belong to the same syndicate. While DARKSTAR follows the classic extortion scheme, Twelve clearly operates out of political and ideological motives.

In its attacks, Twelve actively uses well-known tools such as Cobalt Strike, Mimikatz and ngrok, as well as a number of web shells, to penetrate victims' networks and spread its malicious code. Most of the tools the group uses are publicly available, which makes them accessible even to less experienced attackers.

One of the characteristic features of Twelve's attacks is the use of social engineering to reach the victim company's internal network through its contractors. After gaining access to a contractor's infrastructure, the attackers use the contractor's credentials to break into the main company's network.

The attackers try to disguise their actions by hiding traces of their presence on systems and masquerading their processes as legitimate services. They also actively use tools to clear event logs and other data that could help identify them.
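Both behaviours in the paragraph above leave detectable traces: a process that borrows a system binary's name usually cannot also borrow its directory, and clearing the Windows audit log itself writes an event. The following is an added example of that detection logic, not code from the original post or from any vendor report on Twelve. The log format is an assumption: the records are constructed JSON lines loosely modelled on Sysmon Event ID 1 (process creation) and Security Event ID 1102 (audit log cleared), and the expected binary directories are the Windows defaults.

```python
"""Flag process-name masquerading and audit-log clearing in constructed logs.

Added example; field names mirror Sysmon (Image, ParentImage) and Windows
Security (EventID 1102, SubjectUserName) but the JSON format is assumed.
"""
import json
import ntpath

# System binaries that attackers commonly impersonate, with the directories in
# which the genuine binary lives (assumption: default Windows install paths).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Security 1102 = audit log cleared; System 104 = an event log was cleared.
LOG_CLEARED_EVENT_IDS = {1102, 104}


def check_masquerade(record):
    """Return an alert string if a process uses a system binary's name but
    runs from a directory where that binary should never be."""
    image = record.get("Image", "")
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower().rstrip("\\")
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and directory not in expected:
        return f"masquerade: {name} started from {directory}"
    return None


def check_log_clear(record):
    """Return an alert string if the record is a log-cleared event."""
    if record.get("EventID") in LOG_CLEARED_EVENT_IDS:
        who = record.get("SubjectUserName", "unknown")
        return f"event log cleared by {who}"
    return None


def analyze(lines):
    """Run every check over each JSON log line; return (EventID, alert) pairs."""
    alerts = []
    for line in lines:
        record = json.loads(line)
        for check in (check_masquerade, check_log_clear):
            hit = check(record)
            if hit:
                alerts.append((record.get("EventID"), hit))
    return alerts


# Constructed sample log: one legitimate svchost, one fake svchost dropped in a
# world-writable folder, one log-clear event, and one ordinary process start.
SAMPLE_LOG = [
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
                "ParentImage": r"C:\Windows\System32\services.exe"}),
    json.dumps({"EventID": 1, "Image": r"C:\Users\Public\svchost.exe",
                "ParentImage": r"C:\Windows\System32\cmd.exe"}),
    json.dumps({"EventID": 1102, "SubjectUserName": "contractor-admin"}),
    json.dumps({"EventID": 1, "Image": r"C:\Program Files\7-Zip\7z.exe",
                "ParentImage": r"C:\Windows\explorer.exe"}),
]

if __name__ == "__main__":
    for event_id, alert in analyze(SAMPLE_LOG):
        print(f"[EventID {event_id}] {alert}")
```

A real deployment would add the parent-process relationship (for example, a genuine `svchost.exe` is started by `services.exe`, not `cmd.exe`) and treat a 1102 event as high-severity regardless of who cleared the log, since administrators rarely do so in normal operation.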

One of the most striking examples of the advanced methods used by Twelve is the FaceFish backdoor that researchers found installed on a VMware vCenter server, where it had been planted by exploiting vulnerabilities. This malicious code allowed the attackers to control systems covertly while collecting critical information.

The group's main strategy aims at maximum destruction of critical infrastructure, theft of confidential data, and discrediting of victims by publishing information about the breaches in public Telegram channels. This approach shows that Twelve's impact is not so much material as ideological.

The group also uses powerful encryptors such as LockBit 3.0 to lock victims' data. In some cases it deploys wipers, programs that completely destroy the data on hard drives and make recovery impossible.

From a defensive standpoint, experts stress the importance of timely detection and prevention of Twelve's attacks. The group's reliance on publicly available tools and methods makes its actions predictable, which gives defenders a real chance to repel attacks if their security tools are properly configured.

In conclusion, the Twelve cybercrime group remains one of the most dangerous and active groups at present. Its attacks pose a serious threat to organizations, especially those involved in critical infrastructure. Security experts strongly recommend that businesses strengthen their security measures and prepare for possible attacks that can cause significant damage and endanger the companies' operations.
