Gold Melody Group sells initial access to cybercriminals of all stripes

For every hacked company, there is bound to be a buyer.

The financially motivated Gold Melody group was recently identified as an initial access broker (IAB) that sells third-party cybercriminals access to compromised organizations for subsequent attacks.

The pseudonym "Gold Melody" was assigned to the group by Secureworks researchers, but it is also tracked under the names "Prophet Spider" (CrowdStrike) and "UNC961" (Mandiant).

According to Secureworks, Gold Melody has been active since 2017 and specializes in breaching organizations by exploiting vulnerabilities in unpatched, Internet-facing servers.

The group's attacks are primarily financially motivated and aimed at making a profit, rather than carried out on behalf of a state.

Gold Melody has previously been linked to attacks against servers running JBoss Messaging, Citrix ADC, Oracle WebLogic, Apache Log4j, GitLab, and other software.

Mid-2020 marked an expansion of the group's area of operations. Its attacks targeted organizations in the retail, healthcare, energy, financial, and high-tech sectors, and the victims' geography grew to include North America, Northern Europe, and Western Asia.

Analysts at Mandiant note that UNC961's activity often precedes the deployment of ransomware such as Maze and Egregor. Alongside a very diverse arsenal of tools, Gold Melody also frequently uses its own Trojans and remote access tools, such as GOTROJ and BARNWORK.

Between July 2020 and July 2022, Secureworks specialists linked Gold Melody to five different intrusions, each of which exploited a different vulnerability. After successfully penetrating a system, the group usually deploys web shells to maintain its foothold, then creates directories on the compromised host to stage the tools used in the later phases of the attack.

This reconnaissance phase lays the groundwork for credential harvesting, lateral movement, and data exfiltration. Once it is complete, the group can sell the access to another set of intruders who have their own plans for the chosen company.

Notably, all five Gold Melody attacks from 2020 to 2022 that Secureworks linked to the group were ultimately unsuccessful. Despite this, the researchers emphasize that Gold Melody's actions and methods are a reminder of how important it is for organizations to keep their software up to date.

Patches for most of the vulnerabilities exploited by attackers are usually released very quickly, while companies themselves delay installing them on their systems. Enterprising hackers simply can't resist such tempting, vulnerable targets on their cyber radar.
 