Threat Intelligence

Russia subjected to suspected joint Head Mare, Twelve attacks

Government-controlled and privately owned organizations in Russia are being targeted in new joint intrusions by the Head Mare and Twelve hacktivist operations, with Head Mare previously found to have used tools and command-and-control servers linked to Twelve, The Hacker News reports. According to an analysis from Kaspersky, Head Mare exploited known security vulnerabilities, including the ProxyLogon flaw, to deploy the CobInt backdoor, which is associated with the Twelve, ExCobalt, and Crypt Ghouls groups, along with the PhantomJitter implant. It then used various tools for reconnaissance, lateral movement, remote host communication, and data transfer before distributing the LockBit 3.0 and Babuk ransomware payloads. Organizations hit by the intrusions were then urged to contact the attackers via Telegram to have their files decrypted. These findings follow a BI.ZONE report that the North Korean state-backed threat operation APT37, also known as ScarCruft, Ricochet Chollima, Reaper, and Squid Werewolf, targeted a Russian industrial firm in a December attack resembling the SHROUDED#SLEEP campaign seen in October.