Connect with us

Hi, what are you looking for?



Extortionist Hacker Group SnapMC Breaches Networks in Under 30 Minutes

Over the past few months, a threat actor has been increasingly breaching enterprise networks to steal data and extort victims, but without disrupting their operations, researchers with the NCC Group reveal.

Over the past few months, a threat actor has been increasingly breaching enterprise networks to steal data and extort victims, but without disrupting their operations, researchers with the NCC Group reveal.

Dubbed SnapMC, the hacking group attempts to exploit multiple vulnerabilities in webserver and VPN applications for initial access and typically compromises victim networks in under 30 minutes.

The group then exfiltrates victim data to leverage it for extortion, but doesn’t use ransomware or other means of disrupting the victim’s operations.

SnapMC threatens to publish the stolen data online unless a ransom is paid, provides victims with a list of the stolen data as evidence of breach, and even goes through with the threats.

The adversary scans webserver applications and VPNs for multiple vulnerabilities that would allow it to gain access to the target environments. NCC Group has observed the group exploiting a remote code execution flaw in Telerik UI for ASPX.NET, as well as SQL injection bugs.

Following initial access, the adversary executes a payload to install a reverse shell for remote access. The observed payloads suggest SnapMC is using a publicly available proof-of-concept exploit targeting Telerik.

The threat actor also uses PowerShell scripts for reconnaissance and in one case attempted to escalate privileges. They also deploy various tools for data harvesting and exfiltration.

Given that SnapMC exploits known vulnerabilities for initial access, NCC Group encourages organizations to make sure all of their web-facing assets are kept up-to-date, which should mitigate the attack. Gaining visibility into vulnerable software and implementing robust detection and incident response mechanisms should also help fend off the attackers.

Advertisement. Scroll to continue reading.

“In a ransomware attack, the adversary needs to achieve persistence and become a domain administrator before stealing data and deploying ransomware. While in the data breach extortion attacks, most of the activity could even be automated and takes less time while still having a significant impact,” NCC Group concludes.

Related: Saudi Aramco Facing $50M Cyber Extortion Over Leaked Data

Related: DC Police Department Hit by Apparent Extortion Attack

Related: Double Extortion: Ransomware’s New Normal Combining Encryption with Data Theft

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.