Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Extortionist Hacker Group SnapMC Breaches Networks in Under 30 Minutes

Over the past few months, a threat actor has been increasingly breaching enterprise networks to steal data and extort victims, but without disrupting their operations, researchers with the NCC Group reveal.

Over the past few months, a threat actor has been increasingly breaching enterprise networks to steal data and extort victims, but without disrupting their operations, researchers with the NCC Group reveal.

Dubbed SnapMC, the hacking group attempts to exploit multiple vulnerabilities in webserver and VPN applications for initial access and typically compromises victim networks in under 30 minutes.

The group then exfiltrates victim data to leverage it for extortion, but doesn’t use ransomware or other means of disrupting the victim’s operations.

SnapMC threatens to publish the stolen data online unless a ransom is paid, provides victims with a list of the stolen data as evidence of breach, and even goes through with the threats.

The adversary scans webserver applications and VPNs for multiple vulnerabilities that would allow it to gain access to the target environments. NCC Group has observed the group exploiting a remote code execution flaw in Telerik UI for ASPX.NET, as well as SQL injection bugs.

Following initial access, the adversary executes a payload to install a reverse shell for remote access. The observed payloads suggest SnapMC is using a publicly available proof-of-concept exploit targeting Telerik.

The threat actor also uses PowerShell scripts for reconnaissance and in one case attempted to escalate privileges. They also deploy various tools for data harvesting and exfiltration.

Given that SnapMC exploits known vulnerabilities for initial access, NCC Group encourages organizations to make sure all of their web-facing assets are kept up-to-date, which should mitigate the attack. Gaining visibility into vulnerable software and implementing robust detection and incident response mechanisms should also help fend off the attackers.

“In a ransomware attack, the adversary needs to achieve persistence and become a domain administrator before stealing data and deploying ransomware. While in the data breach extortion attacks, most of the activity could even be automated and takes less time while still having a significant impact,” NCC Group concludes.

Related: Saudi Aramco Facing $50M Cyber Extortion Over Leaked Data

Related: DC Police Department Hit by Apparent Extortion Attack

Related: Double Extortion: Ransomware’s New Normal Combining Encryption with Data Theft

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...