Gold Melody Access Broker Plays on Unpatched Servers Strings

Published : 23/11/2024   Category : security




A financially motivated threat actor uses known vulnerabilities, ordinary TTPs, and off-the-shelf tools to exploit the unprepared, highlighting the fact that many organizations still don't focus on the security basics.



An initial access broker (IAB) is still running rampant despite being tracked for seven years by researchers, and despite striking up a predictable tune when it comes to the tools and tactics used to compromise organizations (and pave the way for follow-on ransomware attacks).
Between July 2020 and July 2022, Secureworks identified five separate intrusions by the group it tracks as Gold Melody (aka UNC961 to Mandiant, and Prophet Spider to CrowdStrike). Each of the attacks was snuffed out early, thanks in part to the group's extensive yet predictable tactics, techniques, and procedures (TTPs), researchers have noted.
Yet to Rafe Pilling, director of threat research for Secureworks Counter Threat Unit, the thing that stood out is they are quite prolific, and consistent in their tradecraft.
At every step of the way, Gold Melody is driven by opportunism.
It begins with the targets themselves: organizations running unpatched, Internet-facing servers.
The precise nature of the vulnerability doesn't seem to matter much. In recent years, the group has exploited CVE-2021-42237 — a critical 9.8-rated bug in the Sitecore content management platform; CVE-2017-5638 — another critical 10 out of 10-rated flaw affecting Apache Struts; the infamous Log4Shell vulnerability, and more. Each of these vulnerabilities was publicly known and patched, often years before Gold Melody exploited them in delinquent IT environments.
Following initial intrusion, the group typically attempts to establish persistence with Jakarta Server Pages (JSP) Web shells. In one case in 2020, it used the Perl-based IHS Back-Connect backdoor.
Throughout the intrusion, Gold Melody performs reconnaissance on the victim environment, using Windows or Linux commands to display information about the host machine, user, directories, and more. Then it attempts to harvest credentials, for example, by using the Mimikatz pen-testing tool.
Besides Mimikatz, Gold Melody has a suite of other open source tools at its disposal — like Wget, for retrieving files from a remote server — as well as those from the cybercrime underground — like GOTROJ, a Golang-based remote access Trojan (RAT) useful in establishing persistence, performing reconnaissance, and executing arbitrary commands on a host machine.
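The intrusion pattern described above (a JSP web shell on an Internet-facing server, followed by host and user reconnaissance with ordinary Windows or Linux commands) leaves a recognizable trace in endpoint telemetry: a web-server process spawning a shell or recon utility. The following detection heuristic is an added example written for this article, not code from Secureworks, Mandiant, or CrowdStrike. It assumes process-creation events exported as JSON lines with the fields host, parent_image, parent_command_line, image, and command_line (names chosen for this example; map them to whatever your EDR or Sysmon pipeline emits), and the sample events are constructed.

```python
"""Flag web-server processes that spawn shells or reconnaissance utilities.

Added example for this article: a process-tree heuristic over constructed
process-creation events. Field names and the process lists are assumptions
to be tuned for a real estate.
"""
import json
from dataclasses import dataclass

# Parent images that serve HTTP and should not normally launch shells.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd", "nginx", "php-fpm", "tomcat9.exe"}

# "java" is too generic to trust on its own (build agents, CLIs, etc.):
# only treat it as a web server when its command line shows Tomcat/Catalina.
JAVA_SERVER_MARKERS = ("catalina", "tomcat")

# Built-in utilities typically used for host/user reconnaissance.
RECON_CHILDREN = {
    "cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "ipconfig.exe",
    "systeminfo.exe", "tasklist.exe", "hostname.exe",
    "sh", "bash", "id", "uname", "hostname", "cat", "ls", "wget", "curl",
}


@dataclass(frozen=True)
class Alert:
    host: str
    parent: str
    child: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_web_server(parent_image: str, parent_cmdline: str) -> bool:
    """True if the parent looks like an HTTP server process."""
    name = basename(parent_image)
    if name in WEB_SERVER_PARENTS:
        return True
    if name in ("java", "java.exe"):
        return any(m in parent_cmdline.lower() for m in JAVA_SERVER_MARKERS)
    return False


def evaluate(event: dict):
    """Return an Alert when a web server spawns a recon/shell utility, else None."""
    child = basename(event["image"])
    parent_cmd = event.get("parent_command_line", "")
    if child in RECON_CHILDREN and is_web_server(event["parent_image"], parent_cmd):
        return Alert(event["host"], basename(event["parent_image"]),
                     child, event.get("command_line", ""))
    return None


def scan(jsonl: str) -> list:
    """Evaluate every non-empty JSON line and collect the alerts in order."""
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            alert = evaluate(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: two web-shell-style recon chains (web01, app02),
# an admin shell from explorer.exe, a Gradle build under plain java, and
# the ASP.NET compiler legitimately spawned by IIS.
SAMPLE_EVENTS = r"""
{"host": "web01", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "parent_command_line": "w3wp.exe -ap \"DefaultAppPool\"", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami && ipconfig /all"}
{"host": "app02", "parent_image": "/usr/bin/java", "parent_command_line": "java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start", "image": "/bin/sh", "command_line": "sh -c \"id; uname -a\""}
{"host": "ws17", "parent_image": "C:\\Windows\\explorer.exe", "parent_command_line": "explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe"}
{"host": "build03", "parent_image": "/usr/bin/java", "parent_command_line": "java -jar gradle-wrapper.jar build", "image": "/bin/sh", "command_line": "sh -c ./gradlew test"}
{"host": "web01", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "parent_command_line": "w3wp.exe -ap \"DefaultAppPool\"", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "command_line": "csc.exe /noconfig /out:App_Web.dll"}
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.host}] {a.parent} -> {a.child}: {a.command_line}")
```

Run as a script it reports only the web01 and app02 chains; the console shell, the build agent, and the IIS compiler pass through untouched. The Tomcat check on the command line is the edge case worth keeping: a bare "java spawned sh" rule fires on every CI runner, and the noise is what gets such rules switched off.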
Historically, once Gold Melody is thoroughly ensconced in its target's environment, it will hand off control to a ransomware actor, for a price.
In 2020 and 2021, CrowdStrike observed attacks that led to the deployment of Egregor and MountLocker ransomware. Similarly, Mandiant observed a compromise that enabled Gold Melody's partners to install CryptoDefense ransomware. In all of these cases, the ransomware arrived in target networks anywhere from a couple of weeks to several months after Gold Melody's job was done.
So even if Gold Melody itself doesn't strike fear into the heart, its friends will. That's why Pilling emphasizes the simple steps companies can take to snuff out the danger early, like patching the perimeter, your Internet-facing systems — that vulnerability management piece is super important.
And, he adds, in these cases, we're able to identify this activity at an early stage before it could go further. So having that kind of broad visibility across your endpoint state — across network connections, and other cloud solutions — is vital for early detection, before things get out of control.
