NCC Group’s Threat Intelligence team has identified a cluster of activity with a relatively constant modus operandi that points to a new threat actor, which the team tracks as SnapMC. The activity has not yet been linked to any known threat actor.
SnapMC is a criminal group that gains initial access to victim networks by exploiting vulnerabilities in web server and VPN applications, and it generally gains its foothold in a victim network in under 30 minutes.
The group then exfiltrates the victim’s data for extortion; it does not deploy ransomware or take any other action to disrupt the victim’s operations.
SnapMC threatens to publish the stolen data unless a ransom is paid, gives the victim a list of the stolen files as proof of the intrusion, and has followed through on the threat when victims did not pay.
The attacker scans for a range of vulnerabilities in web server software and VPN products that would give it control of the target environment. According to NCC Group, the group has exploited a remote code execution vulnerability in Telerik UI for ASP.NET AJAX (CVE-2019-18935, an insecure deserialization flaw in the RadAsyncUpload handler) as well as SQL injection vulnerabilities.
Once in, the attacker runs a payload that establishes a reverse shell for remote access. Based on the payloads observed, SnapMC appears to be using a publicly available proof-of-concept exploit for the Telerik vulnerability.
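As an added illustration of how the initial access described above shows up in web server logs (this is example code written for this article, not tooling from NCC Group or from the SnapMC report), the following Python script parses IIS W3C log lines and flags two of the patterns mentioned: POST requests to the Telerik RadAsyncUpload handler (Telerik.Web.UI.WebResource.axd?type=rau, the endpoint the public CVE-2019-18935 proof-of-concept exploit targets) and SQL-injection-style query strings. It then groups hits per source address with the time between first and last hit, since the report’s point is how little time the whole intrusion takes. The log lines, addresses and rule names are constructed for the example. One caveat a responder should keep in mind: legitimate RadAsyncUpload traffic also uses that handler, so a rau POST is a lead to triage by source address, user agent and volume, not a confirmed exploit.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample IIS W3C log excerpt for demonstration (not real SnapMC data).
# 203.0.113.9 first hits the RadAsyncUpload handler twice and then probes a page
# with a SQL injection payload; 198.51.100.7 is ordinary browser traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-09-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2021-09-01 10:00:01 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 12
2021-09-01 10:02:15 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.9 python-requests/2.25.1 200 431
2021-09-01 10:02:16 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.9 python-requests/2.25.1 200 1870
2021-09-01 10:03:40 10.0.0.5 GET /products.aspx id=1%27+OR+1%3D1-- 443 - 203.0.113.9 python-requests/2.25.1 500 55
2021-09-01 10:04:01 10.0.0.5 GET /images/logo.png - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 3
"""

# Handler the public CVE-2019-18935 PoC posts its serialized payload to.
RAU_HANDLER = "telerik.web.ui.webresource.axd"

# Coarse SQL injection indicators in a decoded query string (assumed rule set,
# tuned here only for the example; real deployments need allow-listing).
SQLI_RE = re.compile(
    r"'\s*(or|and)\b"                      # quote followed by a boolean operator
    r"|\bunion\b\s+(all\s+)?\bselect\b"    # UNION SELECT data extraction
    r"|--\s*$"                             # trailing comment cutting off the query
    r"|;\s*(drop|exec|xp_cmdshell)\b",     # stacked destructive / exec statements
    re.IGNORECASE,
)


@dataclass
class Finding:
    ts: datetime
    ip: str
    rule: str
    detail: str


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, entries = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # header-less or malformed line: skip rather than misalign columns
        entry = dict(zip(fields, values))
        entry["ts"] = datetime.strptime(entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")
        entries.append(entry)
    return entries


def detect(entries):
    """Return Findings for rau handler POSTs and SQL-injection-like query strings."""
    findings = []
    for e in entries:
        stem = e.get("cs-uri-stem", "").lower()
        raw_query = e.get("cs-uri-query", "-")
        query = "" if raw_query == "-" else unquote_plus(raw_query)  # IIS logs '-' for empty
        ip = e.get("c-ip", "-")
        ua = e.get("cs(User-Agent)", "-")
        if (e.get("cs-method", "").upper() == "POST"
                and stem.endswith(RAU_HANDLER)
                and "type=rau" in query.lower()):
            findings.append(Finding(e["ts"], ip, "telerik_rau_post",
                                    f"POST to RadAsyncUpload handler, UA={ua}"))
        if query and SQLI_RE.search(query):
            findings.append(Finding(e["ts"], ip, "sqli_query", f"{stem}?{query}"))
    return findings


def summarize(findings):
    """Group findings per source IP with first/last hit, rule set, count and time span."""
    by_ip = {}
    for f in sorted(findings, key=lambda f: f.ts):
        s = by_ip.setdefault(f.ip, {"first": f.ts, "last": f.ts, "rules": set(), "count": 0})
        s["last"] = f.ts
        s["rules"].add(f.rule)
        s["count"] += 1
    for s in by_ip.values():
        s["span_seconds"] = int((s["last"] - s["first"]).total_seconds())
    return by_ip


if __name__ == "__main__":
    hits = detect(parse_w3c(SAMPLE_LOG))
    for f in hits:
        print(f"{f.ts} {f.ip} {f.rule}: {f.detail}")
    for ip, s in summarize(hits).items():
        print(f"{ip}: {s['count']} hits, {sorted(s['rules'])}, {s['span_seconds']} s between first and last")
```

Run against a real IIS log the only change needed is feeding the file contents to parse_w3c instead of SAMPLE_LOG; the #Fields line in the file drives the column mapping, so a different field order works unchanged. The per-IP span is the useful number for this actor: a source that goes from the first rau POST to injection probes within minutes is worth escalating immediately rather than queueing.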
The actor then performs reconnaissance with PowerShell scripts and, in some intrusions, has attempted to escalate privileges. It uses a variety of tools and techniques to collect and exfiltrate data.
Because SnapMC relies on known, patchable vulnerabilities for access, NCC Group recommends that organizations keep all internet-facing assets patched and up to date, which closes the entry points seen in these intrusions. Maintaining an inventory of exposed software and its versions, and having detection and response capabilities that can act within the short window these intrusions last, further limit the impact.
NCC Group also notes the contrast with ransomware operations: a ransomware actor typically has to establish persistence and obtain domain administrator privileges before it can steal data and deploy ransomware across the network. In a data-breach extortion campaign, much of the activity can be automated and takes far less time, while still having a substantial impact on the victim.