NCC Group researchers have been seeing an increase in extortion emails from a group dubbed SnapMC. The name SnapMC is derived from the actor’s rapid attacks, generally completed in under 30 minutes, and the exfiltration tool they use called mc.exe. The group gives victims 24 hours to get in contact with them and 72 hours to negotiate, but SnapMC has been putting pressure on the victims before the time is up. If the victim does not contact the group within the given timeframe, the actor threatens to (or immediately does) publish the stolen data and informs the victim’s customers and media outlets.
SnapMC scans webserver applications and Virtual Private Networks (VPNs) for multiple vulnerabilities and has been observed exploiting a remote code execution flaw in Telerik UI for ASPX.NET as well as SQL injection bugs.
After achieving initial access, a payload is executed that installs a reverse shell for remote connectivity. While it seems the threat actor does not usually perform privilege escalation, NCC Group did find one case where SnapMC attempted to escalate privileges by running a handful of PowerShell scripts. They also deploy various tools for data harvesting and exfiltration, such as 7zip and Invoke-SQLcmd scripts.
Analyst Notes
All web-facing assets should be kept up to date so these vulnerabilities get patched. Regularly performing vulnerability scanning allows organizations to see where potential access can be achieved and what needs to be fixed immediately. Having detection and incident response mechanisms, such as Binary Defense’s Managed Detection & Response, greatly increases the chance of mitigating severe impact to organizations.
https://research.nccgroup.com/2021/10/11/snapmc-skips-ransomware-steals-data/
https://www.securityweek.com/extortionist-hacker-group-snapmc-breaches-networks-under-30-minutes
