21 September 2023

Gold Melody IAB exploits flaws in Oracle, Apache, Sitecore software to hack into corporate networks


Gold Melody IAB exploits flaws in Oracle, Apache, Sitecore software to hack into corporate networks

A cybercrime outfit known as Gold Melody, Prophet Spider or UNC961 exploits known vulnerabilities in the internet-exposed servers to compromise enterprise networks.

The group, which has been around since at least 2017, acts as an initial access broker (IAB) selling access to the hacked networks to other cybercriminals. In some cases, the initial access was used by third parties to deploy ransomware, SecureWorks Counter Threat Unit (CTU) said.

Gold Melody relies on web shells, built-in operating system utilities, and proprietary remote access trojans (RATs) and tunneling tools to facilitate its activity once inside a compromised environment.

The group’s arsenal includes a variety of tools such as Burp Suite Collabfiltrator, an extension used to exploit a vulnerable internet-facing server, IHS Back-Connect backdoor, the GotRoj RAT, the Responder tool used to harvest account details, Mimikatz, Wget, TxPortMap, WinExe, PAExec, PuTTY, 7-ZIP, and Auditunnel.

The gang has been observed exploiting known vulnerabilities in internet-exposed servers as initial access vectors, including Oracle E-Business and WebLogic flaws (CVE-2016-0545, CVE-2020-14882 and CVE-2020-14750), Sitecor (CVE-2021-42237), Apache Struts (CVE-2017-5638), Log4j (CVE-2021-4104), JBoss MQ Java Message Service (CVE-2017-7504), Citrix ShareFile (CVE-2021-22941).

The threat actor was also seen exploiting the Log4Shell vulnerability (CVE-2021-44228) to access a MobileIron Core server.

“Gold Melody conducts a considerable amount of scanning to understand a victim's environment,” the SecureWorks team said. “Scanning begins shortly after gaining access but is repeated and continued throughout the intrusion.”

The threat actor conducts scanning from the breached machine, although it was observed using the initially exploited vulnerability to conduct reconnaissance. In particular, in one intrusion the group executed reconnaissance commands via Apache Struts RCE vulnerability CVE-2017-5638, gathering system information by using the 'whoami' and 'ipconfig' commands.

“CTU analysis indicates that Gold Melody acts as a financially motivated IAB, selling access to other threat actors. The buyers subsequently monetize the access, likely through extortion via ransomware deployment,” the company said.

Back to the list

Latest Posts

New EagleMsgSpy surveillance tool linked to Chinese authorities

New EagleMsgSpy surveillance tool linked to Chinese authorities

The Android-based tool has been in operation since at least 2017.
12 December 2024
Russian Turla APT exploits other threat actors’ tools to attack Ukraine

Russian Turla APT exploits other threat actors’ tools to attack Ukraine

Secret Blizzard used the Amadey bot malware to deliver its custom backdoor called “KazuarV2” onto specifically selected systems in Ukraine.
12 December 2024
Global police op shuts down major DDoS platforms

Global police op shuts down major DDoS platforms

As part of the effort, three suspected administrators were arrested in France and Germany.
11 December 2024