Conti and Evil Corp linked to Cisco data breach
A new report has connected the data breach affecting Cisco Talos networks in May with an Evil Corp-affiliate group.
The Threat Response Unit (TRU) of eSentire, a pure-play managed detection and response (MDR) service provider, discovered that the IT infrastructure used to attack Cisco was also deployed in an attempted compromise of one of its clients in April.
TRU believes that a hacker who uses the alias mx1r is the cybercriminal behind the attack.
According to security firm Mandiant, the threat actor known as mx1r is reportedly a member of an Evil Corp affiliate group called UNC2165.
The MDR advisory clarified that while the tactics, techniques, and procedures (TTPs) of the attack against the workforce management corporation matched those of Evil Corp, the infrastructure used matched that of a Conti ransomware affiliate, which has been seen deploying both Hive and Yanluowang ransomware payloads.
Looking at various technical details of the malicious infrastructure leveraged, TRU discovered a handful of additional instances of Cobalt Strike infrastructure.
TRU tracks this infrastructure cluster as HiveStrike. The Hive group first appeared on the ransomware scene in June 2021 and quickly gained a reputation for attacking critical targets including hospitals, energy companies and IT companies.
According to eSentire's report, HiveStrike also bears some similarities to the ShadowStrike infrastructure reported by TRU earlier this year, which has affiliations with Conti.
It seems unlikely – but not impossible – that Conti would lend its infrastructure to Evil Corp.
The other day, the world's largest distributor of books to libraries worldwide, Baker & Taylor, confirmed it is still working on restoring systems after being hit by ransomware more than a week ago.