
Gold Melody: Exploiting Unpatched Servers, Access Broker Pulls the Strings


Gold Melody, an initial access broker (IAB), has managed to evade capture for seven years, despite being closely monitored by researchers. Their modus operandi remains remarkably consistent, as they continue to compromise organizations and lay the groundwork for subsequent ransomware attacks. Secureworks, a prominent cybersecurity firm, has identified five separate intrusions by the group, known as “Gold Melody” to Secureworks, as well as UNC961 to Mandiant and Prophet Spider to CrowdStrike. Thankfully, due in part to the predictable tactics, techniques, and procedures (TTPs) employed by Gold Melody, each attack was swiftly detected and thwarted.

Rafe Pilling, the director of threat research for Secureworks’ Counter Threat Unit, noted the group’s prolific and consistent nature. Despite facing this level of scrutiny, Gold Melody continues to operate brazenly, targeting organizations running unpatched, Internet-facing servers. The specific nature of the vulnerabilities exploited by the group is varied, ranging from critical bugs like CVE-2021-42237 in the Sitecore content management platform, to CVE-2017-5638 affecting Apache Struts, and even the notorious Log4Shell vulnerability. It is crucial to emphasize that all these vulnerabilities were publicly known and patched long before Gold Melody exploited them.

Upon gaining initial access, Gold Melody often establishes persistence through the use of Jakarta Server Pages (JSP) Web shells or other backdoors, such as the Perl-based IHS Back-Connect. The group then conducts reconnaissance within the victim’s environment, utilizing commands to gather information about the host machine, user, directories, and more. Additionally, Gold Melody attempts to harvest credentials, employing tools like the well-known pen-testing tool Mimikatz.
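The JSP web shells mentioned above are files dropped into a web application's document root, so one practical detection is a periodic scan of that root for JSP files carrying the traits shared by most web shells: a process-execution call fed from a request parameter, dynamic class loading, or decoding of encoded payloads. The following is an added example written for this article; it is not code from Secureworks, Mandiant, CrowdStrike or any product. The patterns, weights, threshold and the two sample files are constructed assumptions for illustration, and the shell-like sample is a deliberately invalid fragment that only contains the indicative tokens.

```python
"""Heuristic scan of a web application directory for JSP files that look like
web shells. Added example; patterns, weights and samples are assumptions."""
import re
import tempfile
from pathlib import Path

# (compiled regex, description, weight). Heuristic traits common to JSP web shells.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"Runtime\.getRuntime\(\)\s*\.\s*exec\s*\("), "Runtime.exec call", 3),
    (re.compile(r"new\s+ProcessBuilder\s*\("), "ProcessBuilder use", 3),
    (re.compile(r"request\.getParameter\s*\("), "reads request parameter", 1),
    (re.compile(r"\bdefineClass\b|\bClassLoader\b"), "dynamic class loading", 2),
    (re.compile(r"Base64\.getDecoder\(\)|Base64Decoder"), "base64 decoding", 1),
]
ALERT_THRESHOLD = 4  # assumed cut-off; tune against your own application code


def score_jsp(source: str):
    """Return (score, reasons) for one JSP source text."""
    score = 0
    reasons = []
    for rx, desc, weight in SUSPICIOUS_PATTERNS:
        if rx.search(source):
            score += weight
            reasons.append(desc)
    # A request parameter feeding a process-execution call is the classic
    # web-shell shape, so it earns extra weight when both traits are present.
    exec_hit = any(r in reasons for r in ("Runtime.exec call", "ProcessBuilder use"))
    if "reads request parameter" in reasons and exec_hit:
        score += 2
        reasons.append("parameter-driven command execution")
    return score, reasons


def scan_webroot(root, threshold=ALERT_THRESHOLD):
    """Walk root for .jsp/.jspx files and return those scoring at or above threshold."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in (".jsp", ".jspx"):
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        score, reasons = score_jsp(text)
        if score >= threshold:
            findings.append({"path": str(path.relative_to(root)),
                             "score": score, "reasons": reasons})
    return findings


# Constructed samples; neither is taken from any real intrusion.
BENIGN_JSP = ('<%@ page language="java" %>\n'
              '<html><body>Hello, <%= request.getParameter("name") %></body></html>\n')
# Tokens only; deliberately not valid JSP and not executable.
SHELL_LIKE_JSP = ('<%@ page import="java.io.*" %>\n'
                  '<% /* constructed */ Runtime.getRuntime().exec( request.getParameter( %>\n')


def demo():
    """Write the constructed samples into a temporary webroot and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.jsp").write_text(BENIGN_JSP)
        (root / "uploads").mkdir()
        (root / "uploads" / "x.jsp").write_text(SHELL_LIKE_JSP)
        return scan_webroot(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The benign page reads a request parameter but never executes anything, so it scores below the threshold; the shell-like fragment combines parameter input with a process-execution call and is reported. In production this scan would run against a known-good baseline (file hashes or a deployment manifest) so that any JSP not shipped with the application is flagged regardless of score, which is the stronger control against dropped web shells.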

In addition to Mimikatz, the group utilizes a range of open-source tools like Wget, which allows them to retrieve files from remote servers. Furthermore, they leverage underground cybercrime tools like “GOTROJ,” a Golang-based remote access Trojan (RAT) that aids in persistence, reconnaissance, and executing arbitrary commands on a host machine.

While Gold Melody’s activities alone may not instill fear, the true concern lies in their collaboration with ransomware actors. Once deep within the target’s environment, Gold Melody hands off control to a ransomware actor for a fee. CrowdStrike observed attacks in 2020 and 2021 that led to the deployment of Egregor and MountLocker ransomware. Similarly, Mandiant witnessed a compromise that facilitated the installation of CryptoDefense ransomware by Gold Melody’s partners. These ransomware attacks occurred anywhere from a couple of weeks to several months after Gold Melody completed its initial job.

It is crucial to address how companies can protect themselves from the threat posed by IABs like Gold Melody. Rafe Pilling highlights simple yet vital steps, such as patching Internet-facing systems and practicing effective vulnerability management. The early detection of these activities is crucial to prevent further damage. Pilling emphasizes the importance of broad visibility across endpoints, network connections, and other cloud solutions for early detection, enabling organizations to regain control before the situation becomes unmanageable.

In conclusion, Gold Melody continues to exploit unpatched vulnerabilities in Internet-facing servers, operating with a predictable set of tactics and techniques. However, their pattern of behavior makes them vulnerable to early detection and intervention. By taking proactive measures such as patching systems and implementing robust vulnerability management, organizations can mitigate the threat posed by groups like Gold Melody and prevent subsequent ransomware attacks. Vigilance, broad visibility, and a strong cyber-defense strategy are crucial to staying one step ahead of these persistent threat actors.
