Cyber Group 'Gold Melody' Selling Compromised Access to Ransomware Attackers

Cyber Security Threat Summary:
A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. Secureworks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also tracked as Prophet Spider (CrowdStrike) and UNC961 (Mandiant). The group has been observed expanding its victimology footprint to strike retail, health care, energy, financial transactions, and high-tech organizations in North America, Northern Europe, and Western Asia as of mid-2020. Mandiant, in an analysis published in March 2023, said that "in multiple instances, UNC961 intrusion activity has preceded the deployment of Maze and Egregor ransomware from distinct follow-on actors." It further described the group as "resourceful in their opportunistic angle to initial access operations" and noted it "employs a cost-effective approach to achieve initial access by exploiting recently disclosed vulnerabilities using publicly available exploit code" (The Hacker News, 2023).

Security Officer Comments:
As mentioned above, Gold Melody is known for exploiting known vulnerabilities to gain initial access to victim environments, including flaws in JBoss Messaging (CVE-2017-7504), Citrix ADC (CVE-2019-19781), Oracle WebLogic (CVE-2020-14750 and CVE-2020-14882), GitLab (CVE-2021-22205), Citrix ShareFile Storage Zones Controller (CVE-2021-22941), Atlassian Confluence (CVE-2021-26084), and others. After initial access is obtained, the actors deploy a range of payloads, including remote access trojans and tunneling tools such as GOTROJ (aka MUTEPUT), BARNWORK, HOLEDOOR, DARKDOOR, AUDITUNNEL, HOLEPUNCH, LIGHTBUNNY, and HOLERUN, which can be used to execute arbitrary commands, collect and exfiltrate data, and establish connections to C2 infrastructure. Based on the intrusions and victimology observed so far, Gold Melody's attacks appear to be opportunistic and financially motivated, since the actors sell their access on to other threat actors.

Suggested Correction(s):
(Secureworks) GOLD MELODY uses a variety of tools and TTPs to compromise networks, maintain access, and conduct reconnaissance before selling access to cybercriminals. The number of organizations targeted by GOLD MELODY suggests that the group is a significant threat. Its reliance on exploiting vulnerabilities in unpatched internet-facing servers for access reinforces the importance of robust patch management.

Perimeter and endpoint monitoring is a reliable and effective approach for detecting access attempts and mitigating malicious activity once the group is in the network. In three of the five Secureworks IR engagements, alerts delivered by a defensive capability allowed for rapid remediation and likely prevented future ransomware deployment.

Gold Melody IOCs: