GOLD MELODY acts as initial access broker, says Secureworks report
In a recent analysis by Secureworks Counter Threat Unit (CTU), the cyber threat group known as GOLD MELODY has been identified as an initial access broker (IAB) that sells access to compromised organisations to other cybercriminals for exploitation. Active since at least 2017, the group has been compromising organisations by exploiting vulnerabilities in unpatched internet-facing servers. "This financially motivated group has been active since at least 2017, compromising organisations by exploiting vulnerabilities in unpatched internet-facing servers," the CTU report states. "The victimology suggests opportunistic attacks for financial gain rather than a targeted campaign conducted by a state-sponsored threat group for espionage, destruction, or disruption."
GOLD MELODY has been linked to five intrusions that Secureworks incident responders handled between July 2020 and July 2022. "In all these incidents, network defenders detected and prevented malicious activity before GOLD MELODY or associated threat actors could achieve their objectives," according to CTU researchers. The group uses a range of tools, including web shells, built-in operating system utilities, and proprietary remote access trojans (RATs) to facilitate its activities once inside a compromised environment.
The group's modus operandi involves exploiting internet-facing vulnerabilities as initial access vectors (IAVs). "All of the flaws had available patches before they were exploited by GOLD MELODY," the CTU report notes. The group also seeks to establish persistence in the compromised network. In one incident, "access through this web shell enabled the threat actors to return to the server on numerous occasions to run reconnaissance commands."
GOLD MELODY conducts extensive scanning to understand a victim's environment and uses multiple techniques to harvest credentials. "While the activity observed in this intrusion constituted the most comprehensive attempt to harvest credentials, the same or similar techniques were employed in the other intrusions," the report adds.
The group's attempts at defence evasion have so far been unsuccessful. "In the five intrusions investigated by Secureworks incident responders, early detection of the malicious activity appeared to prevent the group from achieving its objectives," the CTU analysis concludes.
The report emphasises the importance of robust patch management and perimeter and endpoint monitoring as effective approaches for detecting access attempts and mitigating malicious activity. "In three of the five Secureworks IR engagements, alerts delivered by a defensive capability allowed for rapid remediation and likely prevented future ransomware deployment," the report states.
The findings underscore the evolving threat landscape where cybercriminal groups like GOLD MELODY act as brokers, selling access to compromised networks to other threat actors who then deploy ransomware or conduct other forms of cyber exploitation.