Full Report
In 2024, UNC2165 exploited a victim's environment by a UNC1543 FAKEUPDATES infection to gain initial access. They deployed their Python tunneler, VIPERTUNNEL, for persistent access and used utility scripts for reconnaissance and disabling anti-virus protection. UNC2165 then ac...
Analysis Summary
# Threat Actor: UNC2165
## Attribution & Identity
Actor Name: UNC2165
Known Associations: Leveraged a **UNC1543 FAKEUPDATES** infection for initial access.
## Activity Summary
In 2024, UNC2165 conducted an operation targeting hybrid environments, culminating in both data exfiltration and ransomware deployment. The intrusion began with an initial compromise via the UNC1543 FAKEUPDATES infection vector. Following access, the actor established persistence, conducted reconnaissance, disabled security controls, exfiltrated sensitive data from Azure blob storage, and ultimately deployed the RANSOMHUB ransomware across both their on-premises and Azure cloud environments.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploited a **FAKEUPDATES** infection (implying supply chain or trusted software compromise).
- **Persistence:** Deployed the custom Python tunneler **VIPERTUNNEL**.
- **Defense Evasion:** Used utility scripts to **disable anti-virus protection**.
- **Discovery/Reconnaissance:** Utilized utility scripts for internal environment mapping.
- **Lateral Movement:** Performed cloud-to-on-prem lateral movement.
- **Command and Control (C2):** Established C2 using the **VIPERTUNNEL** mechanism.
- **Impact:** Deployed **RANSOMHUB ransomware** via GPOs on Windows systems and Azure run commands on Linux systems.
- **Exfiltration:** Accessed and exfiltrated sensitive data from **Azure Storage** to attacker-controlled cloud servers.
## Targeting
- Sectors: Not explicitly detailed, but targeting hybrid environments (cloud and on-prem) is the primary focus.
- Geography: Not specified.
- Victims: Undisclosed victim(s) utilizing hybrid infrastructure (Azure and on-premises networks).
## Tools & Infrastructure
- Malware families used: **VIPERTUNNEL** (Python tunneler), **RANSOMHUB** (Ransomware).
- Infrastructure: Attacker-controlled cloud servers for data exfiltration.
- Other Utilities: Utility scripts for reconnaissance and AV disabling; Group Policy Objects (GPOs) for deployment.
## Implications
UNC2165 poses a significant threat to organizations utilizing hybrid cloud architectures. Their TTPs indicate a sophisticated operation capable of bridging cloud environments (Azure) with traditional on-premises networks, leading to complete operational disruption via ransomware, compounded by the risk of data theft and extortion. The activity observed suggests a high-impact threat actor motivated by financial gain and/or disruption.
## Mitigations
- Monitor for unauthorized deployment of scheduled tasks via GPOs, particularly those executing unknown binaries.
- Implement robust controls and heightened monitoring around Azure Storage access, focusing on unusual data egress patterns.
- Harden systems against known initial access vectors associated with UNC1543/FAKEUPDATES.
- Ensure comprehensive Anti-Virus/EDR coverage across both cloud-hosted and on-premises Linux and Windows assets, and monitor for unexpected AV disabling attempts.
- Investigate established persistence mechanisms like unknown Python tunnels (VIPERTUNNEL).
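The Azure Storage mitigation above calls for monitoring unusual data egress. The following is an added example (not code from the original report or from the vendor that published it) of a small detection that aggregates blob read traffic per caller IP from Azure Storage diagnostic logs and flags external callers that exceed a byte or request threshold. The JSON field names (`operationName`, `callerIpAddress`, `responseBodySize`, `uri`), the trusted network ranges and the log records themselves are constructed for this example and should be checked against the log schema in your own environment.

```python
import ipaddress
import json
from collections import defaultdict
from urllib.parse import urlparse

# Blob operations that move data out of the storage account to the caller.
READ_OPS = {"GetBlob", "CopyBlob"}

# Constructed sample: StorageBlobLogs-style JSON lines. Field names are an
# assumption for this example; they are not taken from the report.
# 203.0.113.77 and 198.51.100.9 are documentation (TEST-NET) addresses.
SAMPLE_LOG_LINES = [
    json.dumps({"operationName": "GetBlob", "callerIpAddress": "10.20.0.5:54321",
                "responseBodySize": 120000,
                "uri": "https://victimacct.blob.core.windows.net/finance/q1.xlsx"}),
    json.dumps({"operationName": "GetBlob", "callerIpAddress": "10.20.0.5:54322",
                "responseBodySize": 120000,
                "uri": "https://victimacct.blob.core.windows.net/finance/q2.xlsx"}),
    json.dumps({"operationName": "PutBlob", "callerIpAddress": "10.20.0.5:54323",
                "responseBodySize": 0,
                "uri": "https://victimacct.blob.core.windows.net/finance/q3.xlsx"}),
    json.dumps({"operationName": "GetBlob", "callerIpAddress": "203.0.113.77:44001",
                "responseBodySize": 50000000,
                "uri": "https://victimacct.blob.core.windows.net/finance/archive-2023.zip"}),
    json.dumps({"operationName": "GetBlob", "callerIpAddress": "203.0.113.77:44002",
                "responseBodySize": 50000000,
                "uri": "https://victimacct.blob.core.windows.net/finance/archive-2024.zip"}),
    json.dumps({"operationName": "GetBlob", "callerIpAddress": "203.0.113.77:44003",
                "responseBodySize": 50000000,
                "uri": "https://victimacct.blob.core.windows.net/hr/payroll.bak"}),
    json.dumps({"operationName": "GetBlob", "callerIpAddress": "203.0.113.77:44004",
                "responseBodySize": 50000000,
                "uri": "https://victimacct.blob.core.windows.net/hr/personnel.bak"}),
    json.dumps({"operationName": "GetBlob", "callerIpAddress": "198.51.100.9:50000",
                "responseBodySize": 1000,
                "uri": "https://victimacct.blob.core.windows.net/public/logo.png"}),
]

# Constructed: corporate/VNet ranges from which bulk reads are expected.
TRUSTED_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16"]


def caller_ip(value):
    """Strip the ':port' suffix Azure appends to callerIpAddress (IPv4 form)."""
    return value.rsplit(":", 1)[0]


def container_of(uri):
    """Return the container name, i.e. the first path segment of the blob URI."""
    path = urlparse(uri).path.lstrip("/")
    return path.split("/", 1)[0] if path else ""


def detect_unusual_egress(lines, trusted_networks, byte_threshold, request_threshold):
    """Aggregate read traffic per caller IP and flag external callers over threshold.

    Returns a list of alert dicts sorted by bytes read, largest first.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    per_caller = defaultdict(lambda: {"bytes": 0, "requests": 0, "containers": set()})

    for line in lines:
        rec = json.loads(line)
        if rec.get("operationName") not in READ_OPS:
            continue  # writes and metadata calls are not egress
        ip = caller_ip(rec["callerIpAddress"])
        stats = per_caller[ip]
        stats["bytes"] += int(rec.get("responseBodySize", 0))
        stats["requests"] += 1
        stats["containers"].add(container_of(rec["uri"]))

    alerts = []
    for ip, stats in per_caller.items():
        addr = ipaddress.ip_address(ip)
        external = not any(addr in net for net in trusted)
        if external and (stats["bytes"] >= byte_threshold
                         or stats["requests"] >= request_threshold):
            alerts.append({"caller": ip, "bytes": stats["bytes"],
                           "requests": stats["requests"],
                           "containers": sorted(stats["containers"])})
    return sorted(alerts, key=lambda a: -a["bytes"])


if __name__ == "__main__":
    for alert in detect_unusual_egress(SAMPLE_LOG_LINES, TRUSTED_NETWORKS,
                                       byte_threshold=100_000_000, request_threshold=50):
        print(alert)
```

The thresholds are deliberately simple; in production they would be derived from a per-account baseline, and the caller identity (`identity`/`authenticationType` fields, where present) would be added to the aggregation key so that a compromised service principal reading from a trusted address is not masked by the network allowlist.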