MSTIC (Microsoft Threat Intelligence Center) has shared details about the ongoing activity of a group it calls Gallium. The group, which was active from 2018 through mid-2019, targets unpatched web servers and internet-facing services using publicly available exploits and has been known to exploit vulnerabilities in WildFly/JBoss. Once inside, the actors use common techniques and tools such as Mimikatz to obtain credentials, which they then use for lateral movement across the target network. In other words, the group relies on common malware variants and publicly available toolkits with only small modifications.
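As an added example (not code from the MSTIC report or from the Gallium tooling it describes), the following Python script shows one check a defender can run for the credential-theft step described above: Mimikatz-style tools read the memory of the LSASS process, and Sysmon records such handle opens as Event ID 10 (ProcessAccess) together with the requesting process image and the access mask it was granted. The flattened log format, the allowlist of legitimate LSASS clients, and the sample records are constructed assumptions for illustration and would need tuning per environment.

```python
"""Flag suspicious handle opens to lsass.exe in Sysmon Event ID 10 (ProcessAccess) records.

Added example, not from the MSTIC report. Credential-dumping tools such as Mimikatz
read LSASS memory; Sysmon logs the source process and the granted access mask.
The record format and sample events below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Access rights a process needs to read another process's memory (Windows constants).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Processes that legitimately open LSASS on a typical host. Assumption: tune per environment.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\msmpeng.exe",
}


@dataclass
class Alert:
    source_image: str
    granted_access: int
    reason: str


def suspicious_lsass_access(source_image: str, target_image: str, granted_access: int):
    """Return an Alert when a non-allowlisted process obtained memory-read access to lsass.exe."""
    if not target_image.lower().endswith(r"\lsass.exe"):
        return None
    if source_image.lower() in ALLOWLIST:
        return None
    can_read = bool(granted_access & PROCESS_VM_READ)
    can_query = bool(granted_access & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION))
    # Reading LSASS memory requires VM_READ plus one of the query rights; a mask like
    # 0x1400 (query only) is what Task Manager-style listings use and is not flagged.
    if can_read and can_query:
        return Alert(source_image, granted_access,
                     "memory-read access to lsass.exe from non-allowlisted process")
    return None


_FIELD = re.compile(r"(\w+)=([^,]+)")


def parse_record(line: str) -> dict:
    """Parse a flattened 'Key=Value, Key=Value' record (constructed format, not Sysmon XML)."""
    return {k: v.strip() for k, v in _FIELD.findall(line)}


def scan(lines):
    """Run the LSASS access check over every Event ID 10 record in the input."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "10":
            continue
        alert = suspicious_lsass_access(rec["SourceImage"], rec["TargetImage"],
                                        int(rec["GrantedAccess"], 16))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events: one benign system process, one unknown binary in a temp
# directory, one query-only access, one non-LSASS target, and one full-access dumper.
SAMPLE_EVENTS = [
    "EventID=10, SourceImage=C:\\Windows\\System32\\svchost.exe, TargetImage=C:\\Windows\\System32\\lsass.exe, GrantedAccess=0x1400",
    "EventID=10, SourceImage=C:\\Users\\svc\\AppData\\Local\\Temp\\mk.exe, TargetImage=C:\\Windows\\System32\\lsass.exe, GrantedAccess=0x1010",
    "EventID=10, SourceImage=C:\\Windows\\System32\\taskmgr.exe, TargetImage=C:\\Windows\\System32\\lsass.exe, GrantedAccess=0x1400",
    "EventID=10, SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe, TargetImage=C:\\Windows\\System32\\notepad.exe, GrantedAccess=0x1FFFFF",
    "EventID=10, SourceImage=C:\\tools\\pd.exe, TargetImage=C:\\Windows\\System32\\lsass.exe, GrantedAccess=0x1FFFFF",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"ALERT {a.source_image} granted=0x{a.granted_access:x}: {a.reason}")
```

The check keys on the access mask rather than on tool names, which matters for a group that lightly modifies public tooling to slip past signature-based antimalware: a renamed Mimikatz still has to ask for the same rights on LSASS. The allowlist is the part that needs local tuning, since EDR agents and some backup software legitimately read LSASS memory.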
A variety of tools for hacking
MSTIC’s research shows that Gallium’s exploitation of internet-facing services indicates the group likely uses open-source research and network scanning tools to identify likely targets. On the basis of these analyst assessments, the researchers are confident in their characterization of the attack techniques Gallium employs.
The group modifies its tooling only as far as needed to evade antimalware detection rather than developing custom functionality; MSTIC describes this as typical of Gallium actors across several operational areas. According to MSTIC, Gallium is still active, but activity levels have dropped compared with what was previously observed.