ShadowSyndicate, initially identified in 2022, has refined its infrastructure management by implementing a server transition method. This advanced technique allows the cybercrime group to rotate SSH keys across multiple servers, complicating efforts by security teams to monitor their activities.
Evolution of Cybercriminal Tactics
The group’s initial notoriety arose from its use of a single SSH fingerprint across many malicious servers, creating a traceable pattern that security researchers could follow. However, this new method marks a significant evolution in how ShadowSyndicate manages its attack infrastructure, making tracking more challenging for cybersecurity experts.
By reusing previously employed servers and rotating SSH keys, ShadowSyndicate makes its operations seem legitimate, as if servers have been transferred to new users. Despite these sophisticated techniques, occasional operational errors have enabled security teams to identify these connections.
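As an added illustration (not code from the Group-IB or Intrinsec research), the following Python sketches the defender-side correlation the article refers to: servers are clustered by OpenSSH-style SHA256 host-key fingerprint, and a host that reappears with a different key is flagged as a candidate "server transition". The key bytes, IP addresses and dates are constructed sample data.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the decoded key blob, base64 without padding."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def ed25519_line(raw32: bytes) -> str:
    """Build a public-key line in OpenSSH wire format from 32 raw key bytes (constructed data)."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", raw32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

def cluster_by_fingerprint(observations):
    """Map each host-key fingerprint to the sorted list of IPs that presented it."""
    clusters = defaultdict(set)
    for _date, ip, key in observations:
        clusters[fingerprint(key)].add(ip)
    return {fp: sorted(ips) for fp, ips in clusters.items()}

def key_transitions(observations):
    """Hosts whose host key changed between observations: (ip, old_fp, new_fp, date)."""
    last, changes = {}, []
    for date, ip, key in sorted(observations):  # ISO dates sort chronologically
        fp = fingerprint(key)
        if ip in last and last[ip] != fp:
            changes.append((ip, last[ip], fp, date))
        last[ip] = fp
    return changes

# Constructed sample: key A shared by three servers, then 198.51.100.7 re-keyed to key B,
# which later also appears on a fourth server (the re-used host links both clusters).
KEY_A = ed25519_line(bytes(range(32)))
KEY_B = ed25519_line(bytes(range(32, 64)))
OBSERVATIONS = [
    ("2023-09-01", "198.51.100.7", KEY_A),
    ("2023-09-01", "203.0.113.21", KEY_A),
    ("2023-09-01", "192.0.2.15", KEY_A),
    ("2024-02-10", "198.51.100.7", KEY_B),
    ("2024-02-12", "192.0.2.88", KEY_B),
]

if __name__ == "__main__":
    for fp, ips in cluster_by_fingerprint(OBSERVATIONS).items():
        print(fp, ips)
    for ip, old, new, date in key_transitions(OBSERVATIONS):
        print(f"{date}: {ip} moved from {old} to {new}")
```

The transition list is the pivot: a host that kept its address but changed key ties the old fingerprint cluster to the new one, which is exactly the link that key rotation alone would otherwise hide.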
Uncovering New Infrastructure
Group-IB analysts have identified two additional SSH fingerprints that follow similar patterns to the original. These findings follow earlier reports from Intrinsec researchers, prompting further investigation into ShadowSyndicate’s shifting tactics. This newly uncovered infrastructure connects to at least 20 servers acting as command-and-control hubs for various attack frameworks.
ShadowSyndicate employs familiar toolkits such as Cobalt Strike, Metasploit, and Havoc, among others, to maintain persistent access to compromised networks and deploy ransomware payloads. Each SSH fingerprint discovered forms a distinct cluster of servers with similar characteristics, linking to several notorious ransomware groups such as Cl0p and ALPHV/BlackCat.
Implications for Security Practices
The consistent use of specific hosting providers and autonomous system numbers across all server clusters suggests that ShadowSyndicate may function as an Initial Access Broker or offer bulletproof hosting services to other cybercriminals. This consistency creates predictable patterns that can aid in infrastructure correlation and proactive detection efforts.
Organizations are advised to integrate indicators of compromise into their threat intelligence platforms. Monitoring IP addresses within frequently used autonomous systems and watching for patterns such as repeated multifactor authentication failures or unusual login locations can help detect potential compromises.
