Webinar | Team Burned Out on Phishing Analysis? Here's How to Help.
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
July 01, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
Key Points
In June 2024, ReliaQuest was made aware of a series of detections from an EDR tool by one of our customers. These detections indicated the successful deployment of the Medusa ransomware, resulting in encryption across one of the customer’s unmonitored sub-domains. Our investigation yielded indicators of intrusion and intelligence about the adversary’s TTPs. The North America-based organization had undergone rapid growth due to multiple acquisitions; as a result, the company struggled with gaps in visibility across its environment. These issues ultimately hindered its ability to effectively mitigate and respond to the attack.
This report details the attack lifecycle, beginning with initial access via a compromised customer account on a remote VPN, followed by an NTDS dump on a domain controller to facilitate lateral movement, and culminating in the installation of a vulnerable driver to bypass EDR tools and deploy an encryptor. We examine the legitimate tools used by Medusa and provide actionable prevention and mitigation strategies to help organizations defend against such ransomware threats. By implementing the practical recommendations outlined in this report, organizations can significantly enhance their defensive measures and reduce the impact of similar attacks.
Security researchers first identified the RaaS operator Medusa in late 2022 (not to be confused with the similarly-named MedusaLocker). The group primarily spreads its ransomware by exploiting unpatched vulnerabilities in public-facing assets. Medusa affiliates also purchase system credentials from initial access brokers (IABs) and hijack legitimate accounts to infiltrate environments. The threat group uses LoTL techniques to evade defenses and blend in with normal system activity, suggesting the operators are technically adept and highly experienced.
Since the introduction of its data leak site in early 2023, Medusa has named over 200 victims. It primarily targets organizations in the technology, education, manufacturing, and healthcare sectors within the US. The group’s approach is largely opportunistic, exploiting the opportunities created by organizations without multi-factor authentication (MFA). Medusa is likely financially motivated, targeting critical systems to disrupt essential operations and increase the likelihood that organizations will pay the ransom to regain functionality.
The impacted organization’s business model hinges on supplying its customers with infrastructure designed to ensure minimal downtime. As a result, this has led to a “flat” network architecture with fragmented domains and devices, making patching and maintenance challenging. The organization faced difficulties in deploying a consistent set of tools and controls across its network because several components had reached their end-of-life. This situation created visibility gaps and heightened the complexity of mitigating the attack.
ReliaQuest’s collaboration with the impacted organization and its digital forensics and incident response (DFIR) partner indicated that the adversary may have gained initial access via the organization’s VPN. In early April 2024, an anomalous session from the Russian IP address 178.208.87.250 used a domain account belonging to a customer of the impacted organization. This session was assigned an internal IP within a small legacy subnet used for customer VPN access. We discovered that the threat actor established follow-up sessions over subsequent weeks but could not identify all the ways in which the attacker abused this access due to our limited visibility. Consequently, we could not determine whether access to this account resulted from credentials obtained through external attacks like brute forcing.
Mitigation: Robust Security Controls for External Accounts
External accounts like VPN or cloud (e.g. Azure) are frequent targets of attacks like brute forcing, phishing, or social engineering. To reduce the risk of compromise, these accounts should always use security controls like MFA or device authentication. External services should also undergo regular audits to ensure only expected accounts are enabled for external access. Our team has observed cases where temporary accounts (created by vendors or customers), default accounts, and accounts meant to be disabled are sometimes overlooked, leading to unauthorized access. These external portals should use applicable controls to reduce their attack surface, such as disabling WebVPN access if it is not needed, or geoblocking unauthorized locations. Additionally, management console portals and access (e.g., SSH) should also be limited to internal access only.
Further investigation revealed that the threat actor initiated a VPN session at the beginning of April. Within an hour of establishing the session, the assigned VPN address was observed with firewall traffic resembling port scanning. This indicates an attempt from the threat actor to gain insight into the environment and accessible resources. Security researchers have reported that Medusa uses tools like Netscan for discovery actions, which offer features like pinging, port scanning, network share discovery, and retrieval of information from network devices. Overall, this traffic was observed over several hours and targeted multiple different destinations.
Mitigation: Comprehensive Network Based Controls
Organizations should adopt a preventive strategy for external accounts connecting to their environment, especially in the case of VPN-enabled accounts. Implementing network segmentation can limit the resources accessible to VPN-connected devices and appropriately segment critical systems and sensitive data as needed. Authorize only a subset of accounts and/or devices to communicate with critical systems. This should limit some of the information retrieved through discovery actions and reduce the likelihood of follow-up actions such as lateral movement.
The investigation also identified two attempts to harvest credentials within a day of the threat actor establishing their first VPN session in early April. The first attempt involved LSASS dumping, which originated from a VPN-assigned internal IP address. Their second attempt involved NTDS dumping on a domain controller via PowerShell on the same day.
powershell.exe ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' qq
The command creates a full snapshot of the Active Directory (AD) database and copies the SYSTEM and SECURITY registry hives to the TEMP directory. The contained password hashes can later be extracted by the threat actor. Through our available visibility, our team did not observe additional activity following the early discovery and credential dumping in April. However, in May, there was an additional LSASS dump via comsvcs.dll.
%COMSPEC% /Q /c CMD.EXe /Q /c for /f "tokens ("tasklist /fi "Imagename eq lsass.exe" | find "lsass*) do rundll32.exe B I U C: \windows\System32\comsvcs.dll, #+0000^24 ^%B \Windows\Temp\rMx3.sav full
This command contains some syntax errors, possibly due to the method used to extract this data. However, from the readable portions we can identify an attempt to query the running processes for LSASS and dumping of in-memory credentials via comsvcs.dll.
Credential dumping of the Active Directory (AD) database and in-memory credentials may indicate an effort to capture all types of credentials. These attempts might also accomplish different goals at the time of execution. NTDS dumping would provide a comprehensive snapshot of the AD database that the threat actor could reference later. On the other hand, LSASS dumping can provide some plaintext passwords, NTLM hashes, or Kerberos tickets for quick access and use. Additionally, the LSASS dump could also potentially contain credentials for some accounts not found in the AD database snapshot.
Our team also believes that due to the impacted organization using different fragmented domains, this influenced the threat actor to attempt dumping credentials again after a month.
From our available visibility, early activity after initial access was limited to discovery and credential gathering actions. A change in behavior was not seen until June, which might indicate that an initial access broker had gained access to the environment and then sold it to the Medusa ransomware group—or an affiliate linked to the group—who conducted further malicious activity. This is congruent with intelligence on the group, but this could not be confirmed due to the limited data points available prior to the activity in June.
Mitigation: Endpoint and LSASS Protection
Critical systems should be equipped with EDR tool monitoring and any additional security measures to identify and block attempts to dump credentials. EDR software has built-in policies and watchlists that can mitigate these attempts, and these can be further enhanced with custom policies. Other options like Credential Guard and LSA protection should also be considered to further enhance security controls. These options provide some mitigations in attempt to stop code injection and unauthorized access to sensitive information.
Although the limited logging prevented a mapping of complete attack path, we confirmed lateral movement via type 10 logons (RDP) leveraging a compromised admin account at the beginning of June. The RDP connection sourced from a domain controller and leveraged an account with the same name but from a different domain, suggesting possible domain hopping. Only RDP was observed for lateral movement, and the threat actor used the same accounts across different domains.
Within a few minutes of the RDP connection, the threat actor installed AnyDesk on the target server.
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
Our team believes this to be a redundant form of command-and-control (C2) infrastructure, aimed at maintaining access as the threat actor positioned themselves for encryption. This conclusion was drawn after reviewing exported Windows System logs, which showed service installations dating back to mid-May for the SimpleHelp RMM tool on the same host.
C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\restricted\SimpleService.exe
Network segmentation and limiting connections to critical systems from a subset of hosts should reduce attack surface for both the discovery and lateral movement stages of incidents. Not all accounts should have RDP access, and this functionality should be disabled if not operationally necessary. For instance, service accounts should be configured to disallow interactive logons and can be strong candidates for removing RDP capabilities.
Mitigation: Least Privilege and Application Allow Lists
Organizations should apply the principle of least privilege to restrict regular users from installing unauthorized applications. Allow-list solutions like AppLocker can further limit software installations to approved applications only, enabling enhanced monitoring on non-approved software.
On the same day as the AnyDesk installation, we observed the installation of the service “PDQInventory-Scanner-1” on multiple hosts using a compromised admin account. PDQ is a commercial tool for deployment and inventory management. When abused, it allows threat actors to efficiently push out and execute scripts or payloads on multiple target computers. Multiple security researchers have linked the tool to the Medusa ransomware group.
Within an hour of the PDQInventory installations, we detected ransomware deployment activity. This included PDQDeploy logons to target hosts and blocked antivirus detections for the file “gaze.exe,” which had a Medusa-related signature.
We subsequently detected the file “igJTf.sys” in the path “C:\WINDOWS\TEMP\,” indicating the use of a malicious driver. The threat actor highly likely dropped this file to install as a kernel-level driver, aiming to unhook the antivirus software installed across the domain. This assessment is supported by the subsequent successful encryptor deployment on those hosts. We recently observed a similar attack path in a double extortion case.
The ransom note “!!!READ_ME_MEDUSA!!!.txt” was written on impacted hosts.
Mitigation: Disaster Prevention and Recovery Playbooks
Organizations should adopt proactive measures to ensure operational continuity in the event of impact. This includes maintaining data backups (Cold, Warm, Hot sites), having response playbooks, and establishing solid communication plans to ensure teams are prepared. Additionally, hosts with critical data should employ robust security measures, such as EDR protection and driver management, to limit attack surfaces.
Our investigation into the Medusa ransomware attack revealed a series of common TTPs. Initial access was gained via a compromised VPN account, credential dumping was performed via PowerShell and comsvcs.dll, and lateral movement was executed using RDP. Although these techniques are not particularly novel, they underscore the importance of maintaining robust cybersecurity defenses and configurations.
In this instance, proper VPN configuration, enhanced endpoint visibility, and automated response mechanisms could have significantly mitigated the impact of the attack. For companies that grow through mergers and acquisitions or operate in shared infrastructure environments, visibility into all assets and networks is especially crucial. Enhanced visibility helps identify potential vulnerabilities and ensures that security measures are consistently applied across newly integrated or shared systems.
By implementing the appropriate security measures and ensuring comprehensive monitoring, organizations can detect and thwart straightforward TTPs like those used by Medusa. The steps outlined in this report provide actionable recommendations that can help prevent similar attacks in the future. Ensuring that defenses are in place and properly configured can minimize or even prevent the impact of such ransomware attacks, safeguarding your organization from significant harm.
Get a live demo of our security operations platform, GreyMatter, and learn how you can improve visibility, reduce complexity, and manage risk in your organization.