This report details a cyberattack in which threat actors gained initial access through a password spray attack against an exposed RDP server. They used Mimikatz and NirSoft tools for credential harvesting, and relied on living-off-the-land techniques together with tools such as Advanced IP Scanner for network discovery. The attackers used Rclone to exfiltrate data over SFTP and deployed RansomHub ransomware across the network via SMB and remote services. The intrusion lasted six days and culminated in widespread encryption and ransom demands. Key phases included initial access, lateral movement, credential theft, data exfiltration, and ransomware deployment, demonstrating a sophisticated, multi-staged attack methodology.
Author: AlienVault
Related Tags:
T1069.001
living-off-the-land
T1110.003
RansomHub
T1003.006
T1059.005
T1003.001
T1087.001
T1087.002
Associated Indicators:
4775DFB24F85F5D776F538018A98CC6A9853A1840F5C00B7D0C54695F03A11D9
FFD09A5C27938D1F7424ED66D1474CFEB3DF72DAABDF10E09F161ED1FFD21271
25117DCB2D852DF15FE44C5757147E7038F289E6156B0F6AB86D02C0E97328CB
19138D3C197EE1E59756D1F4FC3FD66809F44C1B
6AC2D77631F775797CD0029E199A5DFE83F47B4C
B746C91E014205DB94F775BB6DB480387C9EBC20
02E6FF95949FDF341DAEE846820D40289AB65985
EBA5BFCA73C2754FBF93ED64FA224132
8E0B1F8390ACB832DBF3ABADEB7E5FD3