Don’t throw a hissy fit; defend against Medusa

MITRE Techniques

• [T1190] Exploit Public-Facing Application – Initial access gained by exploiting a vulnerable application hosted by an externally facing web server. “Initial access was gained by exploiting an external facing web server.”
• [T1047] Windows Management Instrumentation – WMI used to remotely execute a cmd.exe process. “Windows Management Instrumentation (WMI) was utilised to remotely execute a cmd.exe process.”
• [T1059.001] PowerShell – PowerShell was leveraged to conduct various malicious activity. “PowerShell was leveraged by the threat actor to conduct various malicious activity.”
• [T1072] Software Deployment Tools – PDQ Deploy installed to deploy LAdHW.sys. “PDQ Deploy was installed to deploy LAdHW.sys, a kernel driver which disabled antivirus services.”
• [T1569.002] System Services: Service Execution – PsExec installed as a service. “PsExec was installed on multiple servers.”
• [T1136.0012] Create Account: Domain Account – A new user “admin” created to maintain access. “Maintaining access to the victim’s network was achieved by creating a new user admin on the external facing web server.”
• [T1505.003] Server Software Component: Web Shell – Web shells used to maintain access. “Web shells were uploaded to establish persistent access and execute commands remotely.”
• [T1027.002] Obfuscated Files or Information: Software Packing – Sophos.exe packed with Themida. “Sophos.exe, which was packed with Themida.”
• [T1070.004] Indicator Removal: File Deletion – Malicious executables deleted after use. “many of these executables such as JAVA64.exe and re.exe were deleted after use.”
• [T1070.009] Indicator Removal: Clear Persistence – Malicious artifacts removed to cover tracks. “Malicious executables were deleted after use.”
• [T1027] Obfuscated Files or Information – Base64 encoded PowerShell commands used to download executables. “Base64 encoded PowerShell commands were utilised to download malicious executables.”
• [T1112] Modify Registry – WDigest key modified to enable credential dumping. “The WDigest registry key was modified to enable credential dumping activity.”
• [T1562.001] Impair Defenses: Disable or Modify Tools – Antivirus disabled. “Antivirus services were disabled.”
• [T1562.004] Impair Defenses: Disable or Modify System Firewall – Firewall rules deleted. “Firewall rules were deleted.”
• [T1003.001] OS Credential Dumping: LSASS Memory – Mimikatz used; LSASS dump. “Mimikatz was utilised. An LSASS memory dump was created.”
• [T1003.003] OS Credential Dumping: NTDS – NTDS extraction using ntdsutil. “NTDS: ntdsutil.exe was used to extract the NTDS.”
• [T1482] Domain Trust Discovery – nltest used to enumerate domain trusts. “Nltest was used to enumerate domain trusts.”
• [T1069.002] Domain Groups Discovery – Net used to enumerate domain groups. “Net was used to enumerate domain groups.”
• [T1016] System Network Configuration Discovery – Ipconfig used to learn network config. “Ipconfig was used to learn about network configurations.”
• [T1007] System Service Discovery – Tasklist used to display running processes. “Tasklist was used to display running processes.”
• [T1018] Remote System Discovery – Net used to enumerate domain controllers. “Net was used to enumerate domain controllers.”
• [T1033] System Owner/User Discovery – Whoami and related queries. “Whoami was used to establish which user the threat actor was running as.”
• [T1082] System Information Discovery – WMIC used to gather OS name/architecture. “Wmic was used to gather the name of the operating system and its architecture.”
• [T1021.001] Remote Services: Remote Desktop Protocol – RDP used to move laterally. “Remote Desktop Protocol (RDP) was employed to laterally move through the victim’s network.”
• [T1105] Ingress Tool Transfer – PowerShell downloads/executions via scripts. “PowerShell commands were used to download and execute malicious files.”
• [T1219] Remote Access Software – JWrapper and AnyDesk used for remote access. “JWrapper Remote Access application was installed… AnyDesk was also utilised.”
• [T1572] Protocol Tunnelling – Reverse tunnel established for C2. “A reverse tunnel allowed the threat actor to establish a new connection.”
• [TA0010] Exfiltration – Data exfiltrated and leaked on Medusa leak site. “Data was successfully exfiltrated… published to the Medusa leak site.”
• [T1486] Data Encrypted for Impact – Ransomware encrypted files. “Medusa ransomware… files were encrypted, and .MEDUSA was appended.”
• [T1490] Inhibit System Recovery – Backups and VMs deleted to inhibit recovery. “VMs from the Hyper-V storage as well as local and cloud backups were deleted.”