Hello! I’m Nick Hyatt, Director of Threat Intelligence here at Blackpoint Cyber and I’m here to recap some of the stories we tracked in the Adversary Pursuit Group over the last few months.

One of the big recurring themes we’ve been seeing in the landscape is the continuing one-two punch of vulnerability exploitation and credential-based attacks. Compromised accounts and vulnerable systems make it a field day for ransomware gangs.

Early in January, Unit 42 posted research around the Medusa ransomware gang, specifically their use of compromised accounts (either compromised themselves or purchased from initial access brokers), exploitation of vulnerable public-facing systems, and use of living-off-the-land (LotL) techniques once they’ve broken into environments. This behavior isn’t unique to Medusa, but it was a good example of how effective the combination is. The Blackpoint SOC sees threat actors using LotL techniques regularly. And as for how effective it is? In January alone, Medusa compromised 11 victims – that’s roughly one every three days!

Turning to other topics, Microsoft made headlines in mid-January when they released their research into the Midnight Blizzard intrusion into their environment. Midnight Blizzard, if you need a refresher, is a state-sponsored Russian group responsible for the SolarWinds attack. They’re a very advanced threat actor. What makes this topic so interesting is that their attack didn’t rely on a zero-day, or really that complex of an attack vector. Microsoft had a legacy non-production account in a tenant that didn’t have a complex password or multifactor authentication (MFA) enabled, allowing the threat actor to conduct a password spray attack and compromise the account. They were then able to pivot internally and read a set of targeted email accounts. The key takeaway here is that not every threat actor is going to burn an exploit. If there’s one thing to remember, it’s that criminals are lazy – why burn a zero-day exploit when you can just password spray and get in that way?

In both of the instances covered here, complex, unique passwords and MFA would have increased the barrier to entry for both attacks. While no security strategy is impenetrable, increasing the barrier to entry for attackers can reduce the potential for an attack. So, to summarize:

  • Enable complex, unique passwords for everything. Password managers make this a breeze, and biometric authentication helps quite a bit to reduce attack surfaces as well!
  • Enable MFA across the board. Multifactor authentication comes with its own problems, but reducing the ability for an attacker to gain access to accounts is what matters during incidents.
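As an added illustration of the spray pattern described above (this is example code, not code from the post or from Blackpoint), the following Python flags a source that fails against many distinct accounts with only a few attempts each and notes any later sign-in success from that source without MFA. The log line format and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sign-in events; the line format is an assumption, not a real log schema.
SAMPLE_LOG = """\
2024-01-12T03:00:01Z src=203.0.113.7 user=alice result=FAILURE mfa=no
2024-01-12T03:00:09Z src=203.0.113.7 user=bob result=FAILURE mfa=no
2024-01-12T03:00:17Z src=203.0.113.7 user=carol result=FAILURE mfa=no
2024-01-12T03:00:25Z src=203.0.113.7 user=dave result=FAILURE mfa=no
2024-01-12T03:00:33Z src=203.0.113.7 user=erin result=FAILURE mfa=no
2024-01-12T03:00:41Z src=203.0.113.7 user=legacy-test result=FAILURE mfa=no
2024-01-12T03:05:02Z src=203.0.113.7 user=legacy-test result=SUCCESS mfa=no
2024-01-12T08:14:10Z src=198.51.100.5 user=frank result=FAILURE mfa=no
2024-01-12T08:14:40Z src=198.51.100.5 user=frank result=SUCCESS mfa=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>SUCCESS|FAILURE) mfa=(?P<mfa>yes|no)$"
)

def parse_lines(text):
    """Parse log text into dicts; lines not matching the format are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def detect_spray(events, min_accounts=5, max_per_account=2):
    """Flag sources that fail against many distinct accounts with few tries
    each (the spray shape) and note later no-MFA successes from that source."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> fail count
    successes = defaultdict(list)                      # src -> success events
    for e in events:
        if e["result"] == "FAILURE":
            failures[e["src"]][e["user"]] += 1
        else:
            successes[e["src"]].append(e)
    findings = {}
    for src, per_user in failures.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            findings[src] = {
                "accounts_tried": len(per_user),
                "success_without_mfa": sorted(
                    {e["user"] for e in successes[src] if e["mfa"] == "no"}),
            }
    return findings

def analyze(text=SAMPLE_LOG):
    return detect_spray(parse_lines(text))
```

A user who mistypes their own password a few times (the second source above) does not match the shape, because the spray signal is breadth across accounts, not depth against one.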

Check back with us next month when we break down more of the big stories for you!

Written and Recorded By:

Nick Hyatt, Director of Threat Intelligence

Nick Hyatt has extensive expertise in technology, support, and information security, with experience spanning small businesses to Fortune 500 companies across various industries. He has a deep understanding and practical experience in incident response, threat intelligence, digital forensics, and malware analysis. His hands-on skills encompass malware forensics, data mapping, threat hunting, and e-discovery in diverse environments.

Additional Resources

  • Learn about the ScreenConnect vulnerability here.
  • Protect your customers with further best practices here.
  • Learn about dark web’s role in credential-based attacks here.
  • Tune in to a conversation about password spraying here.
