The FBI, the Cybersecurity and Infrastructure Security Agency, the Financial Crimes Enforcement Network, and the Department of the Treasury have issued a joint warning about the MedusaLocker ransomware operation's growing exploitation of vulnerable Microsoft Remote Desktop Protocol configurations to infiltrate target networks since May, ZDNet reports.
Upon initial access, MedusaLocker has been distributing a PowerShell script to spread the ransomware across the network and has been using the SMB file-sharing protocol to detect attached storage, according to the advisory. MedusaLocker then restarts the LanmanWorkstation service so that its registry edits take effect; kills security software processes; encrypts victim files with the AES-256 encryption algorithm; maintains persistence; and thwarts standard recovery methods, said the feds, who also noted MedusaLocker's ransomware-as-a-service model.
Organizations have been advised to adopt data recovery plans, network segmentation, and offline data backups, as well as perform regular data and password backups. The feds also urged access restrictions for critical data copies.
TechCrunch reports that U.S. conservative think tank The Heritage Foundation was working to contain a cyberattack against its systems last week, but the investigation into whether any of its data was compromised is still underway.
Nexperia has confirmed that some of its servers were compromised in a cyberattack last month, following a report from Dutch broadcaster RTL detailing attackers' claims of having exfiltrated hundreds of gigabytes of data from the Chinese-owned Dutch semiconductor manufacturer, according to Cybernews.
Iranian state-backed threat operation MuddyWater, also known as TA450, Mango Sandstorm, and Boggy Sandstorm, has leveraged the novel DarkBeatC2 command-and-control infrastructure tool as part of its latest attack campaign, The Hacker News reports.