Hide Your RDP: Password Spray Leads to RansomHub Deployment

This report details a cyberattack where threat actors gained initial access through a password spray attack on an exposed RDP server. They used Mimikatz and Nirsoft for credential harvesting, and employed living-off-the-land techniques along with tools like Advanced IP Scanner for network discovery. The attackers utilized Rclone for data exfiltration via SFTP and deployed RansomHub ransomware across the network using SMB and remote services. The intrusion lasted six days, culminating in widespread encryption and ransom demands. Key phases included initial access, lateral movement, credential theft, data exfiltration, and ransomware deployment, demonstrating a sophisticated and multi-staged attack methodology.

Pulse ID: 6862dc349ae605bef0998ced
Pulse Link: https://otx.alienvault.com/pulse/6862dc349ae605bef0998ced
Pulse Author: AlienVault
Created: 2025-06-30 18:49:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AdvancedIPScanner #CredentialHarvesting #CyberAttack #CyberSecurity #Encryption #InfoSec #OTX #OpenThreatExchange #Password #RAT #RDP #RansomWare #Rclone #SMB #Word #bot #AlienVault

The Stark Truth Behind the Resurgence of Russia’s Fin7

https://krebsonsecurity.com/2024/07/the-stark-truth-behind-the-resurgence-of-russias-fin7/

#StarkIndustriesSolutions #Russia'sWaronUkraine #ProtectedPDFViewer #Ne'er-Do-WellNews #AdvancedIPScanner #BastionSecure #CombiSecurity #spearphishing #typosquatting #Malwarebytes #WebFraud2.0 #SublimeText #ZachEdwards #Ransomware #Blackberry #SilentPush #Bitwarden #microsoft #Notepad++ #RestProxy #AutoDesk #eSentire #AnyDesk #Node.js #pgAdmin #AIMP

The Stark Truth Behind the Resurgence of Russia’s Fin7 - The Russia-based cybercrime group dubbed “Fin7,” known for phishing and malware at... https://krebsonsecurity.com/2024/07/the-stark-truth-behind-the-resurgence-of-russias-fin7/ #starkindustriessolutions #russiaswaronukraine #protectedpdfviewer #advancedipscanner #neer-do-wellnews #bastionsecure #combisecurity #spearphishing #typosquatting #malwarebytes #webfraud2.0 #sublimetext #zachedwards #ransomware #blackberry #7-zip

Huntress takes us on a step-by-step adventure to redownload a malicious file purporting to be Advanced IP Scanner from Google Ad malvertising. Other than the initial malicious website, no other IOC. 🔗 https://www.huntress.com/blog/analyzing-a-malicious-advanced-ip-scanner-google-ad-redirection

#AdvancedIPScanner #malvertising #threatintel