Hide Your RDP: Password Spray Leads to RansomHub Deployment
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
This report details an intrusion in which threat actors gained initial access through a password spray attack against an internet-exposed RDP server. They used Mimikatz and NirSoft utilities for credential harvesting, and combined living-off-the-land techniques with tools such as Advanced IP Scanner for network discovery. The attackers used Rclone to exfiltrate data over SFTP and deployed RansomHub ransomware across the network using SMB and remote services. The intrusion lasted six days, culminating in widespread encryption and ransom demands. Key phases included initial access, lateral movement, credential theft, data exfiltration, and ransomware deployment, a multi-staged attack chain. The entry point, an RDP service reachable from the internet and subject to password spraying, is the control failure the title refers to: every later stage depended on that first foothold.
OPENCTI LABELS :
ransomware,data exfiltration,rdp,lateral movement,mimikatz,credential theft,ransomhub,password spray,living-off-the-land
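The initial-access step in the summary, a password spray against exposed RDP, has a distinctive shape in Windows Security logs: one source address, many different target accounts, only a few failures per account, and in the worst case a success for one of the sprayed accounts shortly afterwards. The following is an added example, not code from the report or from NetmanageIT, that classifies failed RDP logons (event 4625, LogonType 10) by that shape and flags a source whose spray is followed by a 4624 success. The event records, IP addresses and account names are constructed for the example, and the window and count thresholds are assumptions to tune against the environment's lockout policy and baseline.

```python
"""Detecting an RDP password spray in Windows Security logon events.

Added example, not code from the report or from NetmanageIT. It assumes the
4625 (failed logon) and 4624 (successful logon) events have already been
parsed into tuples of (timestamp, event_id, source_ip, target_user,
logon_type); the records below are constructed for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # LogonType 10 = RemoteInteractive, i.e. an RDP logon

# Constructed sample: 203.0.113.7 sprays six accounts with one or two guesses
# each and then logs in as svc_sql; 198.51.100.9 brute-forces one account;
# 10.0.0.25 is a user who mistypes a password once.
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:01", 4625, "203.0.113.7", "administrator", 10),
    ("2024-05-01T02:00:05", 4625, "203.0.113.7", "jsmith", 10),
    ("2024-05-01T02:00:09", 4625, "203.0.113.7", "backup", 10),
    ("2024-05-01T02:00:14", 4625, "203.0.113.7", "svc_sql", 10),
    ("2024-05-01T02:00:18", 4625, "203.0.113.7", "helpdesk", 10),
    ("2024-05-01T02:00:22", 4625, "203.0.113.7", "Administrator", 10),
    ("2024-05-01T02:00:27", 4625, "203.0.113.7", "scanner", 10),
    ("2024-05-01T02:01:40", 4624, "203.0.113.7", "svc_sql", 10),
    ("2024-05-01T02:00:00", 4625, "198.51.100.9", "administrator", 10),
    ("2024-05-01T02:00:01", 4625, "198.51.100.9", "administrator", 10),
    ("2024-05-01T02:00:02", 4625, "198.51.100.9", "administrator", 10),
    ("2024-05-01T02:00:03", 4625, "198.51.100.9", "administrator", 10),
    ("2024-05-01T02:00:04", 4625, "198.51.100.9", "administrator", 10),
    ("2024-05-01T02:00:05", 4625, "198.51.100.9", "administrator", 10),
    ("2024-05-01T03:15:00", 4625, "10.0.0.25", "jsmith", 10),
    ("2024-05-01T03:15:20", 4624, "10.0.0.25", "jsmith", 10),
]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_distinct_users=5, max_attempts_per_user=3):
    """Return {source_ip: finding} for sources whose failed RDP logons form a
    spray: at least `min_distinct_users` different accounts, none tried more
    than `max_attempts_per_user` times, all inside one `window`.

    The per-user cap is what separates a spray from a brute force: a spray
    keeps each account under the lockout threshold, so a single account with
    many failures is a different (and usually noisier) signal. Thresholds are
    assumptions; tune them to the lockout policy and baseline of the estate.
    """
    failed = defaultdict(list)     # ip -> [(time, user)]
    successes = defaultdict(list)  # ip -> [(time, user)]
    for ts, event_id, ip, user, logon_type in events:
        if logon_type != RDP_LOGON_TYPE:
            continue
        bucket = successes if event_id == 4624 else failed
        # Windows account names are case-insensitive; fold them so that
        # "Administrator" and "administrator" count as one target.
        bucket[ip].append((datetime.fromisoformat(ts), user.lower()))

    findings = {}
    for ip, rows in failed.items():
        rows.sort()
        best = None
        start = 0
        for end in range(len(rows)):
            # slide `start` forward so rows[start:end+1] spans at most `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            counts = Counter(user for _, user in rows[start:end + 1])
            if (len(counts) >= min_distinct_users
                    and max(counts.values()) <= max_attempts_per_user
                    and (best is None or len(counts) > best["distinct_users"])):
                window_start = rows[start][0]
                # A success from the same source, for an account it sprayed,
                # after the window opened means the spray worked.
                hits = sorted({u for t, u in successes.get(ip, [])
                               if t >= window_start and u in counts})
                best = {
                    "distinct_users": len(counts),
                    "attempts": sum(counts.values()),
                    "first_seen": window_start.isoformat(),
                    "last_seen": rows[end][0].isoformat(),
                    "followed_by_success": hits,
                    "severity": "critical" if hits else "high",
                }
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_EVENTS).items():
        print(ip, finding)
```

On real data, feed it the IpAddress, TargetUserName and LogonType fields of 4625/4624 events exported from the domain controllers or the RDP host; the brute-force source (198.51.100.9) is deliberately not reported here because its one-account, many-attempts pattern is a separate rule. A spray finding whose `followed_by_success` list is non-empty is the situation this report describes, and should be paged on rather than left for the daily review, since the next stages (credential dumping, discovery, exfiltration, encryption) follow within days.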