- Initial access was via a password spray attack against an exposed RDP server, targeting numerous accounts over a four-hour period.
- Mimikatz and NirSoft utilities were used to harvest credentials, with evidence of LSASS memory access.
- Discovery was accomplished using living-off-the-land binaries as well as Advanced IP Scanner and NetScan.
- Rclone was used to exfiltrate data to a remote server using SFTP.
- The threat actor deployed RansomHub ransomware network-wide; the payload was staged over SMB and executed via remote services.
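The spray in the first bullet is the pattern that is cheapest to catch from the Security log alone: one source address failing logons against many distinct accounts, with only one or two attempts per account, over a short window. The Python below is an added example, not code from the original report; it runs a sliding-window distinct-account count over constructed failed-logon events. The field names are a hypothetical normalisation of event 4625 (TargetUserName, IpAddress, LogonType), and the IPs and account names are made up.

```python
"""Password-spray detection over Windows Security failed-logon (4625) events.

Added example, not from the original report. The record fields below are a
simplified, hypothetical normalisation of 4625 (TargetUserName, IpAddress,
LogonType); map them to your SIEM's schema before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, user, ip, logon_type, event_id=4625):
    """Build one normalised failed-logon record (constructed sample data)."""
    return {
        "timestamp": datetime.fromisoformat(ts),
        "event_id": event_id,
        "target_user": user,
        "source_ip": ip,
        "logon_type": logon_type,
    }


# Constructed sample log (all addresses and accounts are hypothetical).
# 203.0.113.45 fails once each against eight accounts over RDP (logon type 10,
# RemoteInteractive): the spray shape, low per-account count, high distinct
# account count. 10.0.0.23 is a user mistyping their own password three
# times. 198.51.100.7 sprays over network logons (type 3), which the default
# RDP-only filter deliberately ignores.
SAMPLE_EVENTS = [
    _ev("2024-05-01T02:00:05", "alice", "203.0.113.45", 10),
    _ev("2024-05-01T02:00:47", "bob", "203.0.113.45", 10),
    _ev("2024-05-01T02:01:29", "carol", "203.0.113.45", 10),
    _ev("2024-05-01T02:02:11", "dave", "203.0.113.45", 10),
    _ev("2024-05-01T02:02:53", "erin", "203.0.113.45", 10),
    _ev("2024-05-01T02:03:35", "frank", "203.0.113.45", 10),
    _ev("2024-05-01T02:04:17", "svc_backup", "203.0.113.45", 10),
    _ev("2024-05-01T02:04:59", "administrator", "203.0.113.45", 10),
    _ev("2024-05-01T08:15:02", "grace", "10.0.0.23", 10),
    _ev("2024-05-01T08:15:20", "grace", "10.0.0.23", 10),
    _ev("2024-05-01T08:15:41", "grace", "10.0.0.23", 10),
    _ev("2024-05-01T03:10:00", "alice", "198.51.100.7", 3),
    _ev("2024-05-01T03:10:30", "bob", "198.51.100.7", 3),
    _ev("2024-05-01T03:11:00", "carol", "198.51.100.7", 3),
    _ev("2024-05-01T03:11:30", "dave", "198.51.100.7", 3),
    _ev("2024-05-01T03:12:00", "erin", "198.51.100.7", 3),
]


def detect_password_spray(events, window=timedelta(hours=1), min_accounts=5,
                          logon_types=(10,)):
    """Return {source_ip: {"accounts": [...], "attempts": n}} for each source
    that failed logons against at least `min_accounts` distinct accounts
    inside some sliding window of length `window`.

    Counting distinct accounts rather than attempts is what separates a spray
    from a single user locking themselves out: many failures on one account
    never qualify, however numerous.
    """
    per_ip = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625 and ev["logon_type"] in logon_types:
            per_ip[ev["source_ip"]].append((ev["timestamp"], ev["target_user"]))

    findings = {}
    for ip, attempts in per_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            # Window anchored at each attempt: every later attempt within
            # `window` of it. Quadratic, but fine for per-host triage volumes.
            in_window = {u for t, u in attempts[i:] if t - start <= window}
            if len(in_window) >= min_accounts:
                findings[ip] = {
                    "accounts": sorted({u for _, u in attempts}),
                    "attempts": len(attempts),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['attempts']} RDP failures against "
              f"{len(info['accounts'])} accounts: {', '.join(info['accounts'])}")
```

Tuning note: the four-hour campaign in the report would be missed by a one-minute window and caught by the default one-hour window; a spray that paces itself below your threshold shows up instead as a high distinct-account count over a day, so run the same logic with a second, longer window and a higher account threshold. Widen `logon_types` to include 3 if the exposed service is SMB rather than RDP.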