The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency recently issued a joint advisory warning that two-factor authentication should be enabled for all webmail and VPN accounts as a matter of urgency. That public alert came in the wake of ongoing attacks using Medusa, a ransomware-as-a-service platform that lets criminal affiliates run highly effective campaigns against enterprises. Now, security researchers have uncovered a vital component of those attacks: the mechanism used to disable endpoint security protections before the ransomware is deployed. This new revelation may help in the fight against the Medusa threat, but enterprises are still advised to stick to the FBI 2FA advice for webmail and VPN services.
FBI And CISA Issue Medusa Ransomware Industry Joint Alert
Medusa is a well-known and, by all appearances, widely deployed ransomware-as-a-service operation. Ransomware as a what? Sadly, just like many other criminal activities such as phishing kits and infostealer campaigns, ransomware can effectively be rented out to anyone who is willing to pay the fee. No great technical skill is required, no genius coder needs to be recruited, and no criminal mastermind is needed. Just the money and the malicious will to attack innocent parties for profit.
The FBI warning came in response to more than 300 victims falling to Medusa attacks since the operation emerged in 2021. FBI investigations in recent months into ongoing attacks produced a “dossier of tactics, techniques, and procedures, indicators of compromise, and detection methods associated with the threat actors.” All of this led to the public cybersecurity advisory AA25-071A, which urged all organizations to require two-factor authentication for all services where possible, in particular for webmail such as Gmail, Outlook and others, along with virtual private networks and any accounts that can access critical systems.
Commercial security researchers have now uncovered how Medusa campaigns manage to evade your anti-malware systems.
New Report Carries On Where The FBI Left Off
Elastic Security Labs has been monitoring a financially motivated threat campaign that deployed the Medusa ransomware in question, specifically using a HeartCrypt-packed loader for these attacks. “This loader was deployed alongside a revoked certificate-signed driver from a Chinese vendor we named Abyssworker,” Cyril François, a senior malware research engineer with the Elastic Security Labs team, said, “which it installs on the victim machine and then uses to target and silence different endpoint detection and response vendors.” The methodology is what has become known as a bring-your-own-vulnerable-driver (BYOVD) attack: rather than exploiting a driver already on the victim machine, the attacker ships a signed but flawed driver of their own, loads it into the kernel, and uses that kernel-level access to blind or terminate security tools. Because the driver carries a signature, it will load unless the host checks that signature for revocation or the driver is on a blocklist. The details are too technical for a news story such as this, but all enterprise defenders should read the Elastic Security Labs analysis and implement its mitigations accordingly. All the time, of course, while still following the advice from that FBI warning.
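One practical check that follows from the BYOVD description above is to hunt for kernel driver loads that carry a revoked, expired or missing signature, come from an unexpected publisher, or are loaded from somewhere other than the system drivers directory. The script below is an added example written for this page; it is not code from the article, from Elastic Security Labs, or from the Medusa campaign. It assumes driver-load telemetry in the shape of Sysmon Event ID 6 (DriverLoad), whose real field names are ImageLoaded, Signed, Signature and SignatureStatus; the line-oriented “key: value | key: value” export format, the file names, paths and signer names in the sample records, and the EXPECTED_SIGNERS allowlist are all constructed for illustration.

```python
"""Flag suspicious kernel driver loads in Sysmon Event ID 6 (DriverLoad) telemetry.

Added example, not from the article or from Elastic Security Labs. The sample
records, the export format and the signer allowlist are constructed for
illustration; real data comes from the Sysmon operational event log.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample export, one event per line. Paths, file names and signer
# names are invented; the field names match Sysmon's DriverLoad schema.
SAMPLE_EVENTS = r"""
EventID: 6 | ImageLoaded: C:\Windows\System32\drivers\ndis.sys | Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid
EventID: 6 | ImageLoaded: C:\Users\Public\update\driver.sys | Signed: true | Signature: Example Shenzhen Technology Co., Ltd. | SignatureStatus: Revoked
EventID: 6 | ImageLoaded: C:\Windows\Temp\helper.sys | Signed: false | Signature: - | SignatureStatus: Unavailable
EventID: 1 | Image: C:\Windows\System32\svchost.exe | CommandLine: svchost.exe -k netsvcs
""".strip()

# Hypothetical allowlist of publishers whose drivers this environment expects
# to load; a real deployment would build this from its own baseline.
EXPECTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class Finding:
    image: str
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one 'key: value | key: value' line into a dict (constructed format)."""
    fields: Dict[str, str] = {}
    for chunk in line.split(" | "):
        key, sep, value = chunk.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess_driver_load(ev: Dict[str, str]) -> Optional[Finding]:
    """Apply BYOVD-oriented checks to one event; None means nothing was flagged."""
    if ev.get("EventID") != "6":
        return None  # only DriverLoad events are of interest here
    image = ev.get("ImageLoaded", "")
    finding = Finding(image=image)

    status = ev.get("SignatureStatus", "Unavailable")
    if status != "Valid":
        # A driver signed with a revoked or expired certificate still shows
        # Signed=true; SignatureStatus is the field that exposes the problem.
        finding.reasons.append(f"signature status is {status}")

    signer = ev.get("Signature", "-")
    if signer not in EXPECTED_SIGNERS:
        finding.reasons.append(f"unexpected signer: {signer}")

    if not image.lower().startswith(TRUSTED_DRIVER_DIR):
        # Legitimate drivers are installed under System32\drivers; loaders
        # typically drop their driver in a user-writable or temp directory.
        finding.reasons.append("driver loaded from outside the system drivers directory")

    return finding if finding.reasons else None


def scan(text: str) -> List[Finding]:
    """Run the checks over every non-empty line of an export and collect findings."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        result = assess_driver_load(parse_event(line))
        if result is not None:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.image)
        for reason in f.reasons:
            print("  -", reason)
```

The three checks are deliberately independent: a revoked certificate alone is a strong signal, but an attacker could just as easily bring a driver whose certificate has not yet been revoked, in which case the unfamiliar publisher and the unusual load path are what remain. Treat any hit as a lead for a hunt, not as an automatic verdict.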