“Medusa ransomware gang has infected more than 300 organizations in critical infrastructure sectors such as the medical, manufacturing and technology industries” is not the sort of news you want to hear. Nonetheless, facts are facts. And the facts are not that great for team blue.
Medusa gets in via some unpatched CVE, often your firewall or VPN, or sometimes your monitoring tools (e.g. SolarWinds).
Medusa uses “Living of the Land” techniques, meaning, it uses the same tools you do. The biggest ones are Windows-oriented (PowerShell, CMD, WMI).
It uses lateral traversal, walking sideways through the network via open ports with vulnerable services, such as:
21(FTP)22(SSH)23(Telnet)80(HTTP)115(SFTP)443(HTTPS)1433(SQL database)3050(Firebird database)3128(HTTP web proxy)3306(MySQL database)3389(RDP)
Since it is minimising the executable space, it is not caught by anti-virus or endpoint detection type tools. It also has counter-measures, e.g. installing a signed, vulnerable driver that can then disable the endpoint protection tool.
To add insult to injury, it uses security tools like Cloudflared to obtain a secure command and control channel.
CISA had this to say on immediate actions to take.
For more information on how to detect if you have an issue, or protect from the issue of Medusa, read the advisory.
The best enduring protection against threats like Medusa is Defence In Depth. And a Zero Trust product like Agilicus AnyX is the best means of reducing the lateral traversal risk, and, of protecting the inbound infection risk. Ask me how.