This threat report describes a sophisticated multi-stage cyberattack leveraging exposed Remote Desktop Protocol (RDP) servers as the initial attack vector. The attackers employed a password spray technique to gain unauthorized access to vulnerable RDP endpoints. Password spraying involves systematically attempting commonly used passwords across many accounts to avoid account lockouts and detection. Once initial access was achieved, the adversaries used credential harvesting tools such as Mimikatz and Nirsoft utilities to extract plaintext credentials and hashes from compromised systems. This credential theft facilitated lateral movement within the network, allowing the attackers to escalate privileges and expand their foothold. The attackers utilized living-off-the-land (LotL) techniques, leveraging legitimate system tools and utilities to avoid detection. For network discovery, they used Advanced IP Scanner, enabling them to map the internal network and identify additional targets. Data exfiltration was conducted using Rclone, a legitimate cloud storage synchronization tool, configured to transfer stolen data via SFTP to attacker-controlled infrastructure. The final stage involved deploying RansomHub ransomware across the network, using SMB and remote services to propagate and encrypt files on multiple systems. The entire intrusion persisted for six days, culminating in widespread encryption of organizational data and ransom demands. This attack chain highlights the threat actor’s operational sophistication, combining brute-force initial access, credential theft, stealthy lateral movement, data exfiltration, and ransomware deployment. The use of common administrative tools and legitimate software complicates detection and response efforts. The absence of a CVSS score notwithstanding, the attack demonstrates significant risk due to its multi-vector approach and potential for severe operational disruption.

For European organizations, this threat poses substantial risks to confidentiality, integrity, and availability of critical data and systems. The initial compromise via exposed RDP servers is a common vulnerability in many enterprises, particularly those with remote work infrastructures. Successful exploitation can lead to widespread credential compromise, enabling attackers to move laterally and escalate privileges, thereby undermining network security comprehensively. Data exfiltration risks the exposure of sensitive personal data protected under GDPR, potentially resulting in regulatory penalties and reputational damage. The deployment of RansomHub ransomware can cause significant operational downtime, financial losses due to ransom payments or recovery costs, and disruption of essential services. Given the attack duration of six days, organizations may experience prolonged exposure and damage before detection and remediation. The use of living-off-the-land techniques and legitimate tools increases the likelihood of evading traditional security controls, complicating incident response. European organizations with insufficiently hardened RDP configurations, weak password policies, or inadequate network segmentation are particularly vulnerable. The threat also underscores the importance of monitoring for anomalous use of administrative tools and network scanning activities.

1. Restrict RDP exposure: Disable direct internet-facing RDP access. Use VPNs or secure gateways with multi-factor authentication (MFA) to access RDP services. 2. Enforce strong password policies and account lockout thresholds to mitigate password spray attacks. Implement MFA on all remote access points. 3. Monitor and restrict use of credential dumping tools like Mimikatz by applying application whitelisting and endpoint detection and response (EDR) solutions capable of detecting such behaviors. 4. Employ network segmentation to limit lateral movement opportunities. Critical systems should be isolated with strict access controls. 5. Monitor network traffic for unusual scanning activity (e.g., Advanced IP Scanner) and data exfiltration attempts, especially via uncommon protocols or tools like Rclone. 6. Implement robust logging and continuous monitoring to detect living-off-the-land techniques and anomalous administrative tool usage. 7. Regularly update and patch systems to reduce vulnerabilities that could be exploited during lateral movement. 8. Conduct regular security awareness training focusing on credential security and recognizing signs of compromise. 9. Prepare and test incident response and ransomware recovery plans, including offline backups to ensure data restoration without paying ransom. 10. Use threat intelligence feeds to update detection rules with indicators of compromise (IOCs) such as the hashes and IP addresses provided in the report.