Hide Your RDP: Password Spray Leads to RansomHub Deployment
- Initial access was via a password spray attack against an exposed RDP server, targeting numerous accounts over a four-hour period. Mimikatz and Nirsoft were used to harvest credentials, with evidence of LSASS memory access. Discovery was accomplished using living-off-the-land binaries as well as Advanced IP Scanner and NetScan. Rclone was used to exfiltrate data to a remote server using SFTP. The threat actor deployed RansomHub ransomware network wide, which spread over SMB and was executed using remote services.