Researchers Hack Medusa Ransomware Group’s Cloud

In a recent attack attributed to the Medusa ransomware group, researchers infiltrated the attackers’ cloud storage, which held exfiltrated victim data. The attackers had used Rclone, a popular tool that many ransomware groups employ for data exfiltration.

While cloud storage providers like mega.nz and mega.io are common destinations for ransomware exfiltration, Medusa opted for a less conventional choice: put.io. This discovery was made possible by analyzing a configuration file left behind by the attackers, which inadvertently exposed their storage preference.

dropping rclone.exe

An investigation revealed that a threat actor used rclone.exe, a tool for cloud storage management, to exfiltrate data from a datacenter (DC). 

Rclone’s configuration file (conf.txt), found in the compromised system’s C:\Windows\AppCompat directory, indicated that the actor used the put.io service, a cloud storage provider, as the destination for stolen data.

conf.txt file
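The article does not reproduce the recovered conf.txt, but an rclone configuration is an INI-style file in which each `[remote]` section carries a `type` (for example `putio` or `mega`) and, usually, a credential such as `token` or `pass`. The following added example (not code from the article or from the Dark Atlas researchers) shows how an incident responder can triage such a file from a host: it lists every configured remote, flags which ones point at third-party cloud storage, and records a short hash fingerprint of any credential instead of the secret itself, so the same token can be correlated across hosts without being copied around. The sample config, the list of cloud remote types and the credential key names are assumptions constructed for the example.

```python
import configparser
import hashlib

# Constructed sample in rclone's INI-style config format; it is NOT the
# conf.txt recovered in the incident. Secrets are obvious placeholders.
SAMPLE_CONF = """\
[remote]
type = putio
token = {"access_token":"EXAMPLE_ACCESS_TOKEN","token_type":"Bearer","expiry":"2030-01-01T00:00:00Z"}

[backup]
type = mega
user = user@example.invalid
pass = EXAMPLE_OBSCURED_PASSWORD
"""

# Remote types that point at third-party cloud storage. This is an assumed
# triage list an analyst would maintain, not something from the article.
CLOUD_REMOTE_TYPES = {"putio", "mega", "drive", "dropbox", "onedrive", "s3", "b2"}

# Option names under which rclone commonly stores credentials (assumed list).
CREDENTIAL_KEYS = ("token", "pass", "client_secret", "secret_access_key", "key")


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix so a secret can be correlated across hosts without being handled."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def triage_rclone_conf(text: str) -> list[dict]:
    """Parse rclone config text and return one finding per configured remote.

    Only '=' is treated as a key/value delimiter because rclone token values
    are JSON blobs that contain ':' characters.
    """
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    findings = []
    for name in parser.sections():
        section = parser[name]
        remote_type = section.get("type", "").strip().lower()
        # Hash, never store, whatever credential material the remote carries.
        secrets = {k: fingerprint(section[k]) for k in CREDENTIAL_KEYS if k in section}
        findings.append({
            "name": name,
            "type": remote_type,
            "is_cloud_remote": remote_type in CLOUD_REMOTE_TYPES,
            "has_credentials": bool(secrets),
            "credential_fingerprints": secrets,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_rclone_conf(SAMPLE_CONF):
        print(finding)
```

Run against a real conf.txt by reading the file into `triage_rclone_conf`; a remote whose type is a cloud provider and that carries a credential is the destination to preserve as evidence and to report to the provider for token revocation.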

While the official API, designed for programmatic access, required both a client ID and a client secret for full access, the researchers found that the put.io application itself relied solely on a user token for authentication.

This means that anyone who obtained another user’s token would have complete control over that user’s cloud storage on put.io.

Burp Suite request and response

Using Burp Suite, a web proxy tool frequently employed in penetration testing, they examined network traffic and identified and intercepted the user token that the application used for login.

With this token in hand, the researchers could replace their own token with the target user’s token (Medusa’s in this case), which effectively bypassed the intended multi-factor authentication process, highlighting a security vulnerability in the application logic.

A malicious actor might have taken advantage of the vulnerability to steal confidential information from the victim’s cloud storage account or even infect their files with malware.

They gained access to a victim’s account, possibly through a compromised email address, which enabled the attacker to view exfiltrated data, including data belonging to the Kansas City Area Transportation Authority (KCATA).

They then initiated a data repatriation process, likely by creating and downloading compressed archives containing the stolen customer data.

Data from Kansas City Area Transportation Authority

To mitigate the Medusa gang’s attack, they rapidly automated victim identification using a Python script, which allowed data recovery to begin before the attackers could escalate the damage.

Subsequently, a targeted deletion of sensitive victim files was executed. Proactive outreach to affected individuals commenced, offering comprehensive recovery assistance to minimize the incident’s impact. 

Dark Atlas Squad created a Sigma rule named “DNS Query to Put.io” to identify potentially suspicious activity within the network. The rule focuses on Windows DNS client logs and searches for specific events.

It flags queries containing keywords related to Put.io’s upload and API functionality (“api.put.io”, “upload.put.io”, “s111.put.io”). While legitimate Put.io usage could also trigger this rule, it aims to detect potential data exfiltration attempts through the Put.io service.
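The article names the rule's three indicators but does not reproduce the Sigma rule itself. The following added example (not the Dark Atlas Squad rule and not code from the article) re-implements the described logic in Python over constructed DNS-query log lines, so the rule's behaviour can be checked before it is deployed: it parses Sysmon-style DnsQuery (Event ID 22) records, matches the three put.io indicators the article lists, and supports an allowlist of process images for sanctioned clients, which is how the false positives the article warns about would be handled. The log line format, the file paths and the putio-client.exe allowlist entry are assumptions made for the example.

```python
import re

# The three indicators the article says the Sigma rule looks for.
PUTIO_INDICATORS = ("api.put.io", "upload.put.io", "s111.put.io")

# Constructed log lines loosely modelled on Sysmon Event ID 22 (DnsQuery)
# exported as text. They are NOT real logs from the incident; paths are made up.
SAMPLE_LOG_LINES = [
    "EventID: 22 | Image: C:\\Windows\\AppCompat\\rclone.exe | QueryName: api.put.io",
    "EventID: 22 | Image: C:\\Program Files\\Browser\\browser.exe | QueryName: www.example.com",
    "EventID: 22 | Image: C:\\Windows\\AppCompat\\rclone.exe | QueryName: upload.put.io",
    "EventID: 22 | Image: C:\\Users\\alice\\Downloads\\rclone.exe | QueryName: s111.put.io",
    "EventID: 22 | Image: C:\\Program Files\\Browser\\browser.exe | QueryName: put.io",
    "EventID: 22 | Image: C:\\Program Files\\Putio\\putio-client.exe | QueryName: api.put.io",
    "EventID: 1 | Image: C:\\Windows\\AppCompat\\rclone.exe | CommandLine: rclone.exe copy ...",
]

# Field layout of the constructed lines above; adjust for a real log export.
LINE_RE = re.compile(
    r"EventID:\s*(?P<event_id>\d+)\s*\|\s*Image:\s*(?P<image>[^|]+?)\s*\|\s*QueryName:\s*(?P<query>\S+)"
)


def parse_dns_event(line: str):
    """Return a dict for a DNS-query line, or None if the line is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "event_id": int(m.group("event_id")),
        "image": m.group("image"),
        "query_name": m.group("query").lower(),
    }


def matches_putio_rule(event: dict) -> bool:
    """Mirror of the described rule: a DNS query containing one of the put.io indicators."""
    return event["event_id"] == 22 and any(ind in event["query_name"] for ind in PUTIO_INDICATORS)


def find_putio_queries(lines, allowed_images=()):
    """Run the rule over raw lines; processes in allowed_images are treated as sanctioned."""
    allowed = {p.lower() for p in allowed_images}
    hits = []
    for line in lines:
        event = parse_dns_event(line)
        if event is None or not matches_putio_rule(event):
            continue
        if event["image"].lower() in allowed:
            continue  # known-good put.io client; suppress to cut false positives
        hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_putio_queries(SAMPLE_LOG_LINES):
        print(f"ALERT {hit['image']} queried {hit['query_name']}")
```

Note that a bare query for `put.io` does not match, because the rule keys on the API and upload hostnames; whether to widen the match to the whole domain is a tuning decision for the environment, and the allowlist is where legitimate Put.io use is carved out rather than by weakening the indicators.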

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
