Researchers Hacked into Medusa Ransomware Group’s Cloud Storage


The Medusa Ransomware Group suffered a significant operational security (OPSEC) failure, stemming from the group's use of Rclone, a tool widely abused for data exfiltration, to store stolen data in the cloud storage service put.io.

The key issue was a misconfigured Rclone configuration file that contained access tokens and other credentials, inadvertently allowing unauthorized access to the group's storage.


The researchers exploited this oversight to infiltrate the Medusa group's cloud storage, gaining access to a trove of stolen data.

Inside the cloud storage, the investigators found files the Medusa group had stored, including sensitive data from victims such as the Kansas City Area Transportation Authority. This access allowed them not only to recover critical files but also to delete them, mitigating potential harm to the victims.

An attacker used Rclone, a tool for cloud storage management, to steal data from a compromised system. 

conf.txt file

Rclone's configuration file (conf.txt), found in C:\Windows\AppCompat, showed that the attacker used the put.io service to exfiltrate data. This suggests the attacker relied on a pre-configured cloud storage account for data theft, and it highlights the importance of securing cloud storage credentials and monitoring for unauthorized access.


The exposure of these operational missteps underscores the importance of secure configuration and vigilant monitoring of tools and services used in cyber operations.

The infiltration of the Medusa group's storage also yielded valuable intelligence on the group's operations, methods, and targets. It has broader implications for cybersecurity, particularly regarding secure cloud storage practices and the risks of leaving sensitive information in easily accessible locations.

put.io API documentation

The work also led to the development of a Sigma rule, a type of detection rule for Security Information and Event Management (SIEM) systems, to identify similar incidents involving the use of put.io for data exfiltration.

The rule is intended to strengthen security teams' detection and response capabilities against similar put.io exfiltration in the future, so that OPSEC failures of this kind are caught rather than exploited.
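As an added example (not from the article or from Dark Atlas Squad), the Python below shows the two checks a defender would build around this incident: auditing a recovered rclone-style config for put.io remotes and stored credentials, and scoring process-creation events the way a Sigma rule targeting this activity would. The config contents, the Sysmon-style log format and field names, the list of "unusual" directories and the credential key names are all assumptions constructed for illustration. It also correlates the two sources, because the remote name on an rclone command line is user-chosen and does not by itself reveal that the provider is put.io.

```python
"""Audit an rclone config for put.io remotes and score rclone process events.

Added example. The config, the log lines and the directory/key lists below
are constructed assumptions, not data from the article.
"""
import configparser
import re
from typing import Dict, Iterable, List

# Constructed rclone config. rclone stores each remote as an INI section with
# a "type" key; the token is a placeholder, not a real credential.
SAMPLE_RCLONE_CONF = """\
[stash]
type = putio
token = {"access_token":"PLACEHOLDER_TOKEN","token_type":"Bearer"}

[localcopy]
type = local
"""

# Remote types to alert on: put.io is the one named in the article.
ALERT_REMOTE_TYPES = {"putio"}
# Keys rclone commonly uses for secrets (assumption: not exhaustive).
CREDENTIAL_KEYS = {"token", "pass", "password", "key", "secret_access_key"}
# Directories where a legitimate rclone config or binary would not normally
# live (assumption: tune per environment).
ODD_DIRS = ("c:\\windows\\", "c:\\programdata\\", "c:\\perflogs\\")

# Constructed Sysmon-style process-creation lines (key=value pairs).
SAMPLE_PROCESS_EVENTS = [
    r'EventID=1 Image=C:\Windows\AppCompat\rclone.exe CommandLine="rclone.exe copy C:\Finance stash:kcata --config C:\Windows\AppCompat\conf.txt"',
    r'EventID=1 Image=C:\Windows\System32\svchost.exe CommandLine="svchost.exe -k netsvcs"',
    r'EventID=1 Image=C:\Users\alice\rclone\rclone.exe CommandLine="rclone.exe sync D:\photos gdrive:photos"',
]

RCLONE_RE = re.compile(r"rclone(\.exe)?\b", re.IGNORECASE)
CONFIG_FLAG_RE = re.compile(r'--config[= ]"?([^\s"]+)', re.IGNORECASE)
# rclone addresses a remote as NAME:path; drive letters (C:\) and URLs are
# excluded by the lookahead.
REMOTE_RE = re.compile(r"(?<![\w:\\])([A-Za-z0-9_-]+):(?![\\/])")


def audit_rclone_config(text: str) -> List[Dict[str, object]]:
    """One finding per remote: type, whether it is an alert type, and which
    credential keys it holds. Secret values never leave this function."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for remote in parser.sections():
        section = parser[remote]
        remote_type = section.get("type", "").strip().lower()
        creds = sorted(k for k in section if k.lower() in CREDENTIAL_KEYS)
        findings.append({
            "remote": remote,
            "type": remote_type,
            "alert": remote_type in ALERT_REMOTE_TYPES,
            "credential_keys": creds,
        })
    return findings


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value / key="quoted value" log line into a dict."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    }


def score_rclone_event(line: str,
                       config_findings: Iterable[Dict[str, object]] = ()
                       ) -> Dict[str, object]:
    """Return the reasons an event looks like rclone-based exfiltration.
    'suspicious' needs more than the bare fact that rclone ran."""
    ev = parse_event(line)
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    reasons: List[str] = []
    if not (RCLONE_RE.search(image) or RCLONE_RE.search(cmd)):
        return {"rclone": False, "suspicious": False, "reasons": reasons}
    reasons.append("rclone process")
    if "putio" in cmd.lower() or "put.io" in cmd.lower():
        reasons.append("put.io referenced on command line")
    if image.lower().startswith(ODD_DIRS):
        reasons.append(f"rclone binary in unusual directory: {image}")
    m = CONFIG_FLAG_RE.search(cmd)
    if m and m.group(1).lower().startswith(ODD_DIRS):
        reasons.append(f"config file in unusual directory: {m.group(1)}")
    # Correlate with the recovered config: the remote name alone says nothing
    # about the provider, but the config's "type" does.
    alert_remotes = {f["remote"] for f in config_findings if f["alert"]}
    for name in REMOTE_RE.findall(cmd):
        if name in alert_remotes:
            reasons.append(f"remote '{name}' is a put.io remote in the config")
    return {"rclone": True, "suspicious": len(reasons) > 1, "reasons": reasons}


if __name__ == "__main__":
    findings = audit_rclone_config(SAMPLE_RCLONE_CONF)
    for f in findings:
        print(f)
    for line in SAMPLE_PROCESS_EVENTS:
        print(score_rclone_event(line, findings))
```

The split between `audit_rclone_config` and `score_rclone_event` mirrors what a SIEM rule can and cannot see: a rule keyed on process creation catches rclone running from an odd path with an odd `--config`, but only the recovered config (or the network destination) ties the activity to put.io.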

The OPSEC failure of the Medusa Ransomware Group emphasizes how important it is to have strong security procedures, particularly when managing stolen data and utilizing cloud services. 

Burp Suite request and response

Dark Atlas Squad capitalized on a security misconfiguration (an OPSEC weakness) in the Medusa Ransomware Group's attack, which allowed them to infiltrate the group's cloud storage for a limited time and examine the data it had been exfiltrating from victims.

The investigation revealed that Medusa utilized Rclone, a popular data exfiltration tool commonly employed by ransomware groups, to steal data from compromised systems. 

While Rclone boasts support for over 70 cloud storage providers, the Medusa Ransomware Group opted for the less-common put.io service to stash their ill-gotten gains.
