Researchers Hacked into Medusa Ransomware Group’s Cloud Storage
The Medusa ransomware group suffered a notable operational security (OPSEC) failure, which came down to the group's use of Rclone, a widely used data exfiltration utility, to store stolen data in the put.io cloud storage service.
The key problem was a misconfigured Rclone configuration file that contained access tokens and other credentials, inadvertently allowing unauthorized access to the group's storage.
The researchers exploited this oversight to infiltrate the Medusa group's cloud storage, gaining access to a trove of stolen data.
Upon accessing the cloud storage, the investigators found that the Medusa group had stored a range of data, including sensitive data from its victims, such as the Kansas City Area Transportation Authority, allowing them not only to retrieve but also to delete critical data, mitigating potential damage to the victims.
The attacker used Rclone, a cloud storage management utility, to steal data from a compromised system.
Rclone's configuration file (conf.txt) in C:\Windows\AppCompat indicated that the attacker used the put.io service to exfiltrate data, suggesting the attacker leveraged a pre-configured cloud storage account for data theft; this highlights the importance of securing cloud storage credentials and monitoring for unauthorized access.
The exposure of these operational missteps underscores the importance of secure configuration and vigilant monitoring of the tools and services used in cyber operations.
The infiltration of the Medusa group's storage also provided important intelligence on the group's operations, techniques, and targets, which has broader implications for cybersecurity, particularly concerning the importance of secure cloud storage practices and the risks of leaving sensitive data in easily accessible locations.
Figure: put.io API documentation
The investigation also led to the development of a Sigma rule, a type of detection rule for Security Information and Event Management (SIEM) systems, to identify similar incidents involving the use of put.io for data exfiltration.
To prevent similar OPSEC failures from being exploited in the future, this rule aims to improve cybersecurity teams' detection and response capabilities.
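The two signals the article describes, an Rclone configuration file holding plaintext cloud credentials and Rclone invocations that push data to a put.io remote, can be checked with a small script. The following is an added example written for this page; it is not the article's Sigma rule nor code from the researchers. It assumes Rclone's INI-style config format with a `putio` backend whose OAuth credential is stored under `token`, and it runs over constructed process-creation events (Sysmon Event ID 1-like image and command line pairs). The config path `C:\Windows\AppCompat\conf.txt` is taken from the article; everything else (remote names, file paths, token value) is made up.

```python
"""
Added example (not from the article): detection checks for the Rclone / put.io
exfiltration pattern.

1. scan_rclone_config()  - parse an rclone config (INI format) and flag remotes
   that embed credentials in plaintext, reporting the backend type.
2. putio_remote_names()  - collect the names of remotes whose backend is put.io,
   because a command line only shows the remote *name*, never the backend.
3. scan_process_events() - Sigma-style logic over process-creation events:
   selection = rclone process; condition = selection AND (put.io remote OR
   a --config path outside rclone's default location).

All sample data below is constructed for this example.
"""
import configparser
import re

# Constructed rclone config. The "putio" backend keeps its OAuth credential as a
# JSON blob under the "token" key, so the whole secret sits in the file.
SAMPLE_RCLONE_CONF = """
[backup]
type = local

[exfil]
type = putio
token = {"access_token":"EXAMPLE_TOKEN_PLACEHOLDER","token_type":"bearer","expiry":"2030-01-01T00:00:00Z"}
"""

# Keys rclone backends use for secrets (non-exhaustive, chosen for the example).
CREDENTIAL_KEYS = {"token", "access_token", "pass", "password",
                   "secret_access_key", "client_secret"}

# Rclone's default Windows config lives at %APPDATA%\rclone\rclone.conf;
# anything else passed via --config is worth a second look.
DEFAULT_CONFIG_RE = re.compile(r"\\rclone\\rclone\.conf$", re.IGNORECASE)

# Constructed process-creation events: (image path, command line).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    (r"C:\Windows\AppCompat\rclone.exe",
     r"rclone.exe copy C:\Shares\Finance exfil:data --config C:\Windows\AppCompat\conf.txt -q"),
    (r"C:\Tools\rclone.exe", r"rclone.exe sync D:\Backups s3:corp-backups"),
]


def _parse(text):
    # Only "=" as delimiter: the JSON token value contains ":" characters.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    return parser


def scan_rclone_config(text):
    """Return [(remote_name, backend_type, [credential_keys])] for every remote
    that stores credentials in the file."""
    parser = _parse(text)
    findings = []
    for remote in parser.sections():
        section = parser[remote]
        creds = sorted(k for k in section if k in CREDENTIAL_KEYS)
        if creds:
            findings.append((remote, section.get("type", "unknown"), creds))
    return findings


def putio_remote_names(text):
    """Names of remotes configured with the put.io backend."""
    parser = _parse(text)
    return {r for r in parser.sections() if parser[r].get("type", "").lower() == "putio"}


def scan_process_events(events, putio_remotes):
    """Return [(command_line, [reasons])] for rclone runs that target a put.io
    remote or use a non-default config path."""
    hits = []
    for image, cmdline in events:
        if not (image.lower().endswith("rclone.exe") or "rclone" in cmdline.lower()):
            continue
        reasons = []
        # Remote specs look like "<name>:<path>"; match only names known to be put.io.
        for name in sorted(putio_remotes):
            if re.search(rf"\b{re.escape(name)}:", cmdline):
                reasons.append(f"putio_remote:{name}")
        m = re.search(r"--config[= ]+(\S+)", cmdline)
        if m and not DEFAULT_CONFIG_RE.search(m.group(1)):
            reasons.append(f"nondefault_config:{m.group(1)}")
        if reasons:
            hits.append((cmdline, reasons))
    return hits


if __name__ == "__main__":
    for finding in scan_rclone_config(SAMPLE_RCLONE_CONF):
        print("credentials in config:", finding)
    remotes = putio_remote_names(SAMPLE_RCLONE_CONF)
    for cmdline, reasons in scan_process_events(SAMPLE_EVENTS, remotes):
        print("suspicious rclone run:", reasons, "<-", cmdline)
```

The design point worth noting is in `scan_process_events`: a command line such as `rclone copy ... exfil:data` reveals only the operator-chosen remote name, so a rule keyed on the literal string `putio` would miss it. Pairing the process event with the recovered configuration file (as the investigators could here) resolves the name to its backend; on a host where the config is unavailable, the non-default `--config` path is the more robust indicator.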
The OPSEC failure of the Medusa ransomware group emphasizes how important it is to have strong security procedures, particularly when managing stolen data and using cloud services.
The Black Atlas team capitalized on a security misconfiguration (OPSEC weakness) in the Medusa ransomware group's attack infrastructure, allowing them to infiltrate the group's cloud storage for a short time and view the data it had been exfiltrating from its victims.
The investigation revealed that Medusa used Rclone, a popular data exfiltration utility commonly employed by ransomware groups, to steal data from compromised systems.
While Rclone boasts support for over 70 cloud storage providers, the Medusa ransomware group opted for the less common put.io service to stash its ill-gotten gains.
Source credit : cybersecuritynews.com