Initial access to the network, not to be confused with the high-level access granted by using the deceased credentials, was gained by exploiting vulnerable versions of Citrix or Remote Desktop Protocol. Or more accurately, the attacker gained access to that admin account, then spent one month quietly moving around to steal credentials for a domain admin account, finding the trove of data they wanted, exfiltrating hundreds of GB of data, and then finally announcing their presence with the ransomware attack.” “The team determined the attacker had compromised an admin account with high level access about one month before launching Nefilim ransomware. Once researchers began analyzing the attack, they soon discovered that an account previously belonging to a deceased employee was used to compromise the company network. The ransomware has also been spread by the Phorpiex botnet in the past.Īccording to Sophos, a company reached out to the security firm in response to suffering a ransomware attack that managed to successfully target more than 100 systems. Nefilim is perhaps best known for their successful attack on appliance manufacturing giant Whirlpool towards the very end of 2020. In a new report by security firm Sophos, the gang behind the Nefilim ransomware, also called Nemty, are using stolen credentials belonging to deceased individuals to compromise networks.
0 kommentar(er)
