Huntress
@huntress.com
huntress.com
Managed endpoint protection, detection and response designed to help the 99% fight back against today’s cybercriminals.
🛡️ Defensive Actions:
👉 Deploy a SIEM and detect on it – Catch brute force attempts before successful access.
👉 Enable MFA on VPN – Stop compromised credentials from granting access.
May 13, 2025 at 4:31 PM
Key Takeaways:
👉 SIEM Would Have Stopped This Early – brute force detections are only in the SIEM, not the EDR.
👉 EDR Detected the threat actor on their Windows-based attack phase – The 18-minute gap gave attackers time to act.
May 13, 2025 at 4:31 PM
🕐 01:03:29 UTC – EDR detects Credential theft
➡️ reg save hklm\system system
➡️ C:\Users\<redacted>\AppData\Local\Temp\lazagne.exe all

🕐 01:11:10 UTC – Huntress neutralises the intrusion
May 13, 2025 at 4:31 PM
Timeline of the Attack:
🕛 00:45:43 UTC – VPN Compromise
➡️ A brute-force attack led to initial access. This was discovered through retrospective forensic analysis.
➡️ Huntress' SIEM would have caught this had it been deployed in the network.
May 13, 2025 at 4:31 PM
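The SIEM-versus-EDR gap in the timeline above, as an added example that is not Huntress code: a brute-force-then-success rule run over constructed VPN authentication lines, a command-line match for the `reg save hklm\system` / LaZagne activity, and the number of seconds between the two first hits. The log field layout, IP addresses and user names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample VPN authentication log (field layout is an assumption).
VPN_LOG = """\
2025-05-13T00:45:01Z vpn auth=fail user=jdoe src=203.0.113.5
2025-05-13T00:45:05Z vpn auth=fail user=jdoe src=203.0.113.5
2025-05-13T00:45:12Z vpn auth=fail user=jdoe src=203.0.113.5
2025-05-13T00:45:20Z vpn auth=fail user=asmith src=203.0.113.5
2025-05-13T00:45:31Z vpn auth=fail user=jdoe src=203.0.113.5
2025-05-13T00:45:43Z vpn auth=success user=jdoe src=203.0.113.5
2025-05-13T00:50:00Z vpn auth=success user=bob src=198.51.100.7
"""
# Constructed EDR process events: (timestamp, command line).
EDR_EVENTS = [
    ("2025-05-13T01:03:29Z", r"reg save hklm\system system"),
    ("2025-05-13T01:03:29Z", r"C:\Users\x\AppData\Local\Temp\lazagne.exe all"),
    ("2025-05-13T01:04:00Z", r"C:\Windows\System32\notepad.exe"),
]
# Command-line substrings matching the credential-theft step in the timeline.
CRED_THEFT = ("reg save hklm\\system", "reg save hklm\\sam", "lazagne")

def parse_vpn(line):
    """Split 'TIMESTAMP vpn k=v k=v ...' into (datetime, {k: v})."""
    ts, _, rest = line.split(" ", 2)
    return datetime.strptime(ts, FMT), dict(f.split("=", 1) for f in rest.split())

def brute_force_then_success(log, threshold=5, window=timedelta(minutes=5)):
    """SIEM-style rule: a success from a source IP that produced >= threshold
    failures inside the window. Returns (time, src, user, failure_count)."""
    fails, hits = defaultdict(list), []
    for line in log.splitlines():
        ts, kv = parse_vpn(line)
        recent = [t for t in fails[kv["src"]] if ts - t <= window]  # drop old failures
        if kv["auth"] == "fail":
            recent.append(ts)
        elif len(recent) >= threshold:
            hits.append((ts, kv["src"], kv["user"], len(recent)))
        fails[kv["src"]] = recent
    return hits

def credential_theft(events):
    """EDR-style rule: flag process command lines containing known dump tooling."""
    return [(datetime.strptime(ts, FMT), cmd) for ts, cmd in events
            if any(s in cmd.lower() for s in CRED_THEFT)]

def detection_gap_seconds(log=VPN_LOG, events=EDR_EVENTS):
    """Seconds between the first SIEM hit and the first EDR hit (the 'gap')."""
    first_siem = min(h[0] for h in brute_force_then_success(log))
    first_edr = min(h[0] for h in credential_theft(events))
    return int((first_edr - first_siem).total_seconds())
```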
These behaviours echo Makop ransomware, and they're often paired with attempts to gain long-term footholds via remote access tools.

We have observed these tactics in previous incidents and were able to catch and neutralize the threat to this IT org before it could wreak havoc.
May 8, 2025 at 3:30 PM
🔥 RDP Enabled for Further Access: Modified the firewall to reopen RDP using CLI commands.

If you see renamed remote access binaries or odd PsExec usage, you may be facing more than a nuisance script kiddie.
May 8, 2025 at 3:30 PM
🔑 Followed up with brute-force credential attacks tied to known Makop tooling.
🚀 Lateral Movement & Persistence: Deployed a renamed Mesh Agent via PsExec.
🔍 Attempted to disguise their remote access tool as a benign binary (wvspbind.exe).
May 8, 2025 at 3:30 PM
💡 Key lessons for IT pros:
🎯 Always place exposed RDP behind a VPN and enable MFA
🎯 Enforce strong passwords across all user accounts
🎯 Disable unused accounts that haven’t been touched for 30+ days
May 6, 2025 at 3:42 PM
At this point, Defender triggered alerts for ransomware deployment and Managed EDR powered by our expert SOC, swiftly isolated the network to stop lateral movement and prevent further encryption.
May 6, 2025 at 3:42 PM
The bad guys authenticated using a suspicious IP and workstation name. But as you check out below, they began to stage files in the “Music” directory on the host.

Moving quickly, they pivoted to deleting shadow copies to prevent recovery after encryption.
May 6, 2025 at 3:42 PM
When notorious infostealer “Celestial Stealer” spots specific names, it shuts down, and one of those belongs to one of our own - @jaiminton.com.

Wanna use Celestial Stealer to hack a business protected by Huntress? You're a daisy if you do.
May 5, 2025 at 3:27 PM
How can you avoid incidents like these? 🔽

➡️ Enable MFA on all VPN logins (no exceptions).
➡️ Use IP restrictions to block unused locations.
➡️ Monitor and centralize VPN telemetry.
➡️ Commit to strong password policies.
April 30, 2025 at 7:40 PM
With SIEM and EDR in place, our SOC acted fast.

By combining Active Directory and VPN telemetry, we tracked the compromised account and launched network-wide isolation, shutting down lateral movement and blocking potential ransomware.
April 30, 2025 at 7:40 PM
✅ The attacker used a compromised VPN account (no MFA) to log in with a malicious device.
✅ Explored the network, hid findings in a shady folder, & dug through browser cookies for auth info.
✅ Files were staged on the network file server, ready for exfiltration or encryption.
April 30, 2025 at 7:40 PM
➕ Threat actors continue to target this flaw with 24 different orgs now compromised
➕ We observed several organizations targeted on April 21 in attacks that used several overlapping ping commands

We’ll continue giving updates on this exploit as we gather more details: www.huntress.com/blog/cve-202...
CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild | Huntress
Huntress has observed in the wild exploitation against CVE-2025-30406, a weakness due to hardcoded cryptographic keys.
www.huntress.com
April 22, 2025 at 1:07 PM
But our SOC swooped in and booted them out before more damage was done.

Don’t slack on security hygiene:
➡️ Enable MFA for all externally facing services
➡️ Require strong passwords and enforce time-of-day restrictions—all it takes is one compromised account to gain access
April 17, 2025 at 2:57 PM