Threat Briefing — Mar 14, 2025

Weekly Threat Briefing - Mar 10 - Mar 14

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

#StopRansomware: Medusa Ransomware

Bottom Line: A joint advisory by CISA, the FBI, and MS-ISAC highlights the rise in Medusa Ransomware-as-a-Service activity targeting various industries along with critical infrastructure. The report provides details on Tactics, Techniques, and Procedures and Indicators of Compromise uncovered during recent investigations by the FBI.

On March 12th, CISA in coordination with the Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint advisory on the Medusa Ransomware-as-a-Service (RaaS) group. The advisory highlights the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IoCs) uncovered during FBI investigations, as recent as February 2025.

Medusa has been active since 2021. Initially a single group both developed and operated the ransomware; over time the operation shifted to an affiliate model in which affiliates carry out intrusions while the core developers retain control of ransom negotiations. Medusa actors use a double extortion strategy: data is stolen before encryption and the victim is threatened with its public release if the ransom is not paid.

Recent FBI investigations have revealed that Medusa RaaS has affected more than 300 victims, including organizations in critical sectors such as infrastructure, healthcare, education, legal, insurance, technology, and manufacturing. According to another blog post by Symantec, Medusa's activity surged by 42% in 2024 compared to the previous year, with the increase continuing into January and February.

Medusa developers rely on Initial Access Brokers (IABs) for entry into victim networks. These IABs commonly obtain access through credential phishing and by exploiting unpatched vulnerabilities in widely used software. For network discovery, the threat actors use tools such as Advanced IP Scanner and SoftPerfect Network Scanner. PowerShell and the Command Prompt were primarily used for network and filesystem enumeration, and Windows Management Instrumentation (WMI) for querying system information. The observed attacks used Living-off-the-Land techniques (LOLT) for discovery and defense evasion, and legitimate tunneling tools such as Ligolo and Cloudflared for Command-and-Control (C2) communication that blends in with normal traffic.

Medusa actors utilized remote management tools such as AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop in combination with the Remote Desktop Protocol (RDP) and PsExec for lateral movement and identifying target files. Rclone was used to exfiltrate data to the C2 server and Sysinternals PsExec, PDQ Deploy, or BigFix were utilized to deploy the encryptor. The encryptor disabled Windows Defender, services related to backups, security, databases, communication, file sharing and websites, then deleted shadow copies. The threat actors communicate with victims through a Tor browser-based live chat or via Tox, an end-to-end encrypted instant messaging platform, to facilitate ransom-related discussions. Medusa runs a data leak site that reveals victim details, countdowns to data release, ransom demands, and direct links to cryptocurrency wallets affiliated with the group.
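The tooling described above (network scanners, tunneling tools, remote management software, PsExec, Rclone, shadow copy deletion and service tampering) is visible in ordinary process-creation telemetry, so a practitioner's first question is what a hunt over that telemetry looks like. The script below is an added example, not part of the CISA advisory or eSentire's own detections. The events are constructed, and their layout (`timestamp|host|user|parent_image|image|command_line`) is an assumption that stands in for a flattened Windows Security 4688 or Sysmon event 1 record; rule names and the three-rule threshold are likewise the author's choices.

```python
"""Hunt for Medusa-style post-compromise tooling in process-creation events.

Added example (not from the CISA advisory or eSentire). SAMPLE_EVENTS is
constructed data; the field layout is an assumption:
timestamp|host|user|parent_image|image|command_line
"""
import re
from dataclasses import dataclass

SAMPLE_EVENTS = [
    "2025-03-11T02:14:05Z|WS-042|corp\\jdoe|explorer.exe|C:\\Tools\\Advanced_IP_Scanner.exe|Advanced_IP_Scanner.exe /portable",
    "2025-03-11T02:20:31Z|WS-042|corp\\jdoe|cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic /node:FS-01 os get name,version",
    "2025-03-11T03:02:10Z|WS-042|corp\\jdoe|cmd.exe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\cloudflared.exe|cloudflared.exe tunnel run --token REDACTED",
    "2025-03-11T03:40:55Z|FS-01|corp\\svc-backup|services.exe|C:\\Windows\\PSEXESVC.exe|PSEXESVC.exe",
    "2025-03-11T03:41:02Z|FS-01|corp\\svc-backup|cmd.exe|C:\\ProgramData\\rclone.exe|rclone.exe copy D:\\Shares\\Finance mega:dump --transfers 8",
    "2025-03-11T04:05:17Z|FS-01|NT AUTHORITY\\SYSTEM|cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "2025-03-11T04:05:20Z|FS-01|NT AUTHORITY\\SYSTEM|cmd.exe|C:\\Windows\\System32\\sc.exe|sc.exe stop WinDefend",
    "2025-03-11T09:00:00Z|WS-017|corp\\asmith|explorer.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|WINWORD.EXE /n",
]

# Each rule is matched against "<image> <command_line>" so it catches both a
# renamed binary with a telltale command line and a known binary name.
RULES = [
    ("network_scanner", re.compile(r"advanced_ip_scanner|advanced ip scanner|\bnetscan(\.exe)?\b|softperfect", re.I)),
    ("tunneling_tool", re.compile(r"\b(cloudflared|ligolo(-ng|-agent|-proxy)?)(\.exe)?\b", re.I)),
    ("remote_admin_tool", re.compile(r"\b(anydesk|atera|connectwise|screenconnect|ehorus|pdq ?(deploy|inventory)|simplehelp|splashtop)\b", re.I)),
    ("psexec", re.compile(r"\bpsexe(c|svc)(\.exe)?\b", re.I)),
    # rclone copying to a named remote ("mega:", "sftp-c2:"); a bare drive letter like D: does not match.
    ("rclone_exfiltration", re.compile(r"\brclone(\.exe)?\s+(copy|copyto|sync|move)\b.*\s[a-z][\w-]+:", re.I)),
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy.*\bdelete\b", re.I)),
    ("defender_or_service_tampering", re.compile(r"\b(sc(\.exe)?\s+(stop|config|delete)|net1?(\.exe)?\s+stop|stop-service)\s+\S*(windefend|sense|mssql|sql|veeam|backup)", re.I)),
]


@dataclass(frozen=True)
class Finding:
    time: str
    host: str
    user: str
    rule: str
    command_line: str


def parse_events(lines):
    """Split flattened events into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        parts = line.split("|", 5)
        if len(parts) != 6:
            continue
        time, host, user, parent, image, cmdline = parts
        events.append({"time": time, "host": host, "user": user,
                       "parent": parent, "image": image, "cmdline": cmdline})
    return events


def scan(events):
    """Return one Finding per (event, rule) match, in event order."""
    findings = []
    for ev in events:
        haystack = f"{ev['image']} {ev['cmdline']}"
        for name, pattern in RULES:
            if pattern.search(haystack):
                findings.append(Finding(ev["time"], ev["host"], ev["user"], name, ev["cmdline"]))
    return findings


def flagged_hosts(findings, threshold=3):
    """Hosts on which at least `threshold` distinct rules fired.

    A single hit (an admin legitimately running PsExec) is noise; several
    different stages on one host within the window is an intrusion in progress.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    found = scan(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f.time} {f.host:<6} {f.rule:<30} {f.command_line}")
    print("hosts to isolate:", flagged_hosts(found))
```

Run against the constructed events, the file server FS-01 trips four distinct rules (PsExec service, Rclone to a remote, shadow copy deletion, Defender service stop) and is the host to isolate, while the workstation WS-042 shows the earlier discovery and tunneling stage. The rules are deliberately narrow to the tools named in the advisory; in production they belong in the EDR or SIEM query language rather than a script, and the service-tampering and shadow-copy rules should page immediately regardless of the threshold, since by then encryption is minutes away.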

Medusa RaaS is distinct from the older MedusaLocker ransomware and is not believed to be linked to it.

eSentire Threat Intelligence Analysis:

The multi-layered extortion model has become common among RaaS operations and ransomware groups because it applies additional pressure on victims to pay. Medusa RaaS, along with groups like BianLian, has demonstrated the effectiveness of this model, posing a significant threat to organizations.

While paying may appear to be the less harmful option for victims, since it seems to prevent public disclosure of stolen data, it is strongly recommended not to pay the ransom. Payment guarantees neither recovery of the data nor its continued confidentiality. Victims should instead focus on conducting a thorough investigation and ensuring that robust backup and recovery systems are in place to mitigate future risk. In some cases, threat actors impersonate members of a ransomware group to extort payments for an intrusion that never happened; a thorough investigation establishes whether the incident was genuinely a ransomware attack or a different type of threat. An example of this is the FBI's recent public service announcement warning of a scam in which criminals mail physical ransom letters falsely claiming to be from the BianLian ransomware group.

Critical infrastructure industries are the cornerstone of a nation's stability and security. Failing to protect these sectors can have far-reaching consequences: disrupting essential services such as water treatment facilities, undermining economic stability, and jeopardizing national security. Their protection is not just a matter of safeguarding assets, but a crucial step in maintaining the nation's overall operational integrity.

Medusa RaaS attacks rely on exploiting vulnerabilities in commonly used software, on legitimate tools for network discovery, lateral movement and C2 communication, and on Living-off-the-Land techniques, all of which help the actors avoid detection. It is crucial to operate an effective vulnerability and patch management program that keeps software up to date. Organizations should permit the download and installation of authorized software only, and remote management tools that are not required should be removed or blocked in the environment. A robust Endpoint Detection and Response (EDR) solution must be in place to monitor for and detect malicious activity, including the abuse of legitimate administrative tools. CISA also recommends network segmentation to protect critical assets by preventing lateral movement.

The eSentire MDR Suite is equipped with detections to identify activities linked to Medusa RaaS. The eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to the flaws frequently exploited by Medusa RaaS, as outlined in CISA’s report.

Microsoft Patch Tuesday

Bottom Line: March 11th marked Microsoft’s monthly Patch Tuesday release. This month Microsoft addressed a total of 57 vulnerabilities, six of which are confirmed to have been actively exploited prior to patch release. Organizations are strongly recommended to review the full Microsoft release and apply all relevant security patches.

In the March Microsoft Patch Tuesday release, the company disclosed a total of 57 vulnerabilities, a slight increase compared to the February release. Out of the 57 vulnerabilities, six are rated Critical, 50 are rated Important. Twenty-three of the addressed vulnerabilities are related to remote code execution and privilege escalation. The six confirmed exploited vulnerabilities are as follows:

eSentire Threat Intelligence Analysis:

Organizations are strongly recommended to review the full Patch Tuesday release and apply all relevant security patches. Vulnerabilities confirmed to be exploited, and vulnerabilities in Internet-facing applications, should be prioritized due to the risk they pose. Where a vulnerability was exploited before the patch was available, Endpoint Detection and Response (EDR) capabilities can act as a stop-gap by identifying the known techniques and tools employed after compromise.

Details about the real-world exploitation of these vulnerabilities have not been publicly released, except for CVE-2025-24983, which was observed being exploited to deliver the PipeMagic backdoor. PipeMagic is an advanced backdoor first discovered by Kaspersky in 2022; in October 2024 it was identified impacting organizations in Saudi Arabia. The malware has not been attributed to a specific threat actor. However, the use of a zero-day vulnerability for distribution and its limited targeting suggest a sophisticated and potentially state-sponsored actor.

USB-based attacks are an effective initial infection vector because they bypass network-based defenses and exploit human behavior, typically relying on malicious files disguised as legitimate content on a removable drive. To defend against CVE-2025-24984, organizations should educate users about the risks of connecting unknown USB devices to corporate computers and enable application control to block execution of unauthorized files.

As a user must open a malicious file to trigger CVE-2025-26633, organizations should implement Phishing and Security Awareness Training (PSAT) to help employees recognize suspicious or malicious files.

The eSentire Threat Intelligence team is actively tracking the vulnerabilities from this release for additional details and detection opportunities. Outside of zero-days, it is recommended to prioritize the patching of vulnerabilities in Internet-facing applications. These flaws are high value to threat actors, as they may enable initial access into victim companies. Vulnerability management services can aid in the identification and remediation of high-priority vulnerabilities. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to the recently disclosed zero-day vulnerabilities.

China-Nexus Espionage Actor UNC3886 Targets Juniper Routers

Bottom Line: Mandiant has identified a Chinese APT group compromising End-of-Life edge devices to gain stealthy, long-term persistence in Asia- and U.S.-based organizations for espionage purposes.

On March 12th, researchers from Mandiant released a long-form report on activity they have attributed to a Chinese state-sponsored APT group. In mid-2024, Mandiant identified multiple custom backdoors deployed across compromised Juniper Junos OS routers. All of the impacted routers had reached End-of-Life (EoL) status and are no longer supported by Juniper.

The activity is attributed to the suspected Chinese APT group UNC3886. The group has been observed targeting a variety of sensitive industries in Asia and the U.S., including defense, technology, and telecommunication. UNC3886 is considered to be highly sophisticated; they have a history of exploiting zero-day vulnerabilities and creating custom malware.

In the recent campaign, legitimate credentials were used to access a terminal server that managed network devices; how the threat actors originally obtained these credentials is unclear. With this access they deployed custom variants of the TINYSHELL backdoor on Junos OS routers. To avoid detection, the malicious code was injected into legitimate processes. The deployed malware included both active and passive backdoor functions, enabling stealthy persistence in victim environments, and was capable of file upload and download and of establishing a remote shell. The goal of this activity is believed to be gaining and maintaining long-term access to victim organizations, which can be used at a later date for espionage-related activity.

eSentire Threat Intelligence Analysis:

The activity reported on by Mandiant is notable due to the lengths that UNC3886 went to avoid detection. By targeting edge devices, like Juniper routers, UNC3886 is attempting to operate in areas that lack security controls such as network monitoring and Endpoint Detection and Response (EDR) agents. Additionally, by only compromising EoL routers, they avoid the risk of updates leading to identification or removal of their persistence mechanisms.

Similar tactics were employed by UNC3886 in previous campaigns in 2022 and 2023. The group is expected to continue with the tactic of targeting unmonitored edge devices like routers. It should be noted that these tactics are not unique to UNC3886. Other Chinese state-sponsored threat actors have carried out similar attacks, such as APT41, APT31, and Volt Typhoon, which were all identified targeting Sophos firewalls.

To prevent similar activity, it is critical that organizations replace all EoL routers with supported, maintained alternatives and secure management access to network devices with Multi-Factor Authentication (MFA). As these groups have a history of exploiting vulnerabilities, a vulnerability management program must be in place to identify and prioritize remediation of known flaws. The most recent version of Junos OS includes the Juniper Malware Removal Tool (JMRT), which organizations can run to scan devices for malware; based on Mandiant’s research, its signatures have been updated to identify malware associated with UNC3886. Organizations are also encouraged to review network devices and ensure security monitoring covers them, and to segment networks to limit the potential for lateral movement.

In recent cases, Mandiant has not observed any data exfiltration activity in attacks, leading to the conclusion that the goal of this activity is to maintain stealthy and persistent access over a long period of time. This access may be employed at a later date for a variety of purposes including information theft. In past Chinese APT activity targeting the U.S., Volt Typhoon was identified establishing long term persistence in critical infrastructure organizations, with the suspected goal of performing “disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States”.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
