Brute force or password spraying are not always the case. REvil affiliates may obtain valid account from various sources, for example, information stealers. For instance, REvil RaaS owners even bought KPOT stealer source code, so they can use it to benefit their affiliates.
Affiliates may exploit various vulnerabilities in public-facing applications and are known to use web-shells to maintain initial access. According to the media reports
, the threat actors may have obtained access to Acer network using ProxyLogon vulnerability in the company's Microsoft Exchange server – it's very common for those who exploit it to upload a web-shell to maintain access.
Once the initial foothold is gained, the threat actors commonly continue with obtaining additional credentials and internal reconnaissance.
Two most common network scanning tools observed during Group-IB's incident response engagements were Advanced IP Scanner and SoftPerfect Network Scanner. In some cases, affiliates downloaded these tools directly from the official websites, using compromised host. Detection tips:
The threat actors hardly rename network-scanning tools, so it's easy to search for file names or, if such tools are renamed, focus on the product names and descriptions, which still allow you to detect them.