The threat landscape is dominated by e-crime actors who no longer rely solely on exploits but prioritize Identity as the new perimeter. CrowdStrike's recent analysis highlights two significant adversaries: CORDIAL SPIDER (the operators behind Medusa ransomware) and SNARKY SPIDER (the operators behind ALPHV/BlackCat). Both groups have aggressively pivoted to Adversary-in-the-Middle (AiTM) phishing and credential theft to bypass traditional MFA controls.
For defenders, this shift is critical. The perimeter has effectively collapsed. We are no longer just blocking IP addresses; we are validating user sessions and detecting lateral movement that looks suspiciously like legitimate admin activity. This breakdown focuses on the TTPs of these specific spiders and provides actionable detection logic and hardening steps to stop them.
Technical Analysis
Affected Products & Platforms:
- Identity Providers (IdP): Microsoft Entra ID (Azure AD), Okta (frequent targets for session hijacking).
- Endpoints: Windows 10/11, Server 2019/2022 (targets for credential dumping and ransomware execution).
- Security Tools: CrowdStrike Falcon (specifically Falcon Identity Shield and Falcon Complete).
Threat Actor Overview:
- CORDIAL SPIDER (Medusa): Known for aggressive double-extortion tactics. They typically gain initial access via phishing campaigns that harvest session tokens, allowing them to bypass MFA. Once inside, they move laterally using valid credentials and deploy the Medusa ransomware payload.
- SNARKY SPIDER (ALPHV/BlackCat): A sophisticated Rust-based ransomware operation. They are highly adept at living off the land (LotL) and often use tools like
ImpacketandCobalt Strikefor lateral movement and credential dumping.
Attack Chain (Defender's Perspective):
- Initial Access: AiTM phishing pages capture credentials and session tokens (e.g., Azure AD session cookies).
- Persistence: The actors add new devices to the trusted platform or configure Conditional Access policies to maintain access.
- Privilege Escalation: They dump LSASS memory or query Active Directory for sensitive groups using
ADFindto find domain admin credentials. - Defense Evasion: Use of living-off-the-land binaries (LOLBins) like
powershell.exeencoded commands to disable security logging. - Execution: Ransomware deployment and deletion of shadow copies (
vssadmin delete shadows).
Exploitation Status:
- Status: Confirmed active exploitation.
- CVE: No specific zero-day CVE is the primary vector; the abuse relies on identity manipulation (session hijacking) and valid credentials. However, these actors are known to exploit unpatched VPN appliances if identity attacks fail.
Detection & Response
The following detection logic focuses on the key TTPs of Cordial and Snarky Spiders: credential dumping via Rubeus or LSASS manipulation, and the classic ransomware precursor of deleting Volume Shadow Copies.
Sigma Rules
---
title: Potential LSASS Memory Dump via Rasky or Dumpert
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects potential access to LSASS memory consistent with credential dumping tools used by Snarky Spider actors.
references:
- https://attack.mitre.org/techniques/T1003/001/
author: Security Arsenal
date: 2024/05/20
tags:
- attack.credential_access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\rundll32.exe'
- '\comsvcs.dll'
CommandLine|contains:
- 'MiniDump'
- '#24'
condition: selection
falsepositives:
- Legitimate debugging by administrators (rare)
level: high
---
title: Ransomware Prep - Shadow Copy Deletion
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects commands used to delete Volume Shadow Copies, a common step by Cordial Spider (Medusa) before encryption.
references:
- https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2024/05/20
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\vssadmin.exe'
- '\wbadmin.exe'
CommandLine|contains:
- 'delete shadows'
- 'delete backup'
condition: selection
falsepositives:
- System administration tasks (rare in production)
level: critical
KQL (Microsoft Sentinel)
This query hunts for potential AiTM activity or token manipulation by looking for impossible travel scenarios combined with sensitive resource access.
let RiskScoreThreshold = 50;
IdentityLogonEvents
| where ActionType == "LogonSuccess"
| project Timestamp, AccountUpn, AccountObjectId, DeviceDetail, Location, RiskDetails
| evaluate basket(0.5, Timestamp, 1h, AccountUpn, tostring(Location))
| where basket_count > 1
| join kind=inner (
IdentityQueryEvents
| where ActionType contains "Directory" or ActionType contains "Group"
) on AccountUpn
| project Timestamp, AccountUpn, Location, ActionType, Query
| order by Timestamp desc
Velociraptor VQL
Hunt for traces of the Medusa or ALPHV ransomware executables and common tools used by these actors for lateral movement (AnyDesk, Cobalt Strike beacons).
-- Hunt for suspicious processes and common remote admin tools
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name IN ('AnyDesk.exe', 'rundll32.exe', 'powershell.exe')
OR CommandLine =~ 'MiniDump'
OR Exe =~ '\\Temp\\'
AND Name =~ '.exe'
-- Supplement with file glob for known ransomware note patterns
SELECT FullPath, Size, Mtime
FROM glob(globs='/*/README.txt')
WHERE FullPath =~ '(Medusa|recovery)'
Remediation Script (PowerShell)
This script performs a triage check to identify potential indicators of compromise (IOCs) associated with these actors, such as new suspicious users or disabled security services.
# Write-Host "Starting Triad TTP Triage..."
# 1. Check for recently created users in privileged groups (last 24 hours)
$Date = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4720; StartTime=$Date} -ErrorAction SilentlyContinue |
Select-Object TimeCreated, Message | Format-List
# 2. Verify WinDefend/Sense service status
$Services = @('WinDefend', 'Sense', 'WdNisSvc')
foreach ($Svc in $Services) {
$Status = Get-Service -Name $Svc -ErrorAction SilentlyContinue
if ($Status) {
if ($Status.Status -ne 'Running') {
Write-Host "ALERT: Service $Svc is not running. Current state: $($Status.Status)"
}
} else {
Write-Host "WARNING: Service $Svc not found."
}
}
# 3. Check for Shadow Copy existence on C:
Write-Host "Checking for Shadow Copies..."
vssadmin list shadows
Remediation
To defend against Cordial Spider, Snarky Spider, and similar identity-focused adversaries, organizations must move beyond simple MFA to phishing-resistant authentication and rigorous session monitoring.
-
Implement Phishing-Resistant MFA:
- Enforce FIDO2/WebAuthn security keys for high-privileged accounts (Domain Admins, Global Admins). These keys cannot be phished via AiTM attacks.
- Disable legacy authentication protocols in your IdP (Microsoft Entra ID or Okta).
-
Configure Conditional Access Policies:
- Session Risk: Trigger Step-up authentication or block access when sign-in risk is Medium or High.
- Device Compliance: Require managed and compliant devices for access to sensitive data.
- Impossible Travel: Enable alerts for impossible travel conditions to detect session hijacking.
-
Identity Hygiene:
- Revoke all active refresh tokens for users suspected of being compromised. This effectively signs them out everywhere, forcing re-authentication against MFA controls.
- Review and reduce the number of Global Administrators to the absolute minimum (ideally 2-4).
-
Patch and Harden:
- Ensure all VPN gateways and remote access infrastructure are patched against known vulnerabilities (e.g., Citrix Bleed, Zerologon).
- Disable unused ports (RDP, SMB) from the internet.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.