Update, March 31, 2025: This story, originally published March 29, has been updated with further Medusa mitigation advice from the FBI as well as additional comment from Boris Cipot, and a report into another “as a service” threat, this time Morphing Meerkat, a phishing operation which uses DNS over HTTPS to escape detection.
There have been plenty of headlines generated by the recent Medusa ransomware attacks that have run riot, provoking the Federal Bureau of Investigation into issuing a critical security advisory, and adding to the massive surge in ransomware during the first quarter of 2025. One that I didn’t see coming, let alone think I would be writing myself, was a warning about time-traveling hackers on the back of the FBI warning. But here we are.
How Time Travel And The FBI Are Mixed Up In Medusa Attacks
Let’s start with a quick recap of the Medusa ransomware attacks at the heart of this story. Medusa, which is known to have impacted at least 300 critical infrastructure targets, uses social engineering and unpatched software vulnerabilities as part of the exploit campaign. As we are about to discover, that’s not all it uses. For the FBI outline of tactics, techniques and procedures, indicators of compromise, and detection methods associated with the Medusa attacks, refer to FBI cybersecurity advisory AA25-071A.
Quite a lot of technical information regarding the Medusa malware has come to light since that FBI alert was raised, however, including methods used to disable anti-malware protections as I reported March 22. Now, that technical detail has taken an unexpected twist: time travel.
Boris Cipot, a senior security engineer at Black Duck, told me how Medusa attackers are creatively abusing system misconfigurations in their efforts to bypass security controls. “In this case,” Cipot said, “the issue lies with the date or the possibility to change it.” This time travel hacking technique is as simple as it is ingenious. The attackers in question have, Cipot explained, a security certificate that is used to sign a driver, but that certificate was valid back in 2012, not now. A driver signed with a certificate that expired 13 years ago is of little use to anyone trying to infiltrate a system today unless, that is, you can act like Cher and turn back time. “The malware is effectively changing the system date to a time when the certificate,” Cipot continued, “which signed a certain driver, was still valid.” Because the system date has been rolled back, the driver’s expired certificate is now seen as perfectly valid, and the driver is accepted and loaded like any other.
Mitigating The Time Travel Hackers According To Boris
To mitigate this kind of time travel hackery, Cipot said, “organizations need a combination of best-in-class endpoint protection, strict policy enforcement, and proactive monitoring.” The detection of system configuration changes is also essential, as it’s the system time changes that proved central to the failure of security protections in the case of the Medusa attacks. “Additionally,” Cipot said, “Windows should be configured to enforce strict revocation checks for signed drivers, blocking the expired certificates.”
Cipot also warned that many of Microsoft’s out-of-the-box security features end up disabled, most commonly for convenience or to allow older software and drivers to run without complaint. The problem is that attackers are far from stupid and already know this. “If the software is blocked because it is old, and the certificates with which it has been signed have expired,” Cipot said, “then this software cannot run on a production system.” Cipot told me that he highly recommends users do not switch the security features off, and furthermore don’t avoid patching just to keep old vulnerable software running. “In the end,” Cipot concluded, “the risk potential simply is not worth it.”
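Two of Cipot’s recommendations, detecting system time changes and not trusting the local clock when judging a signing certificate, can be turned into concrete checks. The example below is added here and is not code from the article, the FBI or Black Duck. It runs over a constructed handful of records shaped like Windows Security event 4616 (“The system time was changed”) and flags any event that moved the clock backwards by more than a few minutes, then models the certificate check the article calls for by deciding validity against a trusted time reference rather than the local clock. The certificate class, the 2012 validity window, the process paths and the 4616 records are all constructed for the example; the acceptance logic models the behaviour as the article describes it and is not a model of Windows’ actual code-integrity policy.

```python
"""Added example (not from the article, the FBI or Black Duck): spotting a
clock rollback in Windows Security event 4616 records, and validating a
signing certificate's window against a trusted time source instead of the
local clock."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records, shaped like the fields of Windows Security
# event 4616 ("The system time was changed"). The second record models the
# rollback the article describes: a process moves the clock from 2025 to 2012.
SAMPLE_EVENTS = [
    {"EventID": 4616, "PreviousTime": "2025-03-29T10:00:05Z",
     "NewTime": "2025-03-29T10:00:06Z",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 4616, "PreviousTime": "2025-03-29T10:03:12Z",
     "NewTime": "2012-06-15T09:00:00Z",
     "ProcessName": "C:\\Users\\Public\\loader.exe"},   # constructed path
    {"EventID": 4624, "TargetUserName": "alice"},       # unrelated logon event
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_clock_rollbacks(events, max_backward=timedelta(minutes=5)):
    """Return every 4616 event that moved the clock backwards by more than
    max_backward. Small negative adjustments (e.g. NTP corrections) are ignored."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4616:
            continue
        previous = parse_ts(ev["PreviousTime"])
        new = parse_ts(ev["NewTime"])
        if new - previous < -max_backward:
            alerts.append({
                "process": ev.get("ProcessName", "?"),
                "rolled_back_days": (previous - new).days,
                "new_time": new.isoformat(),
            })
    return alerts


@dataclass(frozen=True)
class SigningCert:
    """Minimal stand-in for a code-signing certificate's validity window."""
    subject: str
    not_before: datetime
    not_after: datetime


def cert_valid_at(cert: SigningCert, when: datetime) -> bool:
    return cert.not_before <= when <= cert.not_after


def evaluate_driver_signature(cert, local_clock, trusted_clock):
    """Decide on the trusted time (e.g. an authenticated NTP source) and raise
    a separate alarm when the local clock disagrees with it by more than a day,
    which is exactly the condition a rollback creates."""
    skew = abs(local_clock - trusted_clock)
    return {
        "accept": cert_valid_at(cert, trusted_clock),
        "local_clock_would_accept": cert_valid_at(cert, local_clock),
        "clock_tampering_suspected": skew > timedelta(days=1),
    }


# Constructed certificate: valid only during 2012, as in the article's scenario.
OLD_CERT = SigningCert("CN=Example Driver Publisher (constructed)",
                       datetime(2012, 1, 1, tzinfo=timezone.utc),
                       datetime(2012, 12, 31, tzinfo=timezone.utc))


def rollback_scenario_verdict():
    """The article's scenario: local clock rolled back to 2012, trusted time 2025."""
    return evaluate_driver_signature(
        OLD_CERT,
        local_clock=datetime(2012, 6, 15, 9, tzinfo=timezone.utc),
        trusted_clock=datetime(2025, 3, 29, 10, tzinfo=timezone.utc))


if __name__ == "__main__":
    for alert in find_clock_rollbacks(SAMPLE_EVENTS):
        print("clock rollback:", alert)
    print("driver signature verdict:", rollback_scenario_verdict())
```

The point of the second half is that a check which consults only the local clock accepts the 2012 certificate once the clock has been rolled back, while the same check against a trusted time source rejects it and, because the two clocks disagree by years, also flags the machine for investigation.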
Morphing Meerkat Not Yet On The FBI Radar, But A Threat To Watch
The whole rental of cybercrime technology to any attacker with the money and motivation extends way beyond just the ransomware threat seen exploited by the likes of Medusa. How about phishing-as-a-service, for example? It has been revealed that one new player on the block, known as Morphing Meerkat, is using clever methods to evade being detected. Here’s what you need to know.
Bleeping Computer has reported that the newly uncovered platform leverages both DNS over HTTPS for detection evasion and DNS email exchange records to “identify victims’ email providers and to dynamically serve spoofed login pages for more than 114 brands.” Those brands include the likes of Gmail, Outlook and Yahoo, to name but a few and illustrate the level of danger this phishing-as-a-service operation poses. Obviously, as with Medusa, any kind of threat technology that is rented out to anyone with the cash but without any requirement for genius technology skills is worrisome, to say the least. Morphing Meerkat certainly falls into this category. It provides, Bleeping Computer warned, “a complete toolkit for launching effective, scalable, and evasive phishing attacks.”
For me, it’s the evasive part of the attack equation that is of most concern, not least down to the type of sophisticated methods being employed. By using, or rather abusing, the DNS over HTTPS protocol, the attackers can do a pretty good job of hiding their true intent.
Let’s hand over to Dirk Schrader, a vice-president of security research at Netwrix, for the explanation. The DoH protocol encrypts DNS queries using the HTTPS protocol which, as most everyone knows by now, secures communications over the web. “By embedding DNS queries within the overall encrypted data traffic between a client and a server,” Schrader said, “it prevents third parties from seeing what websites you are trying to access.” That is a significant privacy advantage for users, and the irony, of course, is that from the security perspective it’s meant to help “protect against certain cyber-attacks, such as DNS spoofing or eavesdropping.” To mitigate such attacks, you need to look to your DNS controls to prevent users’ devices from communicating with public DoH servers directly, so that name resolution stays on resolvers you can see and manage.
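The DNS control Schrader points to starts with being able to see DoH traffic at all. The example below is added here and is not code from the article, Bleeping Computer or Netwrix. It runs over a constructed sample of proxy log lines and flags requests that look like DNS over HTTPS as defined in RFC 8484: a known public resolver hostname, the default `/dns-query` path, the `application/dns-message` media type, or a base64url-encoded query in a `dns=` parameter (the sample uses the RFC’s own example query for www.example.com). The hostnames listed are real public resolvers, but the list is a starting point, not a complete one; the log format, client addresses and the internal resolver name are constructed.

```python
"""Added example (not from the article, Bleeping Computer or Netwrix): flag
requests in constructed proxy log lines that look like DNS over HTTPS
(RFC 8484), so DNS that bypasses the corporate resolver becomes visible and
the endpoints involved can be added to a deny policy."""
import csv
import io
from urllib.parse import parse_qs, urlsplit

# Public DoH resolver hostnames that exist; a starting list, not a complete one.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com",
                   "mozilla.cloudflare-dns.com", "dns.quad9.net"}

# Constructed proxy log sample: timestamp, client, method, url, content_type.
# The dns= value on the third line is the RFC 8484 example query for www.example.com.
SAMPLE_LOG = """\
ts,client,method,url,content_type
2025-03-29T09:01:00Z,10.0.0.12,GET,https://www.example.com/index.html,text/html
2025-03-29T09:01:03Z,10.0.0.12,POST,https://dns.google/dns-query,application/dns-message
2025-03-29T09:01:04Z,10.0.0.17,GET,https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB,-
2025-03-29T09:01:09Z,10.0.0.21,GET,https://resolver.internal.example/dns-query,application/dns-message
2025-03-29T09:01:10Z,10.0.0.12,GET,https://www.example.com/dns-query-faq.html,text/html
"""


def classify_request(method: str, url: str, content_type: str):
    """Return the reasons a request looks like DoH; an empty list means clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in KNOWN_DOH_HOSTS:
        reasons.append("known public DoH resolver")
    if parts.path == "/dns-query":
        reasons.append("RFC 8484 default path")
    if content_type.lower() == "application/dns-message":
        reasons.append("DNS wire-format media type")
    if method.upper() == "GET" and "dns" in parse_qs(parts.query):
        reasons.append("base64url DNS message in query string")
    return reasons


def find_doh_flows(log_text: str, internal_resolvers=frozenset()):
    """Scan CSV proxy log text; skip sanctioned internal DoH endpoints."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        host = (urlsplit(row["url"]).hostname or "").lower()
        if host in internal_resolvers:
            continue  # a corporate resolver you control and can monitor
        reasons = classify_request(row["method"], row["url"], row["content_type"])
        if reasons:
            hits.append({"client": row["client"], "host": host, "reasons": reasons})
    return hits


def blocklist_from_hits(hits):
    """Hostnames to add to the DNS/proxy deny policy."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    found = find_doh_flows(SAMPLE_LOG, internal_resolvers=frozenset({"resolver.internal.example"}))
    for hit in found:
        print(hit)
    print("deny:", blocklist_from_hits(found))
```

Two design points: the `/dns-query` match is on the exact path, so an ordinary page whose name merely contains the string is not flagged, and the internal-resolver allowlist exists because the goal is not to ban DoH but to make sure it terminates on resolvers the organisation can see.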
Mitigating The Time Travel Hackers According To The FBI
Meanwhile, back to the Medusa ransomware threat, the FBI has stated that two-factor authentication for all services should be enabled where possible, but in particular for webmail such as Gmail, Outlook and others, along with virtual private networks and any accounts that can access critical systems.
The FBI has also advised users to employ long passwords on all accounts that require them and recommended that administrators refrain from imposing a requirement for frequent password changes, as these can do more harm than good. The FBI said all operating systems must be kept up to date alongside software and firmware updates. Patching should be prioritized when it comes to those internet-facing systems where a known vulnerability is concerned.
Further Medusa mitigation advice from the FBI included:
- The identification, detection, and investigation of any abnormal activity that could indicate a potential network traversal of the ransomware.
- The monitoring of systems for unauthorized scanning and access attempts.
- Filtering of network traffic to prevent unknown or untrusted actors from accessing remote services on internal systems.
- The auditing of all user accounts that have administrative privileges, configuring all access controls according to the principle of least privilege.
- And, finally, the disabling of command-line and scripting activities and permissions along with all unused ports.
My advice? Listen to both the FBI and Boris, as they know what they are talking about. Ooh, and don’t wait for Medusa to strike, act today, or your systems could get attacked by hackers from 2012.