Do you remember the first part of the “cyber-crime Advent story”? In it, we described the spear-phishing attack perpetrated on a customer. In this second part, you will discover how the hacker group subsequently succeeded in encrypting all the data and systems, paralysing production operations in the process.
When the InfoGuard CSIRT (Computer Security Incident Response Team) arrived at the customer's premises in the middle of the night, it was already clear that confidential data had not only been stolen, but that the entire network had been encrypted as well. What followed looked like "game over", because the company's staff also began their working day with a big surprise: neither the office workstations nor the manufacturing facilities were available. The company had obviously fallen victim to a ransomware attack.
Experienced experts were needed to analyse and restore the entire operation. As a first step, our CSIRT contacted the attackers in order to establish what the blackmailers’ demands were and to verify that they really were the perpetrators. They were demanding around one million Swiss francs, to be paid in Bitcoin of course; otherwise, the blackmailers threatened to publish the data. This demand had to be taken seriously, as an excerpt of the stolen data had even been published briefly on the Darknet.
But how does stealing data and encrypting systems actually work? The initial phishing attack enabled the hacker group to create a backdoor that gave them permanent access to the corporate network. As if it weren't bad enough that the company itself had been infiltrated, further damage was revealed when the cyber-attack was discovered: one of the affected company's own customers had also fallen victim to Nephilim, and it seemed that this customer was even more severely affected. It was still not certain that the attacker had used our customer as a springboard. However, since the attacker had entered that network via a poorly secured, Internet-facing terminal server, this assumption was quite likely to be correct. The server had not been protected by multi-factor authentication, which was obviously very convenient for the attacker.
In 2019, Ryuk, Trickbot and Emotet were on everyone’s lips, whereas this year it is Conti and Nephilim (although the first group is still there causing mischief). In this case, Nephilim was the ransomware responsible for the strike.
After the backdoor had been installed, further malware in the form of "Trickbot" was uploaded. Trickbot's primary purpose is to steal login data for privileged domain admin accounts. This gave the attackers a virtual skeleton key for the targeted asset and allowed them to communicate with their Command & Control (C2) server at any time. Neither the company nor the affected administrator had any chance of detecting the password theft with the technical means at their disposal.
Now the attackers wanted to gather more information about the targeted network. This phase often runs completely in parallel with the collection phase, in which the attacker identifies and prepares data for the actual attack, for example a planned exfiltration, as was the case here. The attackers used well-known tools like "PsExec" and "wmi" to move laterally through the network and to establish "bridgeheads" in a targeted way. In the end, these are used to continue the attack from there.
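Both of the tools named above leave recognisable traces on the hosts they are used against: PsExec installs a service (by default named PSEXESVC) on the target, and remote WMI execution shows up as a shell spawned by the WMI provider host, WmiPrvSE.exe. The following script is an added example, not code from InfoGuard or from the incident described; it runs a simple detection over constructed Windows event records (the host names, user names and the dictionary-based record layout are assumptions) and reports which hosts received remote-execution activity and by which technique.

```python
"""Flag PsExec- and WMI-style remote execution in Windows event records (defender-side detection)."""
import ntpath
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class WinEvent:
    ts: str
    host: str
    event_id: int          # 7045 = service installed (System log), 4688 = process creation (Security log)
    data: Dict[str, str]   # selected event fields, keyed by their Windows field names

@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    technique: str
    detail: str

# Constructed sample records; hosts, users and times are invented, not taken from the incident.
SAMPLE_EVENTS = [
    WinEvent("2020-11-30T02:14:03", "SRV-FILE01", 7045,
             {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"}),
    WinEvent("2020-11-30T02:14:10", "SRV-FILE01", 4688,
             {"NewProcessName": "C:\\Windows\\System32\\cmd.exe",
              "ParentProcessName": "C:\\Windows\\PSEXESVC.exe", "SubjectUserName": "svc_backup"}),
    WinEvent("2020-11-30T02:20:41", "SRV-ERP02", 4688,
             {"NewProcessName": "C:\\Windows\\System32\\cmd.exe",
              "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "SubjectUserName": "da_admin"}),
    WinEvent("2020-11-30T08:00:00", "WS-0042", 4688,
             {"NewProcessName": "C:\\Windows\\System32\\notepad.exe",
              "ParentProcessName": "C:\\Windows\\explorer.exe", "SubjectUserName": "alice"}),
]

# Parent images that indicate a remotely initiated process, mapped to the technique name we report.
REMOTE_EXEC_PARENTS = {"psexesvc.exe": "psexec", "wmiprvse.exe": "wmi"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so paths with %SystemRoot% or drive letters compare alike."""
    return ntpath.basename(path).lower()

def detect_remote_execution(events: List[WinEvent]) -> List[Alert]:
    alerts: List[Alert] = []
    for e in events:
        if e.event_id == 7045:
            svc = e.data.get("ServiceName", "")
            img = e.data.get("ImagePath", "")
            # PsExec names its service PSEXESVC by default; since the name can be changed,
            # the binary name is checked as well.
            if svc.upper() == "PSEXESVC" or basename(img) == "psexesvc.exe":
                alerts.append(Alert(e.ts, e.host, "psexec", f"service {svc} installed from {img}"))
        elif e.event_id == 4688:
            parent = basename(e.data.get("ParentProcessName", ""))
            child = basename(e.data.get("NewProcessName", ""))
            if parent in REMOTE_EXEC_PARENTS and child in SHELLS:
                user = e.data.get("SubjectUserName", "?")
                alerts.append(Alert(e.ts, e.host, REMOTE_EXEC_PARENTS[parent],
                                    f"{child} spawned by {parent} as {user}"))
    return alerts

def hosts_by_technique(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Which hosts were reached by which remote-execution technique (sorted, de-duplicated)."""
    out: Dict[str, set] = {}
    for a in alerts:
        out.setdefault(a.technique, set()).add(a.host)
    return {t: sorted(h) for t, h in sorted(out.items())}

if __name__ == "__main__":
    for a in detect_remote_execution(SAMPLE_EVENTS):
        print(f"{a.ts} {a.host:<11} {a.technique:<7} {a.detail}")
    print(hosts_by_technique(detect_remote_execution(SAMPLE_EVENTS)))
```

The process-creation check relies on the parent image name being present in the record, which newer Windows versions include in event 4688 and which Sysmon process-creation events always carry; on hosts without either, only the 7045 service-installation path of the detector applies. Either way, a hit on a server from an account that has no business running remote shells there is exactly the kind of "bridgehead" activity worth investigating early.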
Our CSIRT was able to use firewall logs to reconstruct the first contact with the C2 server. This occurred just a few minutes before the actual attack. The "Cobalt Strike" attack framework was used for the C2 connections. The theft of sensitive company data and the network encryption happened very quickly. Just 15 minutes after the C2 server was first contacted, the first data was stolen. More files followed in the subsequent days. However, in order to ensure that the process remained largely undetected, the data volumes involved were relatively small.
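Reconstructing this timeline from firewall logs comes down to two questions: when did an internal host first talk to the C2 address, and which internal-to-external connections carried data out afterwards, even in deliberately small portions spread over several days. The script below is an added example, not InfoGuard's tooling or the customer's logs; it parses a constructed, simplified CSV export (the column layout, the TEST-NET addresses used for the C2 and exfiltration endpoints, and the 20 MB per-day threshold are all assumptions) and answers both questions.

```python
"""Reconstruct first C2 contact and low-and-slow exfiltration candidates from firewall logs."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log in a simplified CSV export format (not real customer data).
# Columns: timestamp, src_ip, dst_ip, dst_port, action, bytes_out
SAMPLE_LOG = """\
2020-11-30T01:55:00,10.0.5.21,203.0.113.10,443,allow,1200
2020-11-30T01:56:30,10.0.5.21,203.0.113.10,443,allow,980
2020-11-30T02:10:00,10.0.5.21,198.51.100.25,443,allow,52428800
2020-11-30T09:30:00,10.0.7.8,192.0.2.50,443,allow,4300
2020-12-01T02:12:00,10.0.5.21,198.51.100.25,443,allow,31457280
2020-12-02T02:08:00,10.0.5.21,198.51.100.25,443,allow,41943040
2020-12-02T02:09:00,10.0.5.21,203.0.113.10,443,deny,0
"""

# Internal address space is a configured list rather than ipaddress.is_private(),
# because the documentation ranges used in this sample would otherwise count as "private".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    action: str
    bytes_out: int

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_firewall_log(text: str) -> List[Flow]:
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, action, b = line.split(",")
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), action, int(b)))
    return flows

def first_contact(flows: List[Flow], dst_ip: str) -> Optional[datetime]:
    """Earliest flow (allowed or denied) from any internal host to dst_ip."""
    hits = [f.ts for f in flows if f.dst == dst_ip and is_internal(f.src)]
    return min(hits) if hits else None

def exfil_candidates(flows: List[Flow], daily_threshold: int, min_days: int) -> List[Tuple[str, str, int, int]]:
    """(src, dst, days_over_threshold, total_bytes) for internal->external pairs that exceed
    daily_threshold bytes on at least min_days distinct days. Per-day aggregation is what
    catches transfers kept deliberately small to stay below a single-connection alarm."""
    per_day: Dict[Tuple[str, str, object], int] = defaultdict(int)
    for f in flows:
        if f.action == "allow" and is_internal(f.src) and not is_internal(f.dst):
            per_day[(f.src, f.dst, f.ts.date())] += f.bytes_out
    days: Dict[Tuple[str, str], Set[object]] = defaultdict(set)
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for (src, dst, day), b in per_day.items():
        totals[(src, dst)] += b
        if b >= daily_threshold:
            days[(src, dst)].add(day)
    return sorted((src, dst, len(d), totals[(src, dst)])
                  for (src, dst), d in days.items() if len(d) >= min_days)

def minutes_to_first_upload(flows: List[Flow], c2_ip: str, daily_threshold: int, min_days: int) -> Optional[float]:
    """Minutes between first C2 contact and the first allowed flow to a flagged exfiltration endpoint."""
    c2 = first_contact(flows, c2_ip)
    if c2 is None:
        return None
    targets = {(s, d) for s, d, _, _ in exfil_candidates(flows, daily_threshold, min_days)}
    uploads = [f.ts for f in flows if (f.src, f.dst) in targets and f.action == "allow" and f.ts >= c2]
    return (min(uploads) - c2).total_seconds() / 60 if uploads else None

if __name__ == "__main__":
    flows = parse_firewall_log(SAMPLE_LOG)
    print("first C2 contact:", first_contact(flows, "203.0.113.10"))
    print("exfil candidates:", exfil_candidates(flows, 20 * 1024 * 1024, 2))
    print("minutes to first upload:", minutes_to_first_upload(flows, "203.0.113.10", 20 * 1024 * 1024, 2))
```

The per-day aggregation is the point of the example: a single 30 or 40 MB upload to an unknown host looks like routine traffic, but the same internal host sending a comparable amount to the same external address on three consecutive nights is the pattern described above. In the constructed data, the first upload follows the first C2 contact by exactly 15 minutes.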
The second part of the attack involved the encryption of systems throughout the entire corporate network. The attackers primarily targeted server systems. Starting from several domain controllers, they executed a large number of .bat scripts, which triggered the transfer of the malware, the deactivation of security solutions and the actual encryption process on other servers. You already know the outcome – what looked like "game over".
You are bound to agree with us that this is the worst-case scenario, and fingers crossed it will never happen to you! All the same, it makes sense to be prepared for it, because in a hectic situation like this, it is crucial to have a reliable, experienced partner. For one thing, there is usually a lack of internal expertise and of the resources needed to manage the situation in the right way, and for another, there are plenty of other jobs that need to be dealt with. On top of the technical hurdles, you also need to deal with customers, business partners and, last but not least, employees and possibly even the public.
The way you react to an incident is as important as the efforts you make to avoid it. We recommend that you train for this with a Table-Top-Exercise (TTX). This will help you to be better prepared and increase your reaction and recovery skills, should you ever fall victim to a hacker attack. Our cyber security and cyber defence experts are your perfect sparring partners! Our many years of experience with cyber incidents and TTX, as well as our comprehensive, cross-functional expertise, have enabled us to help a great many companies to prepare for a potential cyber-attack.
In the final and concluding part of our Advent story next Monday, you will find out whether or not the company survived the cyber-attack and was consequently able to recover its data and systems.