In the first part of this blog post, Stephan Berger, Senior Cyber Security Analyst at InfoGuard CSIRT, used two cases to show the continuing latent threat of ransomware. In the second part, you will read about four more exciting insights from his work, which he presented at the Swiss Cyber Storm.
As explained in the previous article, observations, experience and lessons learned from past incidents are enormously important to the work of our InfoGuard Incident Response Team. Takeaways from phishing and MalDoc attacks, vulnerability exploitation (ProxyLogon), and attacks via exposed RDP ports and remote desktop solutions have already been analysed in detail. What happens once attackers have gained access to internal networks, and what can we learn from this?
After the initial compromise and the creation of backdoors, attackers usually start reconnaissance of the network in order to locate open shares and other computers they can connect to. Traditionally, network scanners are used for this task (Fig. 7).
Fig. 7: Network scanner
Interestingly, our InfoGuard team has handled several cases where an observant system administrator noticed that the CPU load on a critical server was higher than usual. When the running processes were checked, the network scanner, which the attackers had started via a compromised account, stood out.
Before the network is encrypted, it is not uncommon for attackers to steal data first so that they can extort the company twice over. Firstly, the network is encrypted and the attackers are the only ones holding the key to decrypt it. Secondly, the attackers are in possession of the company's potentially sensitive data and frequently threaten to publish it on the internet.
Fig. 8: Two well-known upload platforms (MEGA & Yandex)
We have seen data exfiltration to one of the two platforms MEGA and Yandex in many of the cases we have investigated. To do this, the attackers used the platforms' own official client software, which makes it easy to upload data to the corresponding service. Of course, uploading requires an account in the form of a username and password. In several cases, our incident response team was able to recover valid credentials from the system from which data had been uploaded to platforms like these. As can be seen in Figure 9, we were able to log into the attackers' account and therefore understand in detail what data had been stolen.
Fig. 9: Attacker Account with Stolen Data
Firstly, this knowledge is very valuable in negotiations with the attackers. For example, the stolen data might not have been that sensitive, which means that publishing it would not be "extremely" critical for the company. Secondly, working together with the police, this account can be blocked in order to take away the attackers' control over the data.
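Uploads through the official MEGA and Yandex clients still have to leave the network, so egress or proxy logs can surface them early. The following Python example is added here and is not code from the original post: it sums bytes sent per client and platform over constructed proxy log lines (the log format, the domain-suffix list and the 500 MiB threshold are assumptions) and reports sources that pushed a bulk volume to either platform.

```python
from collections import defaultdict

# Constructed sample proxy log lines (not from the original post). Fields:
# <timestamp> <src_ip> <user> <dest_host> <bytes_sent>
SAMPLE_PROXY_LOG = """\
2021-10-05T22:14:03 10.1.4.23 CORP\\jdoe gfs270n215.userstorage.mega.co.nz 734003200
2021-10-05T22:19:41 10.1.4.23 CORP\\jdoe gfs270n215.userstorage.mega.co.nz 1258291200
2021-10-05T22:21:09 10.1.4.23 CORP\\jdoe www.mega.nz 1024
2021-10-05T23:02:17 10.1.7.101 CORP\\msmith disk.yandex.ru 419430400
2021-10-05T23:05:33 10.1.7.101 CORP\\msmith www.microsoft.com 5120
2021-10-06T08:11:08 10.1.9.55 CORP\\backup webdav.yandex.ru 2048
"""

# Domain suffixes of the two upload platforms named in the post (assumed list;
# extend it from your own proxy data).
UPLOAD_PLATFORMS = {
    "MEGA": ("mega.nz", "mega.co.nz"),
    "Yandex": ("yandex.ru", "yandex.net", "yandex.com"),
}

UPLOAD_THRESHOLD_BYTES = 500 * 1024 * 1024  # 500 MiB per source and platform (assumed)


def classify_host(host):
    """Return the platform name for a destination host, or None if it is not one."""
    host = host.lower()
    for name, suffixes in UPLOAD_PLATFORMS.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return name
    return None


def find_bulk_uploads(log_text, threshold=UPLOAD_THRESHOLD_BYTES):
    """Sum bytes sent per (src_ip, user, platform); return the tuples over threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line, skip rather than crash the triage run
        _ts, src_ip, user, host, sent = parts
        platform = classify_host(host)
        if platform is None:
            continue
        totals[(src_ip, user, platform)] += int(sent)
    return sorted(
        (src, user, plat, total)
        for (src, user, plat), total in totals.items()
        if total >= threshold
    )
```

Lowering the threshold trades noise for earlier warning; the value that fits depends on how much legitimate cloud-storage traffic the environment sees.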
In the majority of our investigations, we found that the anti-virus agent deployed in the compromised network had detected and/or prevented one or more steps taken by the attackers. However, the anti-virus logs were either not analysed at all or it was done too late. Anti-virus solution findings can be used effectively as an early warning system and may be able to detect a compromise at an earlier stage.
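To use anti-virus findings as an early warning system they have to be read with the attacker's workflow in mind: a hacking tool or scanner caught on a server, or a detection the agent could only log but not block, weighs more than a quarantined adware hit. The Python example below is added here and is not code from the original post; it parses constructed AV log lines (format, category weights and alert threshold are assumptions) and scores each host over the 24 hours ending at its latest detection.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample AV log lines (not from the original post). Fields:
# <timestamp>;<host>;<threat name>;<action taken by the agent>
SAMPLE_AV_LOG = """\
2021-10-04T09:12:00;FILESRV01;HackTool:Win32/NetScan;Quarantined
2021-10-04T09:40:12;FILESRV01;HackTool:Win32/CredDump;Blocked
2021-10-04T10:02:45;FILESRV01;Ransom:Win32/Encryptor;Blocked
2021-10-04T11:30:00;WS-0231;Adware:Win32/Toolbar;Quarantined
2021-10-01T08:00:00;WS-0457;Trojan:Win32/Dropper;Quarantined
2021-10-04T08:10:00;WS-0457;Trojan:Win32/Dropper;Allowed
"""

# Threat-name prefixes that usually mean someone is already working inside the
# network rather than a drive-by infection. Weights are an illustrative assumption.
CATEGORY_WEIGHTS = {"HackTool": 5, "Ransom": 5, "Trojan": 2, "Adware": 0}
# An action the agent could not enforce is worth a look on its own.
ACTION_WEIGHTS = {"Allowed": 3, "Detected": 2, "Blocked": 0, "Quarantined": 0}


def parse_av_log(text):
    """Return a list of (timestamp, host, threat, action) tuples; skips malformed lines."""
    events = []
    for line in text.splitlines():
        fields = line.split(";")
        if len(fields) != 4:
            continue
        ts, host, threat, action = fields
        events.append((datetime.fromisoformat(ts), host, threat, action))
    return events


def score_hosts(events, window=timedelta(hours=24), alert_threshold=5):
    """Score each host over the window ending at its latest detection.
    Returns {host: score} for hosts at or above alert_threshold."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort()
        latest = evs[-1][0]
        recent = [e for e in evs if latest - e[0] <= window]
        score = 0
        for _ts, _host, threat, action in recent:
            category = threat.split(":", 1)[0]
            score += CATEGORY_WEIGHTS.get(category, 1) + ACTION_WEIGHTS.get(action, 0)
        if len(recent) >= 2:  # several distinct detections within a day is itself a signal
            score += 2
        if score >= alert_threshold:
            alerts[host] = score
    return alerts
```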
Fig. 10: Antivirus analysis Cheat Sheet (Source: Nextron Systems)
During an incident - or preferably before - it is advisable to carry out an in-depth analysis of the Active Directory environment. InfoGuard, for example, can provide an in-depth examination of environments like these. One freely available tool for analysing the critical points is "Ping Castle".
Saved passwords in group policies are one of the critical issues that our incident response team regularly comes across (Fig. 11).
Fig. 11: Saved passwords in group policies
In this case, the user "support" pictured here was one of several administrators in the corresponding domain. Starting from an unprivileged user, an attacker could obtain the highest privileges in the network within a short time. Such simple "privilege escalations" must be avoided at all costs so that the bar is set as high as possible for an attacker.
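Passwords stored in group policies live in preference XML files under SYSVOL, where any domain user can read them, so an administrator can audit for them without any special tooling. The following Python example is added here and is not code from the original post or from Ping Castle: it walks a copy of SYSVOL, reports every preference element that still carries a cpassword attribute and the account it belongs to, and builds a constructed SYSVOL layout (GUIDs, account names and the placeholder password value are all invented) to run against. It only locates the entries; the remediation is to remove the passwords from the policy and reset the affected accounts.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Group Policy Preference files that may carry a cpassword attribute (lower-cased).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}
# Attribute that names the account, depending on the preference type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_gpp_passwords(sysvol_root):
    """Walk a SYSVOL copy and report every element that still carries cpassword.
    Returns a sorted list of (relative file path, element tag, account name)."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # a corrupt preference file still deserves a manual look
            for elem in root.iter():
                if "cpassword" not in elem.attrib:
                    continue
                account = next((elem.attrib[a] for a in ACCOUNT_ATTRS
                                if a in elem.attrib), "?")
                rel = os.path.relpath(path, sysvol_root).replace(os.sep, "/")
                findings.append((rel, elem.tag, account))
    return sorted(findings)


def build_sample_sysvol():
    """Create a constructed SYSVOL layout (sample data, not from a real domain)."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    groups = os.path.join(root, "Policies", "{11111111-2222-3333-4444-555555555555}",
                          "Machine", "Preferences", "Groups")
    os.makedirs(groups)
    with open(os.path.join(groups, "Groups.xml"), "w") as fh:
        fh.write('<Groups><User name="support"><Properties action="U" '
                 'userName="support" cpassword="PLACEHOLDER_CPASSWORD"/></User></Groups>')
    drives = os.path.join(root, "Policies", "{66666666-7777-8888-9999-000000000000}",
                          "User", "Preferences", "Drives")
    os.makedirs(drives)
    with open(os.path.join(drives, "Drives.xml"), "w") as fh:  # clean mapping, no password
        fh.write('<Drives><Drive name="H:"><Properties action="U" '
                 'path="\\\\fs\\home" userName=""/></Drive></Drives>')
    return root
```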
As you can see, the threat of ransomware is anything but a thing of the past. Attackers are organising themselves in a professional way and are constantly refining their attack techniques. It is a major challenge for companies to keep up with this dynamic, and these days it is almost impossible for them to manage it alone. That’s exactly why we developed our Incident Response (IR) Retainer.
You can count on the rapid expert support of our experienced CSIRT in the event of a security incident. This includes not only tracking down the attackers and isolating them as quickly as possible, but also analysing the damage from our Cyber Defence Center, helping to restore normal operations and taking care of the obligation to report a security incident under GDPR requirements.