Effective division of labor or a breeding ground for cybercrime trainees? After a rather bumbling network infiltration, the professionals finally took over and deployed Lockbit ransomware. An unusual case has caught the attention of Sophos researchers.
Sophos has uncovered an unusual cyber attack: cybercriminals broke into a regional government server in the United States and stayed there for five months. During this time they used the server to search online for a mix of hacking and IT administration tools that could help them mount an attack. The attackers also installed a cryptominer before exfiltrating data and deploying Lockbit ransomware.
Attack lasted more than 5 months
The report "Attackers Linger on Government Agency Computers Before Deploying Lockbit Ransomware" describes the attack in full technical detail. The Sophos Incident Response Team, which contained and investigated the attack, believes that multiple attackers infiltrated the vulnerable server.
Andrew Brandt, Principal Security Researcher at Sophos, provides insight into the attack
“It was quite a chaotic attack. Working closely with the victim, Sophos' forensic teams were able to get a picture of the attack. At first, it seemed to be inexperienced cybercriminals who broke into the server, snooped around the web and used the compromised server to research pirated and free versions of hacking and legitimate admin tools. All of this served to prepare for the actual attack. Afterwards, they seemed uncertain about their next steps. About four months after the initial server incursion, the nature of the attack activity changed, in some cases drastically. At this point, you could expect cybercriminals with very different abilities to join the fight and uninstall the security software. They may have stolen data and encrypted files on various devices using Lockbit ransomware.”
Beginners give way, professionals take over
Sophos found that the initial entry point was an open Remote Desktop Protocol (RDP) port on a firewall configured for public access to a server. The criminals broke into the server in September 2021 and used the browser already installed on it to search online for legal and illegal tools. In some cases this search led the intruders to dubious download sites that delivered adware to the hacked server instead of the tools they were looking for.
The investigation showed a marked change in the attackers' behavior from mid-January 2022: the activity became more skilful and more targeted. The actors tried to remove the malicious cryptominer and uninstalled security software. In doing so, they exploited a gap the victim had accidentally left open after maintenance work, during which a protection function had been deactivated. They then collected and exfiltrated data and installed Lockbit ransomware. The attack was not a complete success, however: data encryption failed on some devices.
Block network access as much as possible
“If IT teams don't have external connection or remote access tools installed for a specific reason, then those tools shouldn't be present on any device on the corporate network. If such tools are nevertheless active, this indicates an ongoing or impending attack. Unexpected or unusual network activity, such as a network scan, is also a strong indicator that strangers have invaded the network. Repeated RDP login failures on devices that are only accessible from within the network also suggest a brute force tool that cyber gangsters are using to sneak into the corporate network,” says Brandt. “A robust, in-depth and active 24/7 defense can help to ensure that such attacks do not even take place or unfold in the corporate network. The most important first step is to keep the attacks away from the network, for example by using multi-factor authentication and a firewall configuration that blocks remote access to RDP ports without a VPN connection.”
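As an added illustration (not code from the Sophos report or from Brandt), the RDP indicator described above, repeated failed logons from one source followed by a success, expressed as a small detection over constructed Windows Security style records (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP); the `key=value` record format, the threshold and the time window are assumptions:

```python
from collections import defaultdict, deque
from datetime import datetime

RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP)

def parse_event(line):
    """Parse one constructed 'key=value' record into a dict (assumed format)."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return {"ts": datetime.fromisoformat(f["ts"]), "event_id": int(f["event_id"]),
            "logon_type": int(f["logon_type"]), "src": f["src"], "user": f["user"]}

def rdp_alerts(lines, threshold=5, window_s=300):
    """Flag RDP brute force: >= threshold failed RDP logons (4625) from one
    source within window_s seconds, and any later successful RDP logon (4624)
    from a source that was already flagged (a likely guessed password)."""
    failures = defaultdict(deque)  # src -> timestamps of recent failed logons
    flagged, alerts = set(), []
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # console, service and network logons are out of scope here
        src = ev["src"]
        if ev["event_id"] == 4625:
            q = failures[src]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()  # drop failures that fell outside the sliding window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, len(q)))
        elif ev["event_id"] == 4624 and src in flagged:
            alerts.append(("success_after_failures", src, ev["user"]))
    return alerts

# Constructed sample records (not from the Sophos report): one external host
# hammering RDP and then getting in, one internal user mistyping a password.
SAMPLE_LOG = [
    "ts=2022-01-15T02:00:01 event_id=4625 logon_type=10 src=198.51.100.23 user=administrator",
    "ts=2022-01-15T02:00:03 event_id=4625 logon_type=10 src=198.51.100.23 user=admin",
    "ts=2022-01-15T02:00:05 event_id=4625 logon_type=10 src=198.51.100.23 user=backup",
    "ts=2022-01-15T02:00:08 event_id=4625 logon_type=10 src=198.51.100.23 user=administrator",
    "ts=2022-01-15T02:00:10 event_id=4625 logon_type=10 src=198.51.100.23 user=svc_sql",
    "ts=2022-01-15T02:00:40 event_id=4624 logon_type=10 src=198.51.100.23 user=administrator",
    "ts=2022-01-15T08:15:00 event_id=4625 logon_type=10 src=10.0.0.5 user=jsmith",
    "ts=2022-01-15T08:15:20 event_id=4624 logon_type=10 src=10.0.0.5 user=jsmith",
    "ts=2022-01-15T09:00:00 event_id=4624 logon_type=2 src=- user=jsmith",
]

if __name__ == "__main__":
    for alert in rdp_alerts(SAMPLE_LOG):
        print(alert)
```

The single internal failure from 10.0.0.5 never reaches the threshold, so only the external source produces alerts; in a real deployment the records would come from the Security event log rather than a constructed list.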
Zero trust strategy would help
Companies can achieve a particularly high level of protection with a Zero Trust strategy, which rests on the principle that no device or user is ever trusted by default. Put simply, Zero Trust means: trust nothing and nobody (especially not a network) and verify everything. There is no automatic trust or distrust inside or outside the perimeter: every access request is verified, and the requesting device is checked for a sound state. In addition, users are granted access only to the resources and applications they need for their tasks.
More at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.