The Sophos Rapid Response Team reported two attacks by the Nefilim ransomware in which accounts of retired employees were used for attacks.
Sophos is releasing new insights into attacks investigated by its Rapid Response Team. The article “Nefilim Ransomware Attack Uses 'Ghost' Credentials” describes how unmonitored ghost accounts enabled two cyberattacks, one of which involved the Nefilim ransomware.
Four weeks in the system without being noticed
Nefilim, also known as Nemty ransomware, combines data theft with encryption. The attack on this target affected more than 100 systems. Sophos experts were able to trace the original intrusion to a high-level administrator account that the attackers compromised more than four weeks before the ransomware was released. During this time, the cybercriminals were able to move unnoticed through the network, steal credentials for a domain administrator account and exfiltrate hundreds of gigabytes of data before they released the ransomware and finally revealed their presence in the system.
The hacked administrator account that made all of this possible belonged to an employee who sadly passed away about three months earlier. The company had kept the account active as it was being used for a range of services.
“Ransomware is the final component in a longer attack. It is the attacker who ultimately reveals that they are already in control of a corporate network and have completed most of the attack,” said Peter Mackenzie, manager, Sophos Rapid Response Team. “If the ransomware had not actively disclosed its activities, how long do you think the attackers would have had domain admin access to the network without the company's knowledge?”
Beware of “forgotten” accounts and access rights
A danger here is not just keeping stale and unmonitored accounts active, but also giving employees more access rights than they need. “Companies erroneously assume that someone who holds a managerial position or is responsible for the network must use a domain admin account,” said Mackenzie. His advice: “No account with privileges should be used by default for work that doesn't require that level of access. Users should use the required accounts only when necessary and only for that task.”
Also, alerts should be configured to fire when a domain admin account is in use or when a new admin account is created. A previous case handled by the Rapid Response Team confirms this point. There, an attacker gained access to a company's network, created a new user and added that account to the “Domain Admins” group in Active Directory. Since no alerts were raised, the new domain administrator account was then used to delete about 150 virtual servers and encrypt the server backups with Microsoft BitLocker.
This is how secure account management works
If an organization still needs an outdated account, they should set up a service account and refuse interactive logins to prevent unwanted activity, according to Sophos experts. If the account is no longer needed, it should be deactivated and regular audits of the Active Directory performed.
The Rapid Response Team recommends the following steps for secure account management:
- Grant only the access rights required for a specific task or role
- Deactivate accounts that are no longer required
- If accounts of departed employees need to remain active, a service account should be set up and interactive logins should be denied
- Periodic Active Directory Audits: Active Directory auditing policies can be set to monitor administrator account activity or to report when an unexpected account is added to the domain administrators group
- Use of a security solution, ideally with anti-ransomware technologies such as those contained in Sophos Intercept X.
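The audit steps above (stale accounts, privileged group membership, alerting on additions to the domain administrators group) as an added PowerShell example; this is not code from the Sophos article. It assumes the RSAT ActiveDirectory module, read access to the domain, and a 90-day inactivity threshold, and it only reports, leaving deactivation to the administrator.

```powershell
# Added example, not from the Sophos article. Assumes the ActiveDirectory module
# (RSAT) and the Security log of a domain controller. Thresholds are assumptions.
Import-Module ActiveDirectory

$StaleDays   = 90                                # assumption: 90 days without logon = stale
$Cutoff      = (Get-Date).AddDays(-$StaleDays)
$AdminGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

# 1. Enabled accounts with no recent logon, the "ghost account" candidates.
#    LastLogonDate comes from lastLogonTimestamp (replicated, ~14-day precision),
#    so it is a screening signal. Accounts that never logged on have no value at
#    all and must be caught explicitly, otherwise '-lt' silently skips them.
$Stale = Get-ADUser -Filter { Enabled -eq $true } `
                    -Properties LastLogonDate, PasswordLastSet, Description |
         Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff } |
         Select-Object SamAccountName, LastLogonDate, PasswordLastSet, Description

# 2. Privileged group membership, resolved recursively through nested groups.
$Admins = foreach ($g in $AdminGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object @{n='Group'; e={$g}}, SamAccountName
}

# A stale account that also holds admin rights is the highest-priority finding:
# exactly the combination that gave the Nefilim attackers four unnoticed weeks.
$StaleAdmins = $Stale | Where-Object { $_.SamAccountName -in $Admins.SamAccountName }

Write-Host "Stale enabled accounts:                      $($Stale.Count)"
Write-Host "Stale accounts with privileged membership:   $($StaleAdmins.Count)"
$StaleAdmins | Format-Table -AutoSize

# 3. Additions to privileged groups in the last 7 days. Event 4728 is "member
#    added to a security-enabled global group" (Domain Admins), 4756 the universal
#    group variant. Field order follows the event schema: 0 = member, 2 = group,
#    6 = account that performed the change. Run on a DC or add -ComputerName.
$Added = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
             LogName = 'Security'; Id = 4728, 4756; StartTime = (Get-Date).AddDays(-7) } |
         Where-Object { $AdminGroups -contains $_.Properties[2].Value } |
         Select-Object TimeCreated,
                       @{n='Group';   e={$_.Properties[2].Value}},
                       @{n='Member';  e={$_.Properties[0].Value}},
                       @{n='AddedBy'; e={$_.Properties[6].Value}}
$Added | Format-Table -AutoSize
```

Scheduling this as a periodic task and forwarding a non-empty `$Added` or `$StaleAdmins` result to the SIEM gives the alert the article says was missing in the 150-server case.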
“Keeping track of account information is a basic, vital cybersecurity hygiene. We see far too many incidents where accounts have been set up, often with significant access rights, which have then been forgotten, sometimes for years. Such 'ghost accounts' are a preferred target for attackers.”
Background info on Nefilim Ransomware
Nefilim ransomware was first reported in March 2020. Like other ransomware families, e.g. Dharma, Nefilim mainly targets vulnerable Remote Desktop Protocol (RDP) systems as well as exposed Citrix software. It is one of a growing number of ransomware families, alongside DoppelPaymer and others, that practice so-called “double extortion”, with attacks that combine encryption with data theft and the threat of public exposure.
More on this at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.