LockBit ransomware operators spent nearly six months on a government agency’s network, deleting logs and using Chrome to download hacking tools, before finally deploying extortion software, threat researchers at Sophos say.
About a month before the unnamed US regional government agency began investigating the intrusion, the cybercriminals deleted most of the log data to cover their tracks.
But they didn’t delete all of the logs or their browser’s search history, which means they left a few crumbs behind.
“Sophos was able to piece together the attack narrative from these unhindered logs, which provide intimate insight into the actions of a not particularly sophisticated, but still successful attacker,” Andrew Brandt and Angela Gunn of the security firm wrote this week in an analysis of the attack.
Other organizations can hopefully learn something from this intrusion to avoid a similar fate. For a start, using multi-factor authentication on accounts and limiting remote desktop access to, say, authenticated VPN connections may have helped.
According to Sophos, the attackers broke in via a Remote Desktop Protocol (RDP) service: the firewall was configured to provide public access to an RDP server. As the Sophos researchers noted, the entry point is “nothing spectacular.” It’s not said exactly how the bad guys got in – by brute-forcing a weak password, using stolen credentials, tapping a rogue insider, or exploiting a security bug, for example – but we’re told the intruders managed to hijack a local administrator account on the server that also had Windows domain administrator privileges, which would make it easier to explore and compromise the network.
The ransomware gang left behind a record of various legitimate remote access tools they installed on commandeered servers and desktops. The attackers initially showed a preference for the ScreenConnect IT management suite, but later switched to AnyDesk, which Brandt and Gunn said was likely an attempt to evade countermeasures on the network.
Security researchers also found RDP scanning, exploit, and brute-force password-guessing tools, along with logs recording their successful use. The gang seemed to want to set up multiple paths into the agency’s machines to ensure the crew could reconnect if one or more access paths were closed.
So, identifying and acting on unexpected remote desktop or remote command connections could save your organization in the future.
“Unusual remote connections, even from legitimate accounts, can be a sign of a possible intrusion,” noted Christopher Budd, director of threat research at Sophos, in an email to The Register. “Also, unusual behavior from inside the network, especially the downloading of powerful legitimate tools that are frequently abused by attackers, may be another sign.”
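A small detector for the pattern Budd describes, added here as an example and not drawn from the Sophos report: it parses constructed Windows Security logon events (4624 = success, 4625 = failure, logon type 10 = RDP) and flags RDP logons from outside an assumed VPN address pool, noting when the same source had a run of failures first.

```python
import ipaddress
from collections import Counter

# Constructed sample of Windows Security logon events (not from the Sophos report).
# Fields: timestamp, event id, logon type, account, source IP.
# 4624 = successful logon, 4625 = failed logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2021-01-03T02:11:05,4625,10,administrator,203.0.113.45
2021-01-03T02:11:07,4625,10,administrator,203.0.113.45
2021-01-03T02:11:09,4625,10,administrator,203.0.113.45
2021-01-03T02:11:12,4624,10,administrator,203.0.113.45
2021-01-03T09:30:00,4624,10,jsmith,10.8.0.23
2021-01-03T09:45:10,4624,3,svc_backup,10.0.0.5
"""

# Assumption: RDP logons are only expected from this (hypothetical) VPN client pool.
VPN_RANGES = [ipaddress.ip_network("10.8.0.0/24")]


def parse_events(text):
    """Turn the CSV-style sample into dicts with a parsed source address."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split(",")
        events.append({"ts": ts, "event_id": int(event_id), "logon_type": int(logon_type),
                       "account": account, "src": ipaddress.ip_address(src)})
    return events


def is_vpn_source(ip):
    return any(ip in net for net in VPN_RANGES)


def find_suspicious_rdp(events, fail_threshold=3):
    """Return successful RDP logons from outside the VPN pool; if the same
    account/source pair failed at least fail_threshold times first, say so."""
    failures = Counter()
    findings = []
    for e in events:
        if e["logon_type"] != 10:          # only remote-desktop logons matter here
            continue
        key = (e["account"], e["src"])
        if e["event_id"] == 4625:
            failures[key] += 1
        elif e["event_id"] == 4624 and not is_vpn_source(e["src"]):
            reason = "RDP logon from non-VPN address"
            if failures[key] >= fail_threshold:
                reason += f" after {failures[key]} failed attempts"
            findings.append({"ts": e["ts"], "account": e["account"],
                             "src": str(e["src"]), "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rdp(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the sample data only the administrator logon from 203.0.113.45 is reported; the VPN-sourced and non-RDP logons are ignored.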
The cybercriminals’ web searches show they used the agency’s computers to find and install several post-intrusion tools and other types of malware, including password crackers, cryptominers, and cracked versions of VPN client software.
Additionally, Sophos found evidence that the gang “used free tools such as PsExec, FileZilla, Process Explorer, or GMER to run commands, move data from one machine to another, and kill or subvert processes that interfered with their efforts”.
The agency’s IT staff also made a few mistakes, Sophos noted. In one case, they left a protection feature disabled after completing maintenance work. This left some systems open to interference by the intruders, who disabled endpoint security products on servers and some desktops, then installed remote access tools to maintain control of the machines. Data was then stolen.
“With no protection in place, the attackers installed ScreenConnect to give themselves a remote access backup method, then moved quickly to exfiltrate files from file servers on the network to the Mega cloud storage provider,” Brandt and Gunn wrote.
OK, Google, what malware should I use?
After five months of searching Google for malware and snooping around the agency’s network, the criminals’ behavior changed “dramatically”, Sophos noted.
Logs showed that they logged in and remotely installed Mimikatz, an open-source tool capable of extracting account usernames and login credentials from Windows systems. The security firm adds that its antivirus products cleaned up an initial attempt to run this software, but “IT apparently ignored the warning” from the Sophos suite, and further attempts to run Mimikatz via a compromised account worked.
At this point, the attackers started to act more like professional cybercriminals, and Sophos also noted that the range of source IP address locations widened. Ultimately, the analysis traced the gang’s IP addresses to Iran, Russia, Bulgaria, Poland, Estonia and Canada. Sophos added that these may be Tor exit nodes.
After about five months, the government agency’s IT team noticed that systems were repeatedly rebooting and “behaving strangely”. It began to investigate and segment the network to protect known machines from the rest.
But the IT team had disabled its Sophos tamper protection while rebuilding the network, and the security vendor said “things got frantic after that.”
On the first day of the sixth month since the start of the intrusion, the cybercriminals ran Advanced IP Scanner, began moving laterally through the network to “several sensitive servers”, and used compromised credentials to encrypt the machines with LockBit and leave ransom notes.
“Within minutes, the attacker(s) gained access to a large number of sensitive personal and purchase files, and the attackers were hard at work performing another credential dump,” Brandt and Gunn wrote.
The next day, the government agency called Sophos security analysts and began working with them to shut down the servers providing remote access and remove the malware.
“During the investigation,” writes the Sophos duo, “one factor seemed to stand out: the target’s IT team made a series of strategic choices that allowed the attackers to move freely and gain access to internal resources unimpeded. An MFA deployment would have impeded threat actor access, as would a firewall rule blocking remote access to RDP ports in the absence of a VPN connection.
“Responding quickly to alerts, or even warnings about reduced performance, would have prevented a number of attack stages from succeeding. Disabling features such as tamper protection on endpoint security software seemed to be the critical leverage attackers needed to completely remove protection and complete their jobs unimpeded.”
The Sophos write-up includes a list of Indicators of Compromise collected from this infection that you can search your network for. ®