Sophos to the Rescue: Hackers spend months inside a network; nobody noticed

This is a somewhat lengthy read, but it is interesting. Sophos comes to the rescue against some ransomware bad guys and provides some great insight to the cost of carelessness in managing a network. It shows that even IT professionals are human and make mistakes, too!

Here’s the way this story starts off. Apparently, some newbie hackers somehow got inside a government agency network. Spent months there undetected. This is an unnamed regional government agency, and the incident was analyzed by our good friends at Sophos. According to them:

“In an attack where unknown threat actor groups spent at least five months poking around inside the network of a regional US government agency, behavioral log data suggests that two or more such groups were active before the final group deployed a Lockbit ransomware payload earlier this year.

Throughout the period attackers were active on the target’s network, they installed, then used Chrome browser to search for (and download) hacking tools on the “patient zero” computer, a server, where they made their initial access. Though the attackers deleted many Event Logs from machines they controlled, they didn’t remove them all.”

So they initial group actually installed Chrome on the system and shopped for hacking tools right there on the infected system itself. And they didn’t failed to remove all their own event logs. There’s more:

“Sophos was able to piece together the narrative of the attack from those unmolested logs, which provide an intimate look into the actions of a not particularly sophisticated, but still successful, attacker.”

Reconstructing what happened

For instance, the logs recorded that the attackers installed various commercial remote-access tools on accessible servers and desktops. They appeared to prefer the IT management tool ScreenConnect, but later switched to AnyDesk in an attempt to evade our countermeasures. We also found download logs of various RDP scanning, exploit, and brute-force password tools, and records of successful uses of those tools, so Windows remote desktop was on the menu, too.

In addition to various custom scripts and configuration files used by hacking tools the attackers installed, we found a wide variety of other malicious software, from password brute-forcers, to cryptominers, to pirated versions of commercial VPN client software. There was also evidence of the attackers using freeware tools like PsExec, FileZilla, Process Explorer, or GMER to execute commands, move data from one machine to another, and kill or subvert the processes that impeded their efforts.”

Adding to the problem, technicians responsible for managing the network left protective features disabled after completing maintenance. Resultingly, some systems were vulnerable to sabotage by attackers. These attackers disabled endpoint protection on the servers (which is bad) and some desktops. With no protection in place, the attackers installed ScreenConnect to give themselves a backup method of remote access, then moved quickly to exfiltrate files from file servers on the network to cloud storage provider Mega (which is really bad).”

Here’s the kicker

Over time, the attackers’ methods changed. In some cases so drastically it seemed as though an attacker with very different skills had joined the fray. The nature of the activity recovered from logs and browser history files on the compromised server gave Sophos the impression that the threat actors who first broke in to the network weren’t experts, but novices. Not only that, they may later have transferred control of their remote access to one or more different, more sophisticated groups. Groups who, eventually, delivered the ransomware payload.

Attackers will often delete log data to cover their tracks, and this incident was no exception. The attackers manually deleted nearly all log data about a month prior to investigator discovery. However, a deeper forensic dig indicates that the initial compromise occurred nearly half a year before investigators opened their case. The way they got in was nothing spectacular: straight in through RDP ports on a firewall that was set up to provide public access to a server.

Amateur night

Sophos analysts did a little detective work by searching the undeleted browser and application history logs. They developed a picture of a network ill-equipped to resist this type of attack. And also of attackers who seemed to have done little preparation for what to do beyond gaining initial access.

The forensic traces left behind seem to paint a picture of a novice attacker doing a bit of on-the-job training. They attempted tool installation (after Googling the tools), opened random text files, and ran a surprising number of speed tests. But not moving toward a particular goal or operating with great urgency.

However…

In the fifth month of the infiltration, the attacker behavior dramatically changed. After a three-week hiatus, logs indicate that an attacker remotely connected and installed the password-sniffing tool Mimikatz. Sophos protections saw it happen, and cleaned a first attempt at infection. Unfortunately, the IT department didn’t heed the warning, and the attacker’s later attempt to run Mimikatz was successful. It was done through a compromised account. Incidentally, the attackers also attempted to gather credentials using a different tool called LaZagne.)

Now for the REAL bad news

The credential-dumping application worked. Within a couple of days, the attackers had a password.txt file on the admin-level accounts they’d created on the compromised server. This marks a turning point in the investigation. At this point, presumably, any account that had logged into the troubled server was indeed compromised, credentials exposed.

And something else happened. The day the passwords.txt file appeared, someone decided to do a bit of tidying up. The initial threat actor, or a newer threat actor, visited websites looking for instructions to uninstall a malicious coinminer. One that, earlier, had been installed on the beleaguered server. The attacker also spotted the Sophos endpoint installation and tried (unsuccessfully) to remove those as well. They tried a variety of tools like GMER and IOBit Uninstaller.

Suddenly, over four months after the initial compromise, the behaviors of the attackers become crisper, more focused. But also, the locations of the malicious visitors have expanded. IP-address traces indicated connections from both Estonia and Iran. Ultimately the compromised network would host malicious visitors from IP addresses that geolocate to Iran, Russia, Bulgaria, Poland, Estonia, and… Canada. But these IP addresses may have been Tor exit nodes.

Things start to heat up. Even more

Right around this time, the target’s IT department noticed that the systems were “acting strange.” They were repeatedly rebooting, possibly by the threat actor’s direct command shortly after destroying the event logs. The IT department investigated and ultimately took five dozen servers offline while they built network segmentation designed to protect known-good devices from the others. However, to cut down on distractions, the IT department disabled Sophos Tamper Protection.

Things got a bit crazy after that. The last ten days of the infection were full of moves and countermoves between the attackers and the IT department. On the eighth day, Sophos’ team entered the fray. Through the end of the last calendar month of the attack, a steady stream of table-setting activities took place. The attackers dumped account credentials, ran network enumeration tools, checked their RDP abilities, and created new user accounts. This, presumably, to give themselves options in case of interruption in subsequent attacks. The logs were wiped multiple times and machines restarted during this period.

Eventually, the attacker made their big move. They ran Advanced IP Scanner and almost immediately beginning lateral movement to multiple sensitive servers. Sophos protections knocked down several new attempts at malicious file installation. But compromised credentials allowed the attacker to outflank those protections.

Within minutes, the attacker(s) had access to a slew of sensitive personnel and purchasing files, and attackers were hard at work doing another credential dump.

The next day, the target engaged with Sophos. Labs analysts identified the 91.191.209.198:4444 as a phone-home address with related shellcode. Over the course of several days, the IT team and Sophos guys collected evidence. Then they quickly shut down servers that provided the attackers with remote access. After that, they worked to remove the malware from the unencrypted machines.

Fortunately for the target, on at least a few machines, the attackers didn’t complete their mission. Sophos found files that had been renamed with a ransomware-related file suffix, but that had no encryption. Cleanup in those cases just involved renaming the files to restore their previous file suffixes.

Here’s the takeaway

In the course of the investigation, one factor seemed to stand out: The target’s IT team made a series of strategic choices that enabled the attackers to move freely and to access internal resources unimpeded. Multi-factor authentication would have hindered the access by the threat actors. So would a firewall rule blocking remote access to RDP ports in the absence of a VPN connection.

Also, responding to alerts, or even warnings about reduced performance, promptly would have prevented a number of attack stages from bearing fruit. Disabling features like tamper protection on endpoint security software seems to be the critical lever for the attackers to completely remove protection and complete their jobs unhindered.

The ransomware bad guys added a help wanted ad into their ransom note. Maybe that was supposed to be funny. But it’s wise for insiders with access to sensitive information refrain from committing crimes by helping ransomware threat actors.

You can read more on this story, but the takeaway is that the best security isn’t much good if its’ turned off. Simple carelessness is a human trait though, and we are all prone to it. That’s one of the reasons solutions like Sophos Intercept X with MDR are such a good fit for enterprise and government organizations.

Corporate Armor has a long relationship with Sophos, and we know from experience that they are an excellent IT security innovator across the board. Whether you are thinking about firewalls, access points, EDR, XDR, and MTR, or whatever else, you won’t go wrong with Sophos. So why not reach out to us, or call 877-449-0458? Thanks for reading!