Welcome to The 4n6Guard Chronicles!
Hi there! Thanks for stopping by. We share in-depth cybersecurity incident analyses. Each edition will bring you real-world stories, expert insights, and actionable recommendations to help you stay ahead of the ever-evolving cyber threats. If you’re new to our community, please consider subscribing and we look forward to navigating the complex world of cybersecurity together.
Disclaimer
The company names mentioned in The 4n6Guard Chronicles are fictional, and the case studies have been modified to protect the identity of the victims. Names marked with an asterisk (*) indicate fake names used for this article. However, the impact of these cybersecurity incidents is serious and serves as a stark warning to take proactive steps to protect your company’s data. The scenarios discussed are based on real-world events and are intended to provide valuable insights and actionable recommendations to enhance your cybersecurity posture. Always consult with cybersecurity professionals to address specific needs and vulnerabilities unique to your organization.
Incident analysis case study
This case study contains three (3) sections:
- Incident Overview: provides an overview of the victim’s IT setup, shedding light on the weaknesses that were, or could have been, exploited by the threat actor (TA).
- Vector of Compromise or Root Causes: describes the precise methods the attacker used to infiltrate the systems and the underlying issues that allowed the breach to occur. In some cases the exact mechanism cannot be established because of limitations in the victim’s environment (missing or cleared logs, reimaged systems); there, a hypothesis is posited as the most likely cause.
- Tailored Recommendations: expert advice on improving the organization’s security posture, with specific recommendations tailored to the type of incident covered. Some may already be in place in your environment, but they should still provide actionable insight.
Incident Overview
Background
XYZ Company Inc.’s (“XYZ”) IT infrastructure was a blend of legacy and modern systems: an internal employee network and the applications used for critical daily operations. XYZ ran three Windows Server 2012 R2 Standard servers and Windows 7 Professional workstations, with Remote Desktop Protocol (RDP) enabled for remote work. It relied on a standard Windows environment with Active Directory for user management, and an external IT consulting company managed the systems. Both operating systems had already left Microsoft’s extended support before the incident (Windows 7 in January 2020, Windows Server 2012 R2 in October 2023), so even a diligent patch process would have had no security updates to apply without paid Extended Security Updates.
XYZ had no established password policy, and employees generally left their workstations unlocked. There was no regular patch management or update schedule, so outdated software accumulated known vulnerabilities. Although management was aware of these issues, it did not prioritize them or allocate resources to close the gaps.
Incident
On Thursday, June 20, 2024, at 9:00 am EDT, the Finance Manager, Alex Wright*, logged into their Windows 7 Professional workstation and was greeted with the message “All files on the system have been encrypted”. Alex could not open the applications needed to process the company’s payment transactions and raised an alert, and the external IT consulting company responsible for XYZ’s infrastructure was contacted about the unresponsive applications. The consultancy promptly investigated and informed XYZ’s executives that their systems had been infected with ransomware that appended the file extension “abc123_123” to encrypted files. A cybersecurity consulting firm was subsequently engaged to investigate and identify the root cause of the incident.
Vector of Compromise
During the investigation, it was determined that the compromise began with a Windows Server whose RDP port was reachable from the Internet. Combined with poor password hygiene, this allowed the threat actor to brute-force an administrator account and log in. Once inside, the threat actor disabled the local security tools, dropped a toolkit on the system and immediately began reconnaissance.
With an administrator account in hand, the threat actor now had leverage in the environment and, as part of their tradecraft, created two (2) additional administrator accounts named “sys_admin” and “backup_adm”. Because XYZ did not maintain proper security controls or audits, the newly created accounts were overlooked, which helped the threat actor persist in the environment.
From this foothold, the threat actor executed ‘mimikatz.exe[1]’, a well-known credential-dumping tool that, among many other uses, extracts password hashes (and sometimes plaintext credentials) from LSASS memory. Such hashes are either taken offline and cracked to recover the plaintext password, or used directly to authenticate in what is known as a pass-the-hash attack[2]. In this case the execution produced two output files, ‘Pass.txt’ and ‘1.txt’, and the harvested credentials were used to continue reconnaissance.
As part of the attack, the threat actor placed several malicious files in the root directory of the compromised server, a location chosen to keep the toolkit readily accessible for later use. Threat actors with access to a victim’s computer commonly stage files in standard directories such as ‘Program Files’ or ‘Users’, or in system folders and other hidden directories, where they blend in with legitimate content.
Forensic artifacts relating to 26 executables were discovered, presumably used in the attack; however, the threat actor later deleted these files from the system, eliminating the opportunity for malware analysis and reverse engineering. The absence of these artifacts strongly suggests that the threat actor was familiar with anti-forensic techniques and used them to conceal their activity and impair the system’s defences. It was also established that the threat actor cleared the Windows event logs and other system logging sources. This is a common ploy in ransomware attacks to limit the data available for detection and audit. (Clearing the Security log is itself recorded as Event ID 1102 in the new, empty log, and clearing the System log as Event ID 104, so the act of clearing usually remains visible even when the contents are gone.)
The threat actor then searched local sources, such as file systems and local databases, for files of interest and sensitive data before the exfiltration that likely followed. The threat actor was also observed accessing sensitive client data on XYZ’s main file server. In many cases, data access can be reconstructed from the network share paths to the various folders, which give a clear indication of which files were opened during the incident timeline; the files accessed in this way are then used to determine what data was compromised.
In this incident, the threat actor used the open-source tool “Invoke-ShareFinder[3]” (a function of the PowerView toolkit) as part of their attack strategy. It was first used to enumerate file shares in the environment, and the identified share was then mapped on the Windows Server that had served as the initial entry point. The threat actor staged data for exfiltration by using 7-Zip to create archives of the Accounting and HR folders from the file server. Once the archives were ready, they used “MegaSync.exe[4]”, the desktop client for the Mega[.]nz cloud storage service, to connect to a Mega account, most likely to upload the archives. The archives themselves were no longer present at the time of examination, but artifacts from the 7-Zip execution indicate that their total size was approximately 18GB.
Firewall logs are often vital to confirming data exfiltration: they show whether data left the network and allow an accurate count of the volume transferred. XYZ’s environment had no external-facing firewall recording this information, so the amount of data that left could not be confirmed. The evidence of staging and the use of MegaSync nonetheless indicate that exfiltration very likely took place.
Just minutes after the probable exfiltration, the threat actor launched the ransomware and began encrypting data. Within seconds of execution, the ransomware dropped a ransom note in each user account directory and spread across the network via mounted shared drives. It appended the extension “abc123_123” (an apparently random string) to every encrypted file, and the same string appears in the ransom note. Analysis of the note’s content showed that the attack followed the sequence of well-known ransomware intrusions and that the note’s wording closely resembled that used by a known Ransomware-as-a-Service (“RaaS”) group.
This RaaS group is known for its anti-forensic tools and techniques and has a reputation for exfiltrating data and leaking it on the dark web if the ransom demand is not met.
Even though the logging available for analysis was insufficient, typical Windows systems retain a great deal of data that can still be leveraged to answer the pressing questions, as this analysis showed. Here the limitations came from two sources: the threat actor’s anti-forensic actions, such as log clearing, and the lack of telemetry (centralized logging, endpoint detection, firewall logs) in XYZ’s environment that could have provided more data for review.
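The threat actor’s actions described above each leave a recognisable trace in the Windows Security log, provided that log survives. As an added example (not code from the case study or from the consultancy that handled it), the PowerShell below hunts a set of event records for that chain: a burst of RDP logon failures followed by a success from the same address, newly created accounts that are immediately added to an administrators group, process creation for archiving and cloud-sync tools such as 7-Zip and MegaSync, and clearing of the Security log. The event records are constructed inline so the script runs offline; the event IDs are the standard Windows ones, while the IP address, account names, timestamps, paths, command lines and thresholds are assumptions made for the demonstration.

```powershell
# Added example, not code from the case study. Hunts constructed Security log
# records for the behaviours described in the Vector of Compromise section.
# Field mapping when adapting this to Get-WinEvent output (assumed here):
#   4625/4624: TargetUserName -> User, IpAddress -> SourceIp, LogonType
#   4720:      TargetUserName -> User (the account that was created)
#   4732/4728: MemberName -> User, TargetUserName -> Group (local/global group)
#   4688:      NewProcessName -> Process, CommandLine (populated only when the
#              "Include command line in process creation events" policy is on)
#   1102:      the Security log was cleared (written into the fresh log)

function New-SampleEvent {
    param([datetime]$Time, [int]$Id, [string]$User = '', [string]$SourceIp = '',
          [int]$LogonType = 0, [string]$Process = '', [string]$CommandLine = '',
          [string]$Group = '')
    [pscustomobject]@{
        Time = $Time; Id = $Id; User = $User; SourceIp = $SourceIp
        LogonType = $LogonType; Process = $Process; CommandLine = $CommandLine; Group = $Group
    }
}

# Constructed telemetry: attacker at 203.0.113.7 (documentation range, assumed).
$t0 = [datetime]'2024-06-19 22:00:00'
$SampleEvents = @(
    # 30 failed RDP logons three seconds apart, then a success for the same account
    foreach ($i in 1..30) {
        New-SampleEvent -Time $t0.AddSeconds(3 * $i) -Id 4625 -User 'administrator' -SourceIp '203.0.113.7' -LogonType 10
    }
    New-SampleEvent -Time $t0.AddMinutes(2) -Id 4624 -User 'administrator' -SourceIp '203.0.113.7' -LogonType 10
    # rogue administrator accounts, created and elevated within the same minute
    New-SampleEvent -Time $t0.AddMinutes(9)  -Id 4720 -User 'sys_admin'
    New-SampleEvent -Time $t0.AddMinutes(9)  -Id 4732 -User 'sys_admin'  -Group 'Administrators'
    New-SampleEvent -Time $t0.AddMinutes(10) -Id 4720 -User 'backup_adm'
    New-SampleEvent -Time $t0.AddMinutes(10) -Id 4732 -User 'backup_adm' -Group 'Administrators'
    # staging and exfiltration tooling (paths and switches assumed), one benign process for contrast
    New-SampleEvent -Time $t0.AddHours(5) -Id 4688 -User 'sys_admin' -Process 'C:\Users\sys_admin\7z.exe' -CommandLine '7z.exe a -mx1 C:\Acct.7z \\FS01\Accounting'
    New-SampleEvent -Time $t0.AddHours(6) -Id 4688 -User 'sys_admin' -Process 'C:\Users\sys_admin\MegaSync.exe' -CommandLine 'MegaSync.exe'
    New-SampleEvent -Time $t0.AddHours(6) -Id 4688 -User 'alex.wright' -Process 'C:\Windows\System32\notepad.exe' -CommandLine 'notepad.exe'
    # the log clearing itself
    New-SampleEvent -Time $t0.AddHours(7) -Id 1102 -User 'sys_admin'
)

function Find-RdpBruteForce {
    # Source IPs with at least $Threshold failed logons that later achieve a
    # LogonType 10 (RemoteInteractive, i.e. RDP) success from the same address.
    param([object[]]$Events, [int]$Threshold = 20)
    foreach ($grp in ($Events | Where-Object { $_.Id -eq 4625 } | Group-Object SourceIp)) {
        if ($grp.Count -lt $Threshold) { continue }
        $lastFail = @($grp.Group | Sort-Object Time)[-1]
        $Events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 -and $_.SourceIp -eq $grp.Name -and $_.Time -ge $lastFail.Time } |
            ForEach-Object { [pscustomobject]@{ Time = $_.Time; Finding = 'RDP brute force then success'; Detail = "$($grp.Count) failures from $($grp.Name), then logon as $($_.User)" } }
    }
}

function Find-RogueAdminAccounts {
    # Accounts created (4720) and added to an admin group (4732 local / 4728 global) shortly afterwards.
    param([object[]]$Events, [int]$WithinMinutes = 60)
    $elevations = $Events | Where-Object { $_.Id -in 4732, 4728 -and $_.Group -match 'Admin' }
    foreach ($created in ($Events | Where-Object { $_.Id -eq 4720 })) {
        $elevations | Where-Object { $_.User -eq $created.User -and $_.Time -ge $created.Time -and ($_.Time - $created.Time).TotalMinutes -le $WithinMinutes } |
            ForEach-Object { [pscustomobject]@{ Time = $_.Time; Finding = 'New account made admin'; Detail = "$($_.User) created and added to $($_.Group)" } }
    }
}

function Find-StagingTools {
    # Process creation (4688) of archivers and cloud-sync clients typically used for staging and exfiltration.
    param([object[]]$Events)
    $watch = '7z.exe', '7za.exe', 'winrar.exe', 'megasync.exe', 'rclone.exe'
    $Events | Where-Object { $_.Id -eq 4688 -and $watch -contains ($_.Process -replace '.*\\', '') } |
        ForEach-Object { [pscustomobject]@{ Time = $_.Time; Finding = 'Staging/exfil tool run'; Detail = "$($_.User): $($_.CommandLine)" } }
}

function Find-LogClearing {
    param([object[]]$Events)
    $Events | Where-Object { $_.Id -eq 1102 } |
        ForEach-Object { [pscustomobject]@{ Time = $_.Time; Finding = 'Security log cleared'; Detail = "by $($_.User)" } }
}

function Get-IncidentTimeline {
    param([object[]]$Events)
    @(Find-RdpBruteForce $Events) + @(Find-RogueAdminAccounts $Events) + @(Find-StagingTools $Events) + @(Find-LogClearing $Events) | Sort-Object Time
}

Get-IncidentTimeline $SampleEvents | Format-Table -AutoSize
```

On the constructed sample this prints six findings in time order: the brute force and success, the two rogue accounts, the 7-Zip and MegaSync executions, and the log clearing, with notepad.exe correctly ignored. The same functions run unchanged against records projected from Get-WinEvent, and the thresholds are parameters so they can be tuned to an environment’s normal failure rate. Note that on a host where the attacker has already cleared the log, the only reliable copy is the one that was forwarded elsewhere beforehand, which is the point of the SIEM recommendation below.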
Lessons Learned
Many companies, not unlike XYZ Company Inc., are unaware of their current security posture and remain vulnerable to similar attacks. Common attack vectors include unsecured public-facing RDP, legacy operating systems, vulnerable VPN/firewall appliances, phishing emails and websites, and brute-force attacks against accounts not protected by MFA. This is by no means an exhaustive list, but it is an important reminder that companies must budget for security hardening to reduce their attack surface and limit the chance that a similar attack will affect them.
From this incident it is evident that a proactive approach to cybersecurity is essential. Organizations must turn their stated desire for comprehensive security measures into actual implementation. The frustrations that follow a reactive approach show the consequences of being unprepared: operational disruption, data breaches, financial losses and regulatory non-compliance.
Without proactive measures, organizations remain vulnerable and struggle to recover from cyber incidents. These fears, grounded in potential reputational damage, financial repercussions and legal exposure, underscore the need for proactive security measures, which are vital in fortifying against emerging threats, mitigating risk and ensuring operational integrity.
The 4n6 Analyst’s article underscores the importance of understanding these cybersecurity desires, frustrations and fears. It highlights the need for proactive measures such as thorough security assessments, incident response plans, and regular incident playbook reviews and tabletop exercises to fortify organizations against emerging threats.
For a detailed exploration, read the full article.
Exploring Cybersecurity Desires, Frustrations, and Fears
Recommendations
The following recommendations were tailored to XYZ’s infrastructure following the DFIR review and were implemented by the XYZ team to reduce their attack surface and limit the chance of a recurrence:
1. Implement a Security Information and Event Management (SIEM) solution. The biggest challenge during this investigation was gathering and analyzing logs: many were never collected, and those stored locally were manipulated or deleted by the threat actor covering their tracks. Forwarding logs to a SIEM, or at minimum to a separate log collector, means a copy survives when the local copy is cleared.
2. Introduce Network Segregation or Segmentation. XYZ’s devices sit in a single “flat” network in which workstations, servers and other devices can all communicate freely with one another. Segmentation limits how far a compromised host (here, the RDP-exposed server) can reach, and in particular separates Internet-exposed services from file servers holding sensitive data.
3. Implement Internet Restrictions at the Server Level. Limit outbound connections to the Internet. Only a small number of approved and documented external IP addresses (e.g., Windows Update, Webroot updates) should be reachable from production servers. A default-deny outbound policy would have blocked, or at least logged, the MegaSync connection used for exfiltration.
4. Enforce 2FA Across All Admin Accounts. At a minimum, two or more authentication factors should be required for admin accounts as soon as possible. Ideally, every user in the company should use 2FA or better for any service exposed to the Internet, RDP included.
5. Enforce User Account Hardening Standards. Ensure all accounts meet password best practices. The password policy should define a minimum password length, enforce password history, set a minimum password age, require password complexity, lock accounts after repeated failed logons to blunt brute-force attempts such as the one in this incident, and send email notifications when passwords are about to expire.
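As an added example of how recommendations 3 and 5 translate into configuration (this is not XYZ’s or the consultancy’s script), the following PowerShell applies a default-deny outbound firewall policy with a documented allow-list, turns on firewall logging of the kind that was missing when the analysts tried to confirm whether the 18GB of archives left the network, sets the domain password and lockout policy, and emails users whose passwords are about to expire. It also enables the process-creation auditing that a SIEM (recommendation 1) needs in order to see tool execution. It is meant to be run as a domain administrator on a Windows Server 2012 R2 or later host with the ActiveDirectory (RSAT) and NetSecurity modules available. Every address, host name, mail server, sender address and threshold is an assumption for the example and must be replaced with the values documented for the site.

```powershell
# Added example, not XYZ's or the consultancy's script. Applies recommendations
# 3 (server-level outbound restriction) and 5 (account hardening), and turns on
# the firewall and audit logging whose absence hampered the investigation.
# All addresses, names and thresholds below are assumptions for the example.
#Requires -RunAsAdministrator
Import-Module NetSecurity
Import-Module ActiveDirectory

# --- Recommendation 3: default-deny outbound, allow only documented destinations ---
$ApprovedOutbound = @(
    @{ Name = 'Domain controllers (DNS, Kerberos, LDAP)'; Address = '10.0.1.0/24' }  # assumed DC subnet
    @{ Name = 'WSUS / Windows Update relay';             Address = '10.0.5.10' }    # assumed internal WSUS
    @{ Name = 'Endpoint protection update server';       Address = '10.0.5.11' }    # assumed; use the vendor's published ranges
)
foreach ($dest in $ApprovedOutbound) {
    New-NetFirewallRule -DisplayName "Allow outbound: $($dest.Name)" -Direction Outbound `
        -Action Allow -RemoteAddress $dest.Address -Profile Any | Out-Null
}
# Flip the default only after the allow rules exist, or you cut off your own session.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
# Log both allowed and dropped connections so that later exfiltration attempts leave a record.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogAllowed True -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 32767

# --- Recommendation 5: domain password policy, plus lockout to blunt brute force ---
$domainDn = (Get-ADDomain).DistinguishedName
Set-ADDefaultDomainPasswordPolicy -Identity $domainDn `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 365) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

function Get-ExpiringPasswordUsers {
    # Enabled users whose domain-computed password expiry falls within $Days.
    param([int]$Days = 14)
    $cutoff = (Get-Date).AddDays($Days)
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
               -Properties mail, msDS-UserPasswordExpiryTimeComputed |
        ForEach-Object {
            $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
            # 0 or Int64.MaxValue means "never expires" and cannot be converted to a date
            if ($raw -and $raw -lt [long]::MaxValue -and $_.mail) {
                $expires = [datetime]::FromFileTime($raw)
                if ($expires -le $cutoff) {
                    [pscustomobject]@{ User = $_.SamAccountName; Mail = $_.mail; Expires = $expires }
                }
            }
        }
}
# Mail server and sender are assumed placeholders.
foreach ($u in Get-ExpiringPasswordUsers) {
    Send-MailMessage -SmtpServer 'smtp.xyz.example' -From 'it-security@xyz.example' -To $u.Mail `
        -Subject 'Your password expires soon' `
        -Body "Your Windows password expires on $($u.Expires.ToString('yyyy-MM-dd')). Please change it beforehand."
}

# --- Recommendation 1 groundwork: generate the process-creation events a SIEM needs ---
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
```

Two design points are worth noting. The outbound allow-list is created before the profile default is switched to Block, because the order matters on a remote session; and the Windows Firewall’s own log is enabled alongside the allow-list, since an outbound block that is not logged still leaves an investigator unable to size an exfiltration. The password-expiry query uses msDS-UserPasswordExpiryTimeComputed rather than arithmetic on pwdLastSet so that fine-grained password policies are honoured.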
Sources:
[1] https://www.sentinelone.com/cybersecurity-101/mimikatz/
[2] https://www.beyondtrust.com/resources/glossary/pass-the-hash-pth-attack
[3] https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/
[4] https://blog.reconinfosec.com/megasync-analysis