Clueless hackers spent months inside a network and nobody noticed. But then a ransomware gang turned up
Novice hackers who didn’t know what they were doing spent months inside a government agency network without being detected – before higher-skilled attackers came in after them and launched a ransomware attack.
Analysis of the incident at an unspecified US regional government agency by cybersecurity researchers at Sophos found that the amateur intruders left plenty of indicators they were in the network. Yet despite a lack of subtly and leaving a trail behind, they weren’t detected because what Sophos researchers describe as “strategic choices” made by the IT team that made life easy for them.
The attackers initially broke into the network using one of the most popular techniques deployed by cyber criminals – breaching the password of internet-facing Windows Remote Desktop Protocol (RDP) on a firewall. It’s uncertain how the password itself was breached, but common methods include brute-force attacks and phishing emails.
They also got lucky, because the compromised RDP account wasn’t only a local admin on the server, but also had domain administrator permissions, allowing the account to be exploited to create admin accounts on other servers and desktops.
But despite all this power, the intruders didn’t seem to know what to do once they had access to the network. Analysis of activity logs suggested they used the servers they controlled inside the network to run Google searches to look for hacking tools, then following pop-up ads to pirated software downloads.
Researchers say this left the server riddled with adware and the hackers unintentionally infecting the servers they controlled with malware. The victim organisation didn’t notice any of this was happening.
Log data suggests that the attackers were regularly disappearing for days at a time before returning to look around the network, occasionally creating new accounts to gain access to other machines. This continued for months, with the attackers seemingly learning how to hack networks as they went along, as well as installing cryptomining malware on the compromised servers.
“This was a very messy attack,” says Andrew Brandt, principal security researcher at Sophos. “They then seemed unsure of what to do next”.
But after four months, the attacks suddenly became more focused and more sophisticated. Following a three-week hiatus with no activity, attackers remotely connected and installed the password-sniffing tool Mimikatz in order to gain access to additional usernames and passwords, storing them all in a text file on the desktop of admin-level accounts they created.
These attackers also looked to remove the coinminer which had previously been installed and attempted to uninstall antivirus software on endpoints. It’s likely that the higher sophistication of the attacks mean new intruders had gained access to the network.
“When you see an abrupt change in both goals and skill level in an attack like this, in which the original ingress point is at that point still open as it was in this case, the safe bet is that another attacker has entered the space” says Brandt.
It was at this point the IT department noticed something strange was happening, taking servers offline to investigate – but in order to do this, they also disabled some cybersecurity protections – and the attackers took advantage.
The intruders repeatedly dumped new account credentials and created new accounts in order to continue their attacks. The logs were also wiped repeatedly, in what could have been an attempt to cover their tracks.
SEE: Cybersecurity: Let’s get tactical (ZDNet special report)
The new, much more sophisticated attackers also stole a set of sensitive files as they worked towards the apparent end goal of a ransomware attack, which fully encrypted some of the machines on the network with LockBit ransomware. But the attack didn’t affect all the machines and the IT department, with the aid of Sophos analysts, were able to clean up and restore services.
However, the whole attack could’ve been prevented if better cybersecurity strategies were in place, as attackers were able to freely enter and move around the network without being detected – particularly as measures were implemented to improve efficiency rather than improving cybersecurity, even when it was clear the organisation was under attack.
“Disabling features like tamper protection on endpoint security software seemed to be the critical lever the attackers needed to completely remove protection and complete their jobs without hindrance,” researchers said in the blog post.
Applying multi-factor authentication to user accounts would have helped prevent them from being exploited and login notifications would’ve provided a warning that something suspicious was under way.
Meanwhile, properly monitoring the network would’ve had indicated something was wrong when the attackers were snooping around, and certainly before another set of hackers broke in and laid the foundation for a ransomware attack.
“Defenders have to keep watch on their network, whether in-house or through a managed-services partner. Keeping an eye out for smaller oddities or incidents – even something as simple as someone logging into a system at odd hours or from an unusual location – can make the difference,” said Brandt.
MORE ON CYBERSECURITY