Lockbit ransomware operators spent nearly six months in a government agency’s network, deleting logs and using Chrome to download hacking tools, before eventually deploying extortionware, according to Sophos threat researchers.
About a month before the unnamed US regional government agency began investigating the intrusion, the cybercriminals deleted most of the log data to cover their tracks.
But they didn’t delete every log nor their browser search history, which meant they left some crumbs behind.
“Sophos was able to piece together the narrative of the attack from those unmolested logs, which provide an intimate look into the actions of a not particularly sophisticated, but still successful, attacker,” the security shop’s Andrew Brandt and Angela Gunn wrote this week in an analysis of the attack.
Other organizations can hopefully learn something from this intrusion to avoid a similar fate. For two things, using multi-factor authentication on accounts, and limiting remote-desktop access to, say, authenticated VPN connections, may have helped.
According to Sophos, the miscreants broke in via a remote desktop protocol (RDP) service: the firewall was configured to provide public access to an RDP server. As Sophos researchers noted, the point of entry is “nothing spectacular.” It’s not said exactly how the miscreants got in – via brute-forcing a weak password, using a stolen credential, tapping up a rogue insider, or exploiting a security bug, for example – but we’re told the intruders managed to hijack a local administrator account on the server that also had Windows domain admin privileges, which would make exploring and compromising the network simple.
The ransomware gang left behind a record of various legit remote-access tools they installed on commandeered servers and desktops. At first, the miscreants showed a preference for ScreenConnect IT management suite, but then they switched to AnyDesk, which Brandt and Gunn noted was likely an attempt to evade countermeasures on the network.
The security researchers also found RDP scanning, exploit, and brute-force password tools, along with logs recording their successful uses. The gang appeared to want to set up multiple paths into the agency’s machines to ensure the crew could connect back in if one or more access routes were closed.
Thus, identifying and acting on unexpected remote-desktop or remote-command connections could save your organization in future.
“Unusual remote access connections, even from legitimate accounts, can be a sign of possible intrusion,” Sophos Director of Threat Research Christopher Budd noted in an email to The Register. “Also, unusual behavior from within the network, specifically downloading powerful legitimate tools that are frequently abused by attackers can be another sign.”
The cybercriminals’ web searches showed they used the government computers to find and install several post-intrusion tools and other types of malicious software. This included password brute-forcers, crypto-miners, and pirated versions of VPN client software.
Additionally, Sophos found evidence the gang “used freeware tools like PsExec, FileZilla, Process Explorer, or GMER to execute commands, move data from one machine to another, and kill or subvert the processes that impeded their efforts.”
The network’s technicians made some blunders, too, Sophos noted. In one case, they left a protective feature disabled after finishing maintenance work. This left some systems vulnerable to meddling by the infiltrators, who switched off endpoint security products on the servers and some desktops and then installed remote-access tools to maintain control of the machines. Next, data was stolen.
“With no protection in place, the attackers installed ScreenConnect to give themselves a backup method of remote access, then moved quickly to exfiltrate files from file servers on the network to cloud storage provider Mega,” Brandt and Gunn wrote.
OK, Google, what malware should I use?
After five months of Googling malware and poking around on the agency’s network, the criminals’ behavior changed “dramatically,” Sophos noted.
The logs showed that they remotely connected and installed Mimikatz, an open-source tool that can extract account usernames and login credentials from Windows systems. The security shop adds that its antivirus products cleaned a first attempt at running this software, but “the IT department didn’t heed the warning” from the Sophos suite, apparently, and additional attempts to run Mimikatz via a compromised account worked.
At this point, the attackers started acting more like professional cybercriminals and Sophos also noted the IP address locations expanded. Ultimately, the analysis traced the gangsters’ IP addresses to Iran, Russia, Bulgaria, Poland, Estonia, and Canada. Sophos added these may have been Tor exit nodes.
Around the five-month mark, the government agency’s IT team noticed systems were repeatedly rebooting and otherwise “acting strange.” It started investigating and segmenting networks to protect the known-good machines from the rest.
But the IT team had disabled their Sophos Tamper Protection during their rebuild of the network, and the security vendor said “things got frenetic after that.”
On the first day of month six since the start of the intrusion, the cybercriminals ran Advanced IP Scanner, began moving laterally through the network to “multiple sensitive servers” and used compromised credentials to encrypt machines with LockBit and send ransom notes.
“Within minutes, the attacker(s) had access to a slew of sensitive personnel and purchasing files, and attackers were hard at work doing another credential dump,” Brandt and Gunn wrote.
The next day the government agency called in Sophos security analysts, and began working with them to shut down the servers providing remote access and remove the malware.
“In the course of the investigation,’ the Sophos duo worte, “one factor seemed to stand out: the target’s IT team made a series of strategic choices that enabled the attackers to move freely and to access internal resources without impediment. Deployment of MFA would have hindered the access by the threat actors, as would a firewall rule blocking remote access to RDP ports in the absence of a VPN connection.
“Responding to alerts, or even warnings about reduced performance, promptly would have prevented a number of attack stages from bearing fruit. Disabling features like tamper protection on endpoint security software seemed to be the critical lever the attackers needed to completely remove protection and complete their jobs without hindrance.”
Sophos’ write-up includes a series of indicators-of-compromise gathered from this infection for you to scan for on your network. ®