Two ransomware incidents highlight how attackers target security blind spots
By Barracuda Networks
IT security teams are bombarded daily, if not hourly, with security alerts and events.
They need to cut through the noise to piece together the puzzle of potential threats and anomalous or suspicious activity to decide whether they are looking at legitimate actions or intruders with malicious intent. What happens when one or more of the puzzle pieces are missing?
Two different, real-life ransomware incidents targeting manufacturing companies and mitigated by Barracuda Managed XDR highlight what can happen to a company when its security cover is incomplete.
Incident #1: A Play ransomware attack
The security blind spots: compromised domain admin credentials, unprotected server not visible to security cover, the misuse of legitimate, commercially available IT tools
At approximately 1:00 a.m. on a Tuesday night, attackers exploited the credentials for a domain admin account to breach an unprotected remote desktop server belonging to their target. The lack of security cover meant that the anomalous activity on the domain controller went unnoticed.
The attackers then tried to establish persistence by installing a remote monitoring and management application on the unprotected server so that they could control their target from a distance.
The attackers used commercially available tools to try to obtain a list of credentials and move laterally through the network. This activity brought them to the attention of security tools which promptly killed the malicious activity.
The attackers then tried to disable and manipulate security measures and delete copies of files – a common precursor to the release of ransomware. This activity was also detected and blocked.
At 3:20 a.m. the attackers tried to execute Play ransomware and encrypt several devices. By 3:23 a.m. this attempt was shut down when the targeted endpoints were isolated from the network.
With full security cover the attack could have been neutralised hours earlier.
Incident #2: An Akira ransomware attack
The security blind spots: unprotected devices on the network, a VPN without multifactor authentication (MFA), a ‘ghost’ account created for a third-party vendor and not deactivated when the vendor left.
At some point before the main attack – another middle-of-the-night incident – the attackers got hold of the credentials to a ‘ghost’ account that had been set up by the target for a vendor and not deactivated when the vendor left. The attackers used this to connect to the target’s network via an open VPN channel that didn’t have MFA in place.
The attackers were spotted as they tried to move laterally across the network using information stealer malware and a hacking method that can circumvent passwords to gain access to a computer system. The malicious activity was blocked, but the attackers carried on. When they realised that endpoint protection was deployed on devices throughout the network, they tried to disable the endpoint security.
After this failed, they shifted the focus of their attack to an unprotected server from where they planned to launch the rest of the attack, well away from the visibility and restrictions of the installed endpoint security. The attackers were able to elevate their privileges to administrator-level and leverage that to execute the ransomware stage of the attack an hour later.
The attackers first executed the ransomware on the unprotected server and then tried to remotely encrypt devices they could reach through the network. Security tools quickly spotted the attack and isolated the targeted devices. Within four minutes it was all over for the ransomware.
Conclusion: The critical need for full spectrum security
These incidents illustrate how cyberattacks have become increasingly multi-stage and multi-level, with attackers ready to pivot and adapt to changing or unexpected circumstances, hunting down and exploiting any areas that are left unprotected and exposed.
Incomplete security cover can help attackers gain access to networks and remain under the radar until they decide to move laterally. It can enable them to prepare and launch different phases of the attack from devices that can’t be scanned and monitored by security tools.
The best protection against such attacks is comprehensive, layered defenses with integrated and extended visibility. This should be accompanied by a robust focus on cybersecurity basics. For example:
- Always enforce MFA, especially on VPN accounts that are accessible externally.
- Implement a password policy to rotate credentials regularly to avoid stale passwords.
- Regularly audit active user accounts and disable any that are no longer in use.
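The three basics above map directly onto the blind spots in the second incident: a stale vendor account, no password rotation, and a VPN that accepted a logon without MFA. The following script, an added example and not Barracuda code, shows what an account audit plus a VPN log check can look like in practice. The account inventory and the key=value VPN log format are constructed for the example; the thresholds (90 days without a logon, 180-day password age) are assumed policy values, not figures from the article.

```python
"""Audit a constructed account inventory and VPN log for the blind spots
discussed above: stale 'ghost' accounts, third-party accounts past their
engagement end date, passwords older than the rotation policy, and VPN
logons that completed without MFA.

Added example; the record formats below are constructed and do not come
from any real directory or VPN product.
"""
from datetime import datetime, timedelta

# Constructed inventory: one dict per account. 'vendor_end' is the end of
# a third party's engagement (None for internal staff or service accounts).
ACCOUNTS = [
    {"name": "jsmith",      "last_logon": "2024-05-28", "pwd_set": "2024-03-01", "vendor_end": None,         "enabled": True},
    {"name": "svc-backup",  "last_logon": "2024-05-29", "pwd_set": "2023-01-15", "vendor_end": None,         "enabled": True},
    {"name": "acme-vendor", "last_logon": "2024-01-10", "pwd_set": "2023-12-01", "vendor_end": "2024-02-01", "enabled": True},
    {"name": "contractor2", "last_logon": "2024-05-20", "pwd_set": "2024-05-01", "vendor_end": "2024-12-31", "enabled": True},
    {"name": "old-intern",  "last_logon": "2023-09-01", "pwd_set": "2023-06-01", "vendor_end": None,         "enabled": False},
]

# Constructed VPN authentication log (key=value layout invented for this example).
VPN_LOG = """\
2024-05-30T01:02:11 user=jsmith result=success mfa=yes src=203.0.113.10
2024-05-30T01:04:52 user=acme-vendor result=success mfa=no src=198.51.100.7
2024-05-30T01:05:30 user=contractor2 result=success mfa=yes src=198.51.100.9
2024-05-30T01:06:01 user=svc-backup result=failure mfa=no src=203.0.113.44
"""

NOW = datetime(2024, 5, 30)   # fixed 'current time' so the example is reproducible
STALE_DAYS = 90               # assumed policy: flag accounts with no logon in 90 days
PWD_MAX_AGE_DAYS = 180        # assumed policy: flag passwords older than 180 days


def parse_date(s):
    return datetime.strptime(s, "%Y-%m-%d")


def audit_accounts(accounts, now=NOW, stale_days=STALE_DAYS, pwd_max_age=PWD_MAX_AGE_DAYS):
    """Return {account name: [findings]} for enabled accounts only.
    Disabled accounts are skipped: they are already out of the attack surface."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        issues = []
        if now - parse_date(acct["last_logon"]) > timedelta(days=stale_days):
            issues.append("stale: no logon in %d days" % stale_days)
        if acct["vendor_end"] and parse_date(acct["vendor_end"]) < now:
            issues.append("ghost: vendor engagement ended, account still enabled")
        if now - parse_date(acct["pwd_set"]) > timedelta(days=pwd_max_age):
            issues.append("password older than rotation policy")
        if issues:
            findings[acct["name"]] = issues
    return findings


def parse_vpn_line(line):
    """Split 'timestamp k=v k=v ...' into a dict; timestamp is stored under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def vpn_without_mfa(log_text, findings):
    """Return (ts, user, priority) for each successful VPN logon that lacked MFA.
    A logon by an account the audit already flagged is escalated to HIGH, since
    that is exactly the stale-vendor-account-over-VPN pattern from the incident."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_vpn_line(line)
        if ev["result"] == "success" and ev["mfa"] == "no":
            prio = "HIGH" if ev["user"] in findings else "MEDIUM"
            hits.append((ev["ts"], ev["user"], prio))
    return hits


if __name__ == "__main__":
    found = audit_accounts(ACCOUNTS)
    for name, issues in found.items():
        print(name, "->", "; ".join(issues))
    for ts, user, prio in vpn_without_mfa(VPN_LOG, found):
        print(ts, user, "VPN logon without MFA", prio)
```

Run against the constructed data, the audit flags svc-backup for password age and acme-vendor on all three counts (stale, engagement ended, old password), and the VPN check raises the acme-vendor logon at 01:04:52 as HIGH because it succeeded without MFA on an account the audit had already flagged. In a real environment the inventory would be pulled from the directory and the log from the VPN concentrator, but the correlation logic stays the same.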
The integration of network, endpoint, server, cloud, and email security through XDR enables an unprecedented level of threat detection and response capability.
With a comprehensive XDR solution, every corner of the IT infrastructure, from email to cloud applications, is monitored and protected by a full spectrum of defensive tools combined with proactive threat hunting and response strategies.
This allows for swift action and minimises the window of opportunity for threat actors.