Criminals researched hacking TTPs after breaking in during a “chaotic” cyberattack
According to the Sophos researchers who investigated and eventually contained the “messy” attack, malicious actors broke into a server of a US regional government agency and then used it for five months to search for hacking and IT management tools that could further their goals.
Researchers today shared details of the long-running cyberattack on the undisclosed client, in which the attackers ultimately exfiltrated the victim’s data and deployed Lockbit ransomware. They believe it is possible that several different attackers had infiltrated the vulnerable server.
“It was a very chaotic attack. Working together with the target, Sophos researchers were able to paint a picture that began with seemingly inexperienced attackers breaking into the server, poking around the network and using the compromised server to google a combination of pirated and free versions of hacker tools and legitimate admin tools they could use for their attack. They then seemed unsure of what to do next,” said Andrew Brandt, senior security researcher at Sophos.
The initial access point appears to have been an open RDP (Remote Desktop Protocol) port on a firewall that had been configured to allow public access to the server. The intrusion began in September 2021.
As already mentioned, the attackers then searched for hacking tools online using a browser on the compromised server and tried to install what they found. In some cases, their searches led them to “shady” downloads that also installed malicious adware on the compromised server.
Some of the tools they tried to install were Advanced Port Scanner, FileZilla, LaZagne, mimikatz, NLBrute, Process Hacker, PuTTY, Remote Desktop Passview, RDP Brute Forcer, SniffPass, and WinSCP. They also tried using commercial remote access tools, including ScreenConnect and AnyDesk.
“Unless a member of the IT team downloaded them for a specific purpose, the presence of such tools on computers on your network is a red flag of an ongoing or impending attack,” Brandt said.
“Unexpected or unusual network activity, such as a computer scanning the network, is another such indicator. Repeated failed RDP logins on a computer that is only accessible from within the network is a sign someone is using a brute force tool to try to move laterally – as are active connections from commercial remote access tools that the IT team hasn’t installed, or has used in the past but hasn’t used in a while.”
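The two indicators Brandt describes, repeated failed RDP logons against an internal-only host and the appearance of the listed tools under accounts that have no business running them, can be hunted for directly in Windows Security events. The following is an added example written for this page, not code from Sophos or from the report: it runs over constructed event records shaped like Security log IDs 4625 (failed logon, with logon type 10 meaning RemoteInteractive/RDP) and 4688 (process creation). The executable names, the list of IT accounts allowed to run such tools, the hosts and the IP addresses are all assumptions made for the illustration.

```python
"""Hunt for the RDP brute-force and unexpected-tool indicators described above.

Added example, not from the Sophos report. Events are constructed inline as
dicts mimicking Windows Security log fields; in practice they would be pulled
from a SIEM or exported with wevtutil.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tools named in the article. The exact image names are assumptions.
SUSPECT_IMAGES = {
    "advanced_port_scanner.exe", "filezilla.exe", "lazagne.exe", "mimikatz.exe",
    "nlbrute.exe", "processhacker.exe", "putty.exe", "rdpv.exe", "sniffpass.exe",
    "winscp.exe", "screenconnect.clientservice.exe", "anydesk.exe",
}
IT_ACCOUNTS = {"CORP\\itadmin"}   # assumption: accounts expected to run admin tools

RDP_LOGON_TYPE = 10               # 4625 LogonType 10 = RemoteInteractive (RDP)
BRUTE_THRESHOLD = 5               # failures within WINDOW that count as brute force
WINDOW = timedelta(minutes=10)


def rdp_brute_force(events, threshold=BRUTE_THRESHOLD, window=WINDOW):
    """Return (host, src_ip) pairs with >= threshold failed RDP logons in any sliding window."""
    buckets = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625 and ev.get("logon_type") == RDP_LOGON_TYPE:
            buckets[(ev["host"], ev["src_ip"])].append(ev["time"])
    hits = []
    for key, times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                hits.append(key)
                break
    return hits


def unexpected_tools(events, allowed=IT_ACCOUNTS):
    """Return (host, user, image) for listed tools started by accounts outside `allowed`."""
    out = []
    for ev in events:
        if ev["id"] != 4688:
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()   # basename of the executable
        if image in SUSPECT_IMAGES and ev["user"] not in allowed:
            out.append((ev["host"], ev["user"], image))
    return out


def sample_events():
    """Constructed sample events for the demonstration (not real logs)."""
    t0 = datetime(2021, 9, 14, 2, 0, 0)
    ev = []
    # Six failed RDP logons in under three minutes from one internal host: brute force.
    for i in range(6):
        ev.append({"id": 4625, "time": t0 + timedelta(seconds=30 * i), "host": "FS01",
                   "src_ip": "10.0.5.23", "logon_type": 10, "user": "CORP\\backup"})
    # Three failures spread over an hour: a user mistyping a password, not a hit.
    for i in range(3):
        ev.append({"id": 4625, "time": t0 + timedelta(minutes=20 * i), "host": "FS01",
                   "src_ip": "10.0.7.9", "logon_type": 10, "user": "CORP\\alice"})
    # Network (SMB) logon failures, logon type 3: ignored by the RDP rule.
    for i in range(8):
        ev.append({"id": 4625, "time": t0 + timedelta(seconds=10 * i), "host": "DC01",
                   "src_ip": "10.0.5.23", "logon_type": 3, "user": "CORP\\backup"})
    # Process creation: mimikatz under a service account (hit), AnyDesk run by IT (allowed), notepad.
    ev.append({"id": 4688, "time": t0, "host": "SRV-WEB01", "user": "CORP\\svc_web",
               "image": "C:\\Users\\Public\\Downloads\\mimikatz.exe"})
    ev.append({"id": 4688, "time": t0, "host": "WS-IT01", "user": "CORP\\itadmin",
               "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"})
    ev.append({"id": 4688, "time": t0, "host": "SRV-WEB01", "user": "CORP\\svc_web",
               "image": "C:\\Windows\\System32\\notepad.exe"})
    return ev


if __name__ == "__main__":
    evs = sample_events()
    print("RDP brute force from:", rdp_brute_force(evs))
    print("Unexpected tools:", unexpected_tools(evs))
```

The sliding window matters: a handful of failures an hour apart is a user, while the same count inside a few minutes is a tool such as NLBrute or RDP Brute Forcer. The image-name match is deliberately simple; attackers rename binaries, so in production the check should also key on file hashes or the original filename recorded in the PE version resource.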
In January 2022, the attackers changed tactics and showed signs of more skilful and focused activity. A previously deployed malicious cryptominer was removed, as was the server’s security software – the target had inadvertently left a protection feature disabled after a previous round of maintenance. They were then able to exfiltrate data and deploy Lockbit, although the ransomware was only partially successful.
Brandt suggested that this change in tactics could indicate that a separate group had become involved on its own, or that access had been resold in some way. “About four months after the initial attack, the nature of the attack activity changed, in some cases so drastically as to suggest that attackers of very different skill sets had joined the fight,” he said.
“A robust, proactive, 24/7 defense-in-depth approach will help prevent such an attack from gaining traction and spreading. The most important first step is to prevent attackers from gaining access to a network in the first place — for example, by implementing multi-factor authentication and setting firewall rules to block remote access to RDP ports in the absence of a VPN [virtual private network] connection.”
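The firewall advice above is easy to check mechanically. The following is an added example, not code from the article, Sophos, or any firewall vendor: it models a ruleset as an ordered first-match list (how most host and perimeter firewalls evaluate rules) and shows the exposed configuration from the initial-access section beside a corrected one that only admits TCP/3389 from the VPN address pool and the LAN. The address ranges and probe addresses are assumptions.

```python
"""Check whether a firewall ruleset exposes RDP (TCP/3389) outside the VPN.

Added example, not from the article. Rules are (action, source_network, port)
tuples evaluated first-match; port None means any port.
"""
from ipaddress import ip_address, ip_network

RDP_PORT = 3389
VPN_POOL = ip_network("10.8.0.0/24")   # assumption: addresses assigned to VPN clients
LAN = ip_network("10.0.0.0/16")        # assumption: internal address space

# Representative sources to probe; the addresses are constructed for the example.
PROBES = {"internet": "203.0.113.5", "vpn": "10.8.0.17", "lan": "10.0.3.4"}

# The misconfiguration described in the article: RDP published to the whole internet.
WEAK_RULES = [
    ("allow", "0.0.0.0/0", RDP_PORT),
]

# Corrected: RDP only from the VPN pool and the LAN, everything else explicitly denied.
HARDENED_RULES = [
    ("allow", str(VPN_POOL), RDP_PORT),
    ("allow", str(LAN), RDP_PORT),
    ("deny", "0.0.0.0/0", RDP_PORT),
]


def decide(rules, src, port):
    """First matching rule wins; implicit deny if nothing matches."""
    src = ip_address(src)
    for action, net, p in rules:
        if src in ip_network(net) and (p is None or p == port):
            return action
    return "deny"


def rdp_exposure(rules, probes=PROBES):
    """Map each probe label to the verdict the ruleset gives it for TCP/3389."""
    return {label: decide(rules, ip, RDP_PORT) for label, ip in probes.items()}


def rdp_open_to_internet(rules):
    """True when a source outside the VPN and LAN can reach RDP."""
    return rdp_exposure(rules)["internet"] == "allow"


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, rdp_exposure(rules), "open to internet:", rdp_open_to_internet(rules))
```

Run against a real ruleset, the useful part is the probe set: add one probe per network you actually have (branch offices, cloud ranges, partner links) so an allow rule with an over-broad prefix shows up as an unexpected "allow" for a source that should be "deny".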
Saryu Nayyar, CEO and founder of Gurucul, said that with dwell times in some cases exceeding 250 days, threat actors are much better able to hide their activities from traditional Security Information and Event Management (SIEM) or extended detection and response (XDR) tools designed to identify patterns over shorter time periods.
She said it is virtually impossible for a security team to manually piece together seemingly disparate indicators of compromise (IoCs) over weeks or months, and that most current solutions struggle with this as well.
“Companies need to look for more advanced tools that link disparate events over time using analytics and adaptive and trained machine learning models, not just simple correlation or rule-based fixed machine learning,” she said.
“In addition, included threat content (unfortunately, most companies charge a fee for out-of-the-box automated threat detection), network traffic analysis to identify unauthorized external communications, and real-time baselining and analysis of user and entity behavior can be used to uncover which anomalous behaviors are actual security threats related to an attack campaign. This changes the game in that it allows security teams to be proactive instead of reactive,” Nayyar said.