Disabling features like tamper protection on endpoint security software seemed to be the critical lever the attackers needed to completely remove protection and complete their jobs without hindrance." "Responding to alerts, or even warnings about reduced performance, promptly would have prevented a number of attack stages from bearing fruit. Deployment of MFA would have hindered the access by the threat actors, as would a firewall rule blocking remote access to RDP ports in the absence of a VPN connection.
"In the course of the investigation,' the Sophos duo worte, "one factor seemed to stand out: the target’s IT team made a series of strategic choices that enabled the attackers to move freely and to access internal resources without impediment. The next day the government agency called in Sophos security analysts, and began working with them to shut down the servers providing remote access and remove the malware. "Within minutes, the attacker(s) had access to a slew of sensitive personnel and purchasing files, and attackers were hard at work doing another credential dump," Brandt and Gunn wrote. On the first day of month six since the start of the intrusion, the cybercriminals ran Advanced IP Scanner, began moving laterally through the network to "multiple sensitive servers" and used compromised credentials to encrypt machines with LockBit and send ransom notes. Ultimately, the analysis traced the gangsters' IP addresses to Iran, Russia, Bulgaria, Poland, Estonia, and Canada. Sophos added these may have been Tor exit nodes.Īround the five-month mark, the government agency's IT team noticed systems were repeatedly rebooting and otherwise "acting strange." It started investigating and segmenting networks to protect the known-good machines from the rest.īut the IT team had disabled their Sophos Tamper Protection during their rebuild of the network, and the security vendor said "things got frenetic after that."
The security shop adds that its antivirus products cleaned a first attempt at running this software, but "the IT department didn't heed the warning" from the Sophos suite, apparently, and additional attempts to run Mimikatz via a compromised account worked.Īt this point, the attackers started acting more like professional cybercriminals and Sophos also noted the IP address locations expanded.
The logs showed that they remotely connected and installed Mimikatz, an open-source tool that can extract account usernames and login credentials from Windows systems. OK, Google, what malware should I use?Īfter five months of Googling malware and poking around on the agency's network, the criminals' behavior changed "dramatically," Sophos noted. "With no protection in place, the attackers installed ScreenConnect to give themselves a backup method of remote access, then moved quickly to exfiltrate files from file servers on the network to cloud storage provider Mega," Brandt and Gunn wrote. This left some systems vulnerable to meddling by the infiltrators, who switched off endpoint security products on the servers and some desktops and then installed remote-access tools to maintain control of the machines. In one case, they left a protective feature disabled after finishing maintenance work. The network's technicians made some blunders, too, Sophos noted.
This included password brute-forcers, crypto-miners, and pirated versions of VPN client software.Īdditionally, Sophos found evidence the gang "used freeware tools like PsExec, FileZilla, Process Explorer, or GMER to execute commands, move data from one machine to another, and kill or subvert the processes that impeded their efforts."
The cybercriminals' web searches showed they used the government computers to find and install several post-intrusion tools and other types of malicious software.
'Precursor malware' infection may be sign you're about to get ransomware, says startup."Also, unusual behavior from within the network, specifically downloading powerful legitimate tools that are frequently abused by attackers can be another sign." "Unusual remote access connections, even from legitimate accounts, can be a sign of possible intrusion," Sophos Director of Threat Research Christopher Budd noted in an email to The Register.