We’re always on the lookout for interesting research on cyber threats, including ransomware. So we were particularly interested to read an account by researchers for Sophos’s Rapid Response team this week on the malware known as Netfilim (aka Nemty), a particularly nasty example of the human-directed ransomware we’ve written about before.
[ If you want to learn more about how QOMPLX can help your company spot signs that may signal a Active Directory or authentication compromise, contact our team now. ]
Ransomware: the Final Red Flag
The write up by Michael Heller over on Sophos’s site calls attention to a trend that we’ve also noted: the long fuse on human-directed ransomware attacks. In worst case scenarios like the one described by Sophos, the emergence of ransomware isn’t the start of an attack, but its denouement.
“Ransomware is the final payload in a longer attack,” Peter Mackenzie, the manager for Rapid Response is quoted as saying “It is the attacker telling you they already have control of your network and have finished the bulk of the attack.”
As Mackenzie’s quote suggests: the key to preserving operational integrity is spotting the signs of an emerging attack early—not just before adversaries have had a chance to deploy ransomware but, ideally, before they have even determined where it should be placed. To do that, organizations need to be able to spot the early warning signs of an human-directed ransomware campaign.
Achilles Heels: Remote Access and Ghost Credentials
What are those? The Sophos write up on Nefilim gives us a good list to work from. As we see in many sophisticated attacks—ransomware or no—the attack starts with an initial compromise of public-facing assets. In this case, the Netfilim actors compromised a Citrix remote-access server, which was running software with four known-exploitable CVEs at the time of the incident. Sophos couldn’t isolate which of the CVEs was exploited to gain access to the system but, really, it doesn’t matter so much which one they used. What matters is they got in.
Targeting a remote-access server isn’t surprising. Sophisticated adversaries have made a habit of looking for exposed and vulnerable VPN concentrators and other remote-access systems in recent years. And, with the COVID-19 pandemic stranding millions of workers at home, there are just more of these around. At the same time, it is harder for IT staff to monitor a vastly increased population of remote workers. As we noted in September, for example, a report by CISA, the US Government’s lead cybersecurity agency, found that the hack of an unnamed federal agency probably started with the exploitation of a known flaw in the Pulse VPN server.
In short: if you have a vulnerable remote-access server that’s exposed to the Internet, that is a “10 out 10” risk for your organization you should address immediately. Even as you address it, you should be assessing whether or not malicious actors noticed the exposed asset before you did and took advantage.
What’s more interesting in the Sophos case: the administrator whose account had been stolen in the initial compromise passed away months before the compromise. In other words, not only was that person no longer with the company, they were no longer alive. Ordinarily, such accounts would be removed. However, the victim firm Sophos describes kept this account active because a number of network services were linked to it. Practically, that just meant that account activity continued after the individual who owned the account was no longer active. At the very least, that decision complicated Sophos’s efforts to weed out malicious activity associated with the account after it was compromised. The lesson here is that accounts needed to support critical services need to be service accounts, not accounts linked to people. Because people… die.
The Usual Suspects: Mimikatz, Cobalt Strike, PowerShell
After gaining control of a local administrator account, the attackers used Mimikatz to lift credentials for a domain administrator account that were stored on the compromised machine. The threat actor then used Remote Desktop Protocol (RDP) logins to maintain access to the initial admin account used in the attack. As is often the case in human-directed ransomware campaigns, the attackers “lived off the land,” using native Windows tools like PowerShell and RDP as well as dual-use tools such as Cobalt Strike to move laterally, conduct reconnaissance on the network, identify hosts to target and gain control over additional network hosts, Sophos wrote.
In this case, attackers stole a significant amount of data before deploying the ransomware. Sophos said the Netfilim group used the file transfer and synchronization application MEGA to do that. They also used Windows Management Instrumentation (WMI), via the compromised domain admin account, to distribute the Netfilim binaries to around 100 targeted systems. This, too, is an example of “living off the land” because it used ordinary administrative tools to distribute the destructive payload.
Bad Hygiene, Missed Opportunities
Sophos’s excellent write-up is interesting: it re-frames the ransomware problem, encouraging IT admins to think of ransomware outbreaks not as the first sign of trouble, but the final, glaring red flag. Beyond the headache of cleaning up ransomed systems, organizations who have had outbreaks now need to walk back from the point of disruption to uncover signs of what is likely a much larger and longer-lasting incident, one in which attackers have been dwelling in their environments for months or years. That mind-shift is important, and long overdue.
The account of the Netfilim outbreak by Sophos also underscores the wisdom of the basic Active Directory hygiene and monitoring that QOMPLX and other organizations have long advocated.
Back in June, for example, we published a blog on the 10 Active Directory Health Checks You Should Know. If you review that in light of the details of the Netfilim outbreak that Sophos describes, you’ll spot a number of controls that—if adopted by the victim organization—likely would have stopped the attack in its tracks. Among them:
- Using Logon Type 3 Network Logon or other methods to ensure that sensitive administrative account credentials are not stored on LSASS or disk when sessions are established. Use of this control may have prevented the attackers from stealing domain administrator credentials from the initial compromised system.
- Disabling or deleting forgotten or inactive accounts. As we noted in June, forgotten accounts are common in large and complex AD environments and increase the attack surface available to a threat actor already on the network. In this case, an administrator account for an employee who was no longer active was hijacked. Moving linked services from that user account over to a service account may have prevented attackers from establishing their initial toe-hold on the network.
- Deploying authentication monitoring tools such as QOMPLX’s Identity Assurance to identify attempts to forge credentials or elevate access in appropriately. In this case, attackers used Mimikatz to obtain domain administrator credentials. As we’ve seen, threat actors increasingly target critical control infrastructure such as Active Directory. Monitoring the integrity of authentication transactions, by efficiently detecting tactics such as Golden Ticket and Kerberroasting, is essential.
The disruption caused by ransomware can be extraordinary. However, as Sophos blog post indicated, the methods to thwart ransomware gangs are often entirely ordinary. We hope that more organizations will take that message to heart, and shore up their network defenses using these common-sense tactics.
QOMPLX Can Help
As companies work to assess their own exposure to threats like ransomware, QOMPLX stands ready to assist them in assessing whether their Active Directory environment may have been compromised and, if necessary, to establish “ground truth” in their environment and begin recovering from the incident.
If you want to learn more about how QOMPLX can help your company identify and thwart attacks on Active Directory including Golden Ticket Attacks and Kerberoasting, contact our team now to set up a discussion with QOMPLX security practitioners.