Sports tracker and navigation software giant Garmin became just the latest high profile victim of the WastedLocker ransomware this week. After seeing critical, customer-facing services for its athlete-customers shut down for days, the company returned to business over the weekend after, reportedly, obtaining the decryption key.
Garmin followed in the footsteps of firms like Orange, Xerox, EDP Renewables and more. You might ask: ‘Why are so many wealthy, sophisticated firms falling for ransomware?’ The answer, in part, is that they and many other firms have not ‘learned the lessons of history,” to quote George Santayana, and so are “condemned to repeat it.”
That’s why the recent tell-all blog post by “Gavin,” a former Maersk security team member is such an interesting read. Unlike more literary accounts of cyber attacks (Kim Zetter’s Countdown to Zero Day about the Stuxnet malware or the more recent book Sandworm by Andy Greenberg come to mind), Gavin’s lengthy account provides an IT administrator’s “fly-on-the-wall” account of the years before and after the June, 2017 NotPetya outbreak, which effectively brought Maersk’s IT operation to its knees and cost the company several hundred million dollars in recovery efforts. As such: it is a rare, public accounting of the conditions that contributed to a successful cyber attack, identifying a number of problems that may ring bells with corporate IT and infosec leaders.
From the Trenches: a Familiar Picture
“Gavin” talks about the challenges of managing IT in a global company with distributed IT infrastructure, competing power centers and a slew of distinct and independent business units. He talks up IT’s many victories, like successfully migrating shared HR systems to the company’s Active Directory environment. And he talks about the challenges: a corporate mindset that looked at IT security as a “cost center” and prioritized cost containment; a legacy of lax management of user privileges that Gavin terms the “Principle of Most Privilege,” a play on the “Principle of Least Privilege” --the recommended practice of assigning only those privileges a user absolutely needs.
“In the race to the bottom, security controls had ultimately suffered and become a secondary concern to delivery,” Gavin writes. “With the historical organisational structures within IT, we had multiple security functions with no clear lead, and limited funding. Cue two years of fruitlessly pushing for privileged access controls.”
This lack of preparation came with a heavy cost, both to Maersk’s balance sheet and to the lives and psyches of employees like Gavin who had to clean up the mess the malware left behind.
Identity Attacks Often a Root Cause
The takeaway from Gavin’s account is a long list of recommendations including six “basics” that companies need to attend to. Those include things like eradicating weak passwords, implementing multi-factor authentication and overhauling user privileges with standards like the Tiered Access Model or something similar. Once “cutting edge,” those kinds of things are now basic blocking and tackling for enterprises in the age of sophisticated ransomware.
What’s more interesting and important is Gavin’s assessment that attacks on identity are at the root of many compromises including ransomware attacks. While firms including Garmin have been tight lipped about the circumstances surrounding their compromise, we know from technical analysis of ransomware incidents that abuse of identity infrastructure like Active Directory is a common component of the attacks. Ransomware gangs use their initial toehold in an environment to steal legitimate user credentials, escalate privileges when necessary, and move across the network in order to place ransomware on sensitive systems.
These more sophisticated methods of subverting products like Active Directory and protocols like Kerberos are central to cyber criminal and nation-state actors’ ability to establish and maintain persistence even within sophisticated, closely monitored IT environments. The fact is: most security monitoring tools and services just aren’t up to the task of detecting attacks against them like so-called “Golden Ticket” and “Silver Ticket” Kerberos forgeries.
Common Exploits, Common Tools
In the case of NotPetya, we know from publicly available analysis of the malware by security firms and accounts of the outbreak by reporters such Wired’s Andy Greenberg that credential theft and account takeovers were part of the mix. NotPetya’s embedded version of the Mimikatz post exploitation tool figured prominently in the malware’s ability to spread within compromised environments like Maersk.
With such tools at their disposal, even moderately skilled adversaries will have no trouble moving within environments with robust privilege management in place. Practically speaking, this means that the ability to detect such account takeovers, credential forgeries and other attacks within your environment when they happen has moved from “nice to have” to “got to have.” (If you need help convincing your internal IT team, encourage them to try out CrackMapExec to see how easy these more stealthy and powerful techniques are to execute.)
Taking the Threat Seriously
It's likely that IT and security team members from Garmin, Orange or other firms struggling to recover from a ransomware outbreak will find lots of familiar refrains in Gavin’s account of life before and after NotPetya hit Maersk. They’ll likely find themselves following many of his recommendations.
However, it can be difficult to assess the effectiveness of cyber defenses in the absence of an actual threat. As the boxer Mike Tyson famously quipped when asked to assess his opponent’s strategy ahead of a big bout: “everyone has a plan until they get hit.” The same observation can be applied well to enterprise IT security.
The lesson of Gavin’s post for organizations is simply to learn the lessons of history: to prepare for what you know you’ll face and take reasonable measures to anticipate what you can’t be sure about. Strong user authentication, deployment of multi-factor authentication and better monitoring of activity on critical identity infrastructure like Active Directory may not prevent compromises, but they will help organizations avoid the kind of crippling and public attacks that make headlines.
If you have questions about securing your Active Directory infrastructure, consider reaching out to QOMPLX for more information on how to stop Kerberos ticket forgeries and other AD threats and attacks.