Cyber criminals have increasingly shown a willingness to “play the long game,” where they can gain access to a computer network, and then spend months (or longer) before actually conducting an attack. That can include browsing for IT administration tools that can be used to further breach systems.
This month, cybersecurity researchers at Sophos announced that they had discovered that a group of unknown threat actors spent at least five months “poking around” within a network of regional U.S. government agency systems. According to behavioral log data, two or more such cyber criminal groups may have been active before one of the groups deployed a Lockbit ransomware payload earlier this year.
“This was a very messy attack. Working together with the target, Sophos researchers were able to build a picture that started with what appears to be novice attackers breaking into the server, poking around the network and using the compromised server to Google a combination of pirated and free versions of hacker and legitimate admin tools to use in their attack. They then seemed unsure of what to do next,” Andrew Brandt, principal security researcher at Sophos, explained in a statement.
“About four months after the initial breach, the nature of the attack activity changed, in some cases so drastically that it suggests attackers with very different skills had joined the fray. These attackers went on to attempt to uninstall security software,” Brandt added. “They eventually stole data and encrypted files on several machines by deploying Lockbit ransomware.”
The researchers at Sophos determined that the initial point of access for the attack was an open remote desktop protocol (RDP) port on a firewall that was configured to provide public access to a server. The attackers successfully breached the server in September 2021, and then used a browser on the breached server to search online for the tools to use for hacking and attempted to install them.
According to the Sophos report, the attackers’ behaviors only changed significantly in mid-January, with signs of more skilled and focused activity. That included an attempt to remove the malicious cryptominer and uninstall security software, taking advantage of the fact that the target had inadvertently left a protective feature disabled after completing maintenance. The attackers were then able to collect and exfiltrate data, while they also deployed the Lockbit ransomware.
Fortunately the ransomware attack had only limited success, and the attackers failed to encrypt data on some machines. However, the fact that the threat actors spent months on the systems remains a matter of concern.
“This case is a compelling reminder that while stories about APT’s and zero-day attacks dominate the news, many cyberattacks come from relatively unsophisticated individuals taking advantage of simple errors or easily avoided misconfigurations,” said Chris Clements, vice president of solutions architecture at cybersecurity firm Cerberus Sentinel.
“In this case, there were many failures by the organization that were the equivalent of rolling out the red carpet to the attackers,” Clements told ClearanceJobs via an email. “Leaving RDP access open to the internet is extremely risky. Automated bots routinely scan the entire internet for open RDP servers to brute force with common accounts and passwords.”
In this particular situation the attackers essentially “lucked” into guessing credentials for an account that was not only an administrator on the exposed system, but also had administrator rights to the entire network. This shows that the weakest link remains human error.
Given that level of access, the situation could have been far worse.
“This would have been an immediate game over situation for any experienced attacker, but the initial attacker here appears to have been extremely inexperienced,” Clements continued. “There’s not much of a silver lining here, but this fact does seem to limit the exposure during the extended timeframe the perpetrator had access. The fact that the attacker was able to compromise an administrative system account likely means that a relatively simple password was in use.”
Multiple Threat Actors
One of the more disconcerting aspects of this particular story is that multiple threat actors may have played a role in this breach. As noted, it wasn’t initially the result of a sophisticated effort. Rather it appears that a low-level, less technically adept group found access, and likely provided the access to the agency computer network to a more skilled team.
“It is not uncommon for bad actors to remain in systems for extended periods of time undetected, however, in this case, it appears that the bad actors may have sold or passed off access to the system to a much more talented group in the end. Remote access portals and tools remain a popular way to gain an initial foothold on networks, almost as popular as using phishing emails, and once in the system, it can be difficult to remove them,” explained Erich Kron, security awareness advocate at KnowBe4.
“In this case, a myriad of things went wrong, from misconfigurations to ignored clues that the server was compromised, leading to the eventual deployment of ransomware,” Kron told ClearanceJobs. “While the reason for the attack may remain unknown, due to the lack of tool preparation and the initial activity on the server, in this case, it appears to have been a target of opportunity as opposed to a targeted attack.”
Failure to Notice
The other bewildering fact in this attack is that it went on for so long, completely unnoticed. It could be argued that the hacking group did everything right, while the cybersecurity teams guarding the network weren’t on the ball.
“The goal of the hacker is to stay persistent in the victim’s enterprise,” said Garret Grajek, CEO of cybersecurity research firm YouAttest. “In this way they can laterally move across the network and discover resources worth exfiltrating and/or ransoming. Given that hackers are playing the ‘long game’ – the hackers are willing to ‘go slow’ as they explore the enterprise.”
However, security personnel should be able to detect anomalies in traffic behavior and identify changes. Grajek warned that 73% of hacks start with an identity compromise: the hackers usually start with easy-to-obtain compromised user credentials and then work to elevate their privileges, both to maintain persistence and to communicate back to the hacker home base.
“It is these identity and permission changes that need to be detected,” Grajek told ClearanceJobs.
“Any time a device or server is accessible from the internet, it is important to ensure that it is monitored for unusual activity and locked down properly,” Kron added. “This includes monitoring for brute force attacks against the device, locking down internet access, especially from browsers, and ensuring that access is monitored as well.”
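The two detection points raised above, identity and permission changes (Grajek) and brute-force attempts against an internet-facing device (Kron), can be illustrated with a small log review script. The following is an added example written for this article; it is not code from Sophos, from any of the quoted vendors, or from the incident itself. It reads constructed Windows Security event records in a JSON-lines layout whose field names (time, event_id, logon_type, src_ip, user, group, member) are this example's own; the event IDs and logon type are the standard Windows ones (4625 failed logon, 4624 successful logon, 4728/4732 member added to a security group, logon type 10 for RDP). The internal address ranges, the five-failures-in-five-minutes threshold and the list of privileged groups are assumptions an organization would tune for itself.

```python
"""Added example (not from the article): flag RDP brute-force bursts from
external sources and additions to privileged groups in Windows Security
event records.  All log lines below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import json

# Constructed sample records; the field names are this example's own schema.
# 4625 = failed logon, 4624 = successful logon, logon_type 10 = RDP,
# 4732/4728 = member added to a local/global security group.
SAMPLE_LOG = """
{"time": "2021-09-03T02:14:01", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.23", "user": "administrator"}
{"time": "2021-09-03T02:14:09", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.23", "user": "admin"}
{"time": "2021-09-03T02:14:17", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.23", "user": "backup"}
{"time": "2021-09-03T02:14:25", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.23", "user": "administrator"}
{"time": "2021-09-03T02:14:33", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.23", "user": "administrator"}
{"time": "2021-09-03T02:14:41", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.23", "user": "administrator"}
{"time": "2021-09-03T02:15:02", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.23", "user": "administrator"}
{"time": "2021-09-03T09:30:00", "event_id": 4625, "logon_type": 10, "src_ip": "10.20.0.15", "user": "jdoe"}
{"time": "2021-09-03T09:31:00", "event_id": 4624, "logon_type": 10, "src_ip": "10.20.0.15", "user": "jdoe"}
{"time": "2022-01-18T23:05:44", "event_id": 4732, "group": "Administrators", "member": "svc-updates", "user": "administrator"}
{"time": "2022-01-18T23:06:10", "event_id": 4728, "group": "Domain Users", "member": "svc-updates", "user": "administrator"}
"""

# Assumed internal ranges; anything else is treated as internet-facing traffic.
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed set of groups whose membership changes always deserve review.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins",
                     "Remote Desktop Users"}


def parse_events(text):
    """Parse JSON-lines records and convert the timestamp to datetime."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: peak failures inside one window} for external sources
    whose failed RDP logons reach `threshold` within any `window`."""
    failures = defaultdict(list)
    for e in events:
        if (e["event_id"] == 4625 and e.get("logon_type") == 10
                and is_external(e["src_ip"])):
            failures[e["src_ip"]].append(e["time"])
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):        # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def logons_from_flagged_sources(events, hits):
    """Successful RDP logons (4624) from any source already flagged for
    brute force: the signal that a guessed credential worked."""
    return sorted({(e["src_ip"], e["user"]) for e in events
                   if e["event_id"] == 4624 and e.get("logon_type") == 10
                   and e["src_ip"] in hits})


def detect_privileged_group_changes(events, privileged=PRIVILEGED_GROUPS):
    """Members added to privileged groups (4728 global / 4732 local)."""
    return [(e["member"], e["group"]) for e in events
            if e["event_id"] in (4728, 4732) and e["group"] in privileged]


def run_detection(text=SAMPLE_LOG):
    events = parse_events(text)
    hits = detect_rdp_bruteforce(events)
    return {
        "bruteforce": hits,
        "logon_from_flagged_source": logons_from_flagged_sources(events, hits),
        "privileged_changes": detect_privileged_group_changes(events),
    }


if __name__ == "__main__":
    for name, finding in run_detection().items():
        print(f"{name}: {finding}")
```

On the sample data the script flags the six failures from the external address within 40 seconds, the successful RDP logon that followed from the same address, and the addition of an account to the local Administrators group, while ignoring the single internal failure and the non-privileged group change. In practice the failure threshold, the internal ranges and the privileged-group list are the settings to adjust, and the same logic applies whether the records come from a SIEM export or directly from the Security event log.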
It bears repeating that lax security practices will keep producing the same outcome: a breached network.
“To remain safe from cyberattacks from attackers of any experience level takes an organization adopting a true culture of security,” suggested Clements. “Personnel from executive leadership down all need to understand the risks they face, and all do their part to keep the organization safe by dedicating the resources for protection, detection, and response. It takes acknowledging that effective cybersecurity is hard to do well and takes skilled personnel, adequate tools, and broad awareness training to maintain a resilient organization.”