If there’s one thing that’s worse than being compromised by ransomware, it’s realizing that the hack that led to the ransomware compromise happened months earlier without being spotted.
For attackers, this is called achieving persistence, and it is considered the holy grail of malware techniques because it lets criminals widen their net and compromise even more systems and data.
Frustratingly, the world rarely gets to see how the factor of time affects networks in much detail. A recent research note by security company Sophos is a welcome exception to this, revealing unsettling aspects of how a persistent compromise affected an unnamed U.S. Government agency.
The ransomware involved in the attack was LockBit, a sophisticated ransomware-as-a-service (RaaS) platform active since 2019.
LockBit is a potent enough threat to have earned an FBI flash warning earlier this year outlining its indicators of compromise (IOCs).
Using log evidence, Sophos discovered that the attack happened in phases, the first of which started after attackers crawled in through an open RDP port.
The attackers quickly installed their own remote access and brute-force password tools, plus a grab bag of other software including a cryptominer, a VPN client, and freeware tools used to bypass security clients and move data around.
They were able to disable endpoint protection after an engineer working for the agency left an unspecified protection mechanism inactive during maintenance. A second blunder was that the compromised RDP server came with domain administrator permissions for Active Directory.
It could have been worse if the attack had been more sophisticated—the attackers didn’t seem to have much of a plan for how to exploit the access, and left enough log data for Sophos to conduct extensive forensics. They even used risky public file-sharing websites and clicked on fake download pop-ups, causing “unintentional self-infections [that] created additional noise in the logs,” said Sophos.
After five months of access, things took a turn for the worse when what Sophos believes to be a new and much more sophisticated attacker suddenly appeared.
The new hackers ran the LaZagne password capture tool, which compromised multiple credentials as they were used by legitimate users to log in.
“Things got frenetic after that. The last ten days of the infection were full of moves and countermoves made by the attackers and the IT department. On the eighth day, Sophos’ team entered the fray.”
Outflanked at various turns, the defenders were now racing to stop a full-blown ransomware attack. Ultimately, they were largely successful—machines encrypted by the attackers were eventually restored.
The most important takeaway here is that the hackers who compromise a network are not always the ones who eventually launch the attack. It’s likely that some attackers now specialize in compromising “low-hanging-fruit”-type targets with weak security, setting up persistence before selling that access to more seasoned ransomware operators.
According to Sophos, it would also help if defenders used authentication to protect important servers and set up firewall rules that stop RDP ports from being reached except through the organization’s VPN.
Another glaring lesson is not to run networks in which attackers can hide for five months without being detected.
Security companies measure the ability to detect an attack with a metric called mean time to detect (MTTD), which is supposed to be counted in hours, minutes, or even seconds. Handing the enemy months to play with is asking for disaster.
That means setting up logs and understanding how to use them to spot anomalies, as well as any attempts by an attacker to cover their tracks by deleting them. This isn’t an easy job—combing logs has been compared to cleaning up after a party when you don’t know where the guests have made a mess or broken something. But it could be that good log forensics is all that stands between you and having your network sold to the highest bidder.
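As an added illustration of the last two lessons (RDP reachable only over the VPN, and logs watched both for anomalies and for tampering), here is a small Python triage script that is not part of the Sophos note or of this article; the VPN address range, the key=value log line format and the sample events are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Hypothetical VPN address pool; RDP logons from anywhere else are suspect.
VPN_NETWORKS = [ipaddress.ip_network("10.8.0.0/16")]
BRUTE_FORCE_THRESHOLD = 3  # failed logons from one source before flagging it
# Constructed sample log lines, not data from the incident. Event IDs are the
# standard Windows Security ones: 4624 logon success, 4625 logon failure,
# 1102 audit log cleared; LogonType 10 is RemoteInteractive, i.e. RDP.
SAMPLE_LOG = """\
2022-01-03T02:10:01 EventID=4625 LogonType=10 SrcIP=198.51.100.23 Account=administrator
2022-01-03T02:10:02 EventID=4625 LogonType=10 SrcIP=198.51.100.23 Account=administrator
2022-01-03T02:10:03 EventID=4625 LogonType=10 SrcIP=198.51.100.23 Account=administrator
2022-01-03T02:10:09 EventID=4624 LogonType=10 SrcIP=198.51.100.23 Account=administrator
2022-01-03T08:30:11 EventID=4624 LogonType=10 SrcIP=10.8.4.17 Account=jsmith
2022-01-03T09:15:40 EventID=4624 LogonType=3 SrcIP=192.0.2.50 Account=svc_backup
2022-01-03T23:59:58 EventID=1102 LogonType=- SrcIP=- Account=administrator
"""

def parse_event(line):
    """Turn 'timestamp key=value ...' into a dict; malformed lines give None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = {"timestamp": parts[0]}
    for field in parts[1:]:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def analyze(log_text, vpn_networks=VPN_NETWORKS, threshold=BRUTE_FORCE_THRESHOLD):
    """Return the three kinds of findings the article's lessons call for."""
    failed_per_source = Counter()
    rdp_outside_vpn, log_cleared = [], []
    for event in filter(None, map(parse_event, log_text.splitlines())):
        event_id = event.get("EventID")
        if event_id == "1102":  # someone cleared the audit log: track-covering
            log_cleared.append((event["timestamp"], event.get("Account")))
        elif event_id == "4625":  # failed logon, counted per source address
            failed_per_source[event.get("SrcIP")] += 1
        elif event_id == "4624" and event.get("LogonType") == "10":  # RDP logon
            if not any(ipaddress.ip_address(event["SrcIP"]) in n for n in vpn_networks):
                rdp_outside_vpn.append((event["SrcIP"], event.get("Account")))
    brute_force = [ip for ip, n in failed_per_source.items() if n >= threshold]
    return {"rdp_outside_vpn": rdp_outside_vpn, "log_cleared": log_cleared,
            "brute_force_sources": brute_force}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the constructed sample the script flags one RDP logon from outside the VPN range, one brute-forcing source, and one audit-log clearing; a real deployment would feed it exported event logs rather than an inline string.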