Attackers of varying levels of skill were involved at different times, yet numerous indicators of compromise had been ignored.
In Sep 2021, an open remote desktop protocol (RDP) port on a firewall that was configured to provide public access to a server was exploited by hackers. A Chrome browser on the breached government server was then used to search online for a mix of administration and hacking tools to be used later on in the breach.
In some cases, the search for tools led the attackers to shady download sites that delivered adware to the hacked server, instead of the tools they were looking for. The attackers deleted many event logs from the machines they controlled, but they did not remove them all.
In mid-January 2022, the lurking attackers took advantage of the fact that the target had inadvertently left a protective feature disabled after completing maintenance. The attackers then collected and exfiltrated data and deployed Lockbit ransomware. The ransomware attack had limited success and the attackers failed to encrypt data on some machines.
A messy attack
According to Andrew Brandt, Principal Security Researcher, Sophos which released details of the incident they contained: “This was a very messy attack… that started with what appears to be novice attackers breaking into the server, poking around the network and using the compromised server to (search for) a combination of pirated and free versions of hacker and legitimate admin tools to use in their attack. They then seemed unsure of what to do next.”
About four months after the initial breach, the nature of the attack activity changed, in some cases so drastically that it suggests attackers with very different skills had joined the fray, said Brandt. “These attackers went on to attempt to uninstall security software. They eventually stole data and encrypted files on several machines by deploying Lockbit ransomware.”
The tools the attackers tried to install for malicious purposes included Advanced Port Scanner, FileZilla, LaZagne, mimikatz, NLBrute, Process Hacker, PuTTY, Remote Desktop Passview, RDP Brute Forcer, SniffPass, and WinSCP. The attackers also installed commercial remote access tools, including ScreenConnect and AnyDesk.
Multiple IOCs ignored
Sophos reminds readers that the presence of such tools is a red flag for an ongoing or imminent attack. Unexpected or unusual network activity, such as a machine scanning the network is another such indicator. Repeated RDP login failures on a machine only accessible inside the network is a sign someone could be using a brute-force tool to try to move laterally. Similarly, active connections from commercial remote access tools that the IT team did not install or use recently are an indicator of attack.
“A robust, proactive, 24/7 defense-in-depth approach will help to prevent such an attack from taking hold and unfolding. The most important first step is to try to prevent attackers from gaining access to a network in the first place, for example by implementing multi-factor authentication and setting firewall rules to block remote access to RDP ports in the absence of a VPN connection,” Brandt added.