In November alone, 6 companies contacted us to resolve ransomware problems in their corporate networks. In all of these cases the ransomware was launched manually. Instead of the usual ransomware that arrives by email and runs when someone clicks on it, the attackers broke into the company network and then distributed the malware by hand.
The number of attacks is about 3 times higher than usual. I would even dare to say that hackers need to “earn extra” for Christmas, so they work overtime. 😊
Companies that contact us are often in a very difficult situation because they:
- have no data (sometimes not even backups),
- have no idea where the attack came from (i.e. the whole thing can happen again),
- do not know whether the hacker is still active on the network (so there is a risk that the situation gets worse),
- cannot determine what has been compromised,
- do not know whether backdoors were left on the network (the attacker can come back).
Even so, only rarely would an IT specialist admit that his network is poorly secured. They usually think that everything is fine (probably because they haven’t had an incident in the last 10 years). 😊 They are all the more puzzled once their network is hit by ransomware. Based on these interviews, I think the primary problem is not knowing what such a hacker is capable of and how he works (leaving aside the occasional professional inflexibility or lack of interest in the field).
Therefore, I would like to share my experience of dealing with these hacking attacks with you. To be clear, I am writing about common criminal hacking groups that make money through ransomware, not about APT groups (their interests and modus operandi are different). 😊
What hackers can do
Hackers think, unlike spam ransomware (ransomware that spreads by mail and whose “only” job after launch is to encrypt all the data it can reach). They are able to act on the information they find, combine it in various ways, improvise and operate applications they have never seen before. For this reason, their attacks are much more devastating. While spam ransomware does not recognize your backup system, a hacker has no problem doing so, no matter what software you use (backup systems are all operated in a similar way and tend to be called “backup XYZ”).
Hackers know that if a company is to pay the ransom, they must encrypt both its data and its backups. Therefore, they deliberately search for the backups and delete/encrypt them too. Many administrators do not expect this, so they have no scenario prepared for this situation (which is why I write about it). 😊
They attack at night and on weekends
The hackers I meet are most often from the East – Russia, Asia (judging by the artifacts found and the IP addresses revealed). Most likely because there is little chance that anyone will ever be brought to justice (they deliberately do not attack within their own country or friendly countries).
They attack most often at night (helped by the time-zone difference) and at weekends. In my opinion this is because most companies are closed or have limited staff, so there is little chance that they will be spotted on the network (either their presence or the gradual encryption of data). They are usually finished within a few hours.
How do they infiltrate the network
I would still say it is true that hackers do not choose their victims based on who you are, but on whether you have a currently “trendy” vulnerability (something they are exploiting right now). Therefore, the qualifying criterion for “getting hacked” is most often:
- a known bug in a publicly exposed service,
- leaked credentials (from some hacked third-party service),
- spear phishing,
- a backdoor delivered by email,
- or my favorite – an attack through a partner organization (hackers have learned to attack IT outsourcing companies – I may write the next article about that).
VPN is not an obstacle
Many companies constantly try to protect their perimeter – the boundary between the internal network and the Internet. That is needed, but it does not tick all of the security boxes. Hackers can operate VPN clients too. 😊 It is common for a hacker to connect through the VPN with stolen credentials and attack from there.
Alternatively, if they manage to smuggle backdoors into the network, these most often communicate over HTTPS. That protocol is usually allowed, and since the connection is encrypted, the router cannot see its contents (unless you have some form of SSL inspection).
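The HTTPS backdoor traffic described above is invisible to content inspection, but its timing is not: a backdoor that checks in on a schedule produces connections at far more regular intervals than a person browsing. Here is an added example (my own, not code from the original post) that scores outbound connection records per source/destination pair by the regularity of their spacing; the flow records, addresses and thresholds are constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2019, 11, 23, 1, 0, 0)  # constructed start time of the sample window

def flow(src, dst, offsets):
    # Build constructed "<iso-time> <src> <dst>" outbound-443 records from second offsets.
    return [f"{(BASE + timedelta(seconds=o)).isoformat()} {src} {dst}" for o in offsets]

# Constructed sample: 10.1.0.42 contacts one external host every ~60 s with little
# jitter (a backdoor checking in); 10.1.0.50 is a user browsing, bursty and irregular.
SAMPLE_FLOWS = (
    flow("10.1.0.42", "203.0.113.7", [0, 61, 119, 181, 240, 302, 359, 420, 481, 540])
    + flow("10.1.0.50", "198.51.100.20", [5, 9, 140, 141, 143, 400, 900, 901, 902, 950])
)

def detect_beacons(lines, min_connections=8, max_cv=0.2):
    """Return {(src, dst): (mean_gap_seconds, cv)} for every pair whose connection
    spacing is regular enough (low coefficient of variation) to look like a
    scheduled check-in rather than human-driven traffic."""
    stamps = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        stamps[(src, dst)].append(datetime.fromisoformat(ts))
    beacons = {}
    for pair, times in stamps.items():
        if len(times) < min_connections:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons[pair] = (round(mean, 1), round(cv, 3))
    return beacons

if __name__ == "__main__":
    for (src, dst), (mean, cv) in detect_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: every {mean}s, cv={cv}")
```

A real backdoor can add jitter to its check-in interval, so treat a low cv as one indicator to combine with destination reputation and volume, not as a verdict.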
They can find their way around a foreign network in a few tens of minutes
You may think that your network is so complicated that it would take hours to find one’s way around it. But the hacker’s goal is not to “document your rack”, but to quickly identify the important servers/devices. Since this is their daily work, they can do it in a few tens of minutes.
With split-tunneling VPNs, they obtain the internal IP ranges directly from the VPN server. Even without that, they can always contact the assigned DNS servers, find out the domain name via LDAP and then ask for the addresses of all the DC servers. This gives them the few subnets that are used in the network.
This is followed by a quick network scan – ping plus selected ports (telnet, SSH, HTTP, HTTPS, SMB, LDAP, MSSQL, RDP) – which gives them a quick overview of what is running where, including device names (from SMB, another protocol’s banner, or reverse DNS). The naming convention then tells them what each device is and how important it is.
How to hack the first PC
They most often get onto the first computer with the credentials they have already used for the VPN. Which devices those credentials work on is verified by software in a matter of minutes (e.g. CrackMapExec). Another simple and fast option is to aim for unpatched devices that are exploitable via EternalBlue or BlueKeep.
It is also possible to download the list of users from AD (an ordinary domain user account is enough for that) and try password spraying or wordlist password guessing. Administrators also write an account’s password into its “description” field from time to time, which is readable by everyone. But these are more or less theoretical options. Not because they are complicated or do not work; it is just that in the vast majority of cases I have seen, hackers acquired the first computer/server with the procedures above.
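Both the quick port sweep of the previous section and the password spraying described here have the same shape in the logs: one source touching many distinct things in a short time. The following added example (mine, not the author’s code) applies one fan-out check to constructed flow records and to constructed, flattened Windows 4625 failed-logon events; the port numbers are the standard ones for the services the article lists, and the window sizes and thresholds are assumptions to tune per network.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Standard ports of the article's quick-scan list: telnet, SSH, HTTP, HTTPS, SMB, LDAP, MSSQL, RDP.
RECON_PORTS = {23, 22, 80, 443, 445, 389, 1433, 3389}

def fanout(events, window, min_distinct):
    """events: (timestamp, source, value). Return {source: (first_ts, n)} for
    every source that touches at least min_distinct distinct values within window."""
    by_src = defaultdict(list)
    for ts, src, value in events:
        by_src[src].append((ts, value))
    alerts = {}
    for src, ev in by_src.items():
        ev.sort()
        for i, (start, _) in enumerate(ev):  # slide a window over the sorted events
            seen = {v for ts, v in ev[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                alerts[src] = (start, len(seen))
                break
    return alerts

def flow_events(lines):
    # Flow records "<iso-time> <src> <dst> <dport>"; keep only the quick-scan ports.
    for line in lines:
        ts, src, dst, port = line.split()
        if int(port) in RECON_PORTS:
            yield datetime.fromisoformat(ts), src, dst

def failed_logon_events(lines):
    # Security events flattened to "<iso-time> <EventID> <TargetUserName> <IpAddress>".
    for line in lines:
        ts, event_id, user, ip = line.split()
        if event_id == "4625":  # failed logon
            yield datetime.fromisoformat(ts), ip, user

# Constructed samples: 10.8.0.15 (a VPN-pool address) sweeps 12 servers on SMB, RDP and
# MSSQL, then fails logons against 40 accounts; 10.1.0.50 is an ordinary workstation.
FLOWS = [f"2019-11-23T02:14:{i:02d} 10.8.0.15 10.1.0.{i} {p}"
         for i in range(1, 13) for p in (445, 3389, 1433)]
FLOWS += ["2019-11-23T02:14:05 10.1.0.50 10.1.0.5 445",
          "2019-11-23T02:14:09 10.1.0.50 10.1.0.1 389"]
LOGONS = [f"2019-11-23T03:{i // 6:02d}:{i % 6 * 10:02d} 4625 user{i:02d} 10.8.0.15"
          for i in range(40)]
LOGONS += ["2019-11-23T03:02:00 4625 jnovak 10.1.0.50"] * 3

def recon_alerts(lines=FLOWS):
    return fanout(flow_events(lines), timedelta(minutes=5), min_distinct=10)

def spray_alerts(lines=LOGONS):
    return fanout(failed_logon_events(lines), timedelta(minutes=10), min_distinct=20)
```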
Gradual network control
On each device the hackers penetrate, they try to find additional credentials that will help them control other parts of the network. By default they use Mimikatz (it retrieves the passwords of currently logged-in users from memory, passwords stored in the Credential Manager, and the hashes of local user accounts) or WebBrowserPassView (to read passwords stored in the browser).
Likewise, they go through the files that users keep on their desktop/in their documents, the installed programs, … and if they find something interesting, such as VNC, a logged-in TeamViewer or an open password manager, they use it. That is enough for them to take over the entire Active Directory.
Ransomware is coming and aiming for data
Once they have sufficient control over the entire network, they begin preparing the ransomware deployment. They select the devices/servers from which the ransomware will be launched. It encrypts the data on the device and then on every network drive the ransomware finds and has write access to (including administrative shares, i.e. C$ and the others). However, there are still 2 problems to solve – antivirus and running systems.
As the ransomware is often well known, antivirus tends to detect it. That, of course, does not suit the hackers, so they try to uninstall or break the antivirus, or add exceptions to it, on the servers/workstations they run the ransomware on. If they come across a central antivirus console, they use it to uninstall the antivirus in bulk across the whole network.
That leaves the running systems (SQL databases, mail servers, virtual servers, backup systems) to deal with, as they often have their data files open and locked, so the ransomware would not be able to encrypt them. Hackers therefore stop these services and disable their automatic start.
Stopping services halts many processes, and the hackers risk being noticed and their attack stopped. It is therefore a very time-sensitive job. Hackers mostly run the ransomware from multiple locations so that they encrypt as much data as possible and the encryption continues even when one of the infected servers is taken down.
REAL-LIFE TIP: As a side effect of the procedure described above, some data may be encrypted multiple times. In that case it is necessary to negotiate the terms with the attacker right at the beginning, otherwise you will end up paying the ransom several times. 😉
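The service stops and antivirus removal described above leave a trail in the Windows System log before any file is encrypted. This added example (mine, not from the original article) flags hosts where watchlisted database, mail, virtualization, backup or antivirus services are stopped without being restarted, or are set to disabled; the service names, the flattened event format and the 15-minute grace period are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Service-name patterns for the systems the article says get stopped before release, plus antivirus (constructed).
WATCHLIST = {
    "database": re.compile(r"sql", re.I),
    "mail": re.compile(r"exchange|smtp|imap", re.I),
    "virtualization": re.compile(r"vmms|vmware|vmcompute", re.I),
    "backup": re.compile(r"veeam|backup", re.I),
    "antivirus": re.compile(r"windefend|antivirus|endpoint", re.I),
}

# Constructed System-log events flattened to "<iso-time> <host> <EventID> <service> <state>":
# 7036 = service entered the running/stopped state, 7040 = start type changed to disabled.
SAMPLE_EVENTS = [
    "2019-11-23T02:31:02 SRV-SQL01 7036 MSSQLSERVER stopped",
    "2019-11-23T02:31:03 SRV-SQL01 7040 MSSQLSERVER disabled",
    "2019-11-23T02:31:40 SRV-SQL01 7036 WinDefend stopped",
    "2019-11-23T02:31:41 SRV-SQL01 7040 WinDefend disabled",
    "2019-11-23T02:32:10 SRV-BKP01 7036 VeeamBackupSvc stopped",
    "2019-11-23T02:32:11 SRV-BKP01 7040 VeeamBackupSvc disabled",
    "2019-11-23T03:00:00 SRV-FILE01 7036 Spooler stopped",     # unrelated service
    "2019-11-23T08:05:00 SRV-SQL02 7036 MSSQLSERVER stopped",  # planned restart
    "2019-11-23T08:07:00 SRV-SQL02 7036 MSSQLSERVER running",
]

def detect_service_tampering(lines, restart_grace=timedelta(minutes=15)):
    """Per host, collect watchlisted services stopped and not restarted within restart_grace,
    or set to disabled. Alert when backup or antivirus is touched, or two categories are hit."""
    state = defaultdict(dict)  # host -> service -> {"stopped": ts|None, "disabled": bool}
    for line in lines:
        ts, host, event_id, service, status = line.split()
        ts = datetime.fromisoformat(ts)
        rec = state[host].setdefault(service, {"stopped": None, "disabled": False})
        if event_id == "7036" and status == "stopped":
            rec["stopped"] = ts
        elif event_id == "7036" and status == "running" and rec["stopped"] and ts - rec["stopped"] <= restart_grace:
            rec["stopped"] = None  # restarted quickly: looks like maintenance, not tampering
        elif event_id == "7040" and status == "disabled":
            rec["disabled"] = True
    alerts = {}
    for host, services in state.items():
        tampered = [n for n, r in services.items() if r["stopped"] or r["disabled"]]
        hits = {c: [n for n in tampered if p.search(n)] for c, p in WATCHLIST.items()}
        hits = {c: names for c, names in hits.items() if names}
        if hits.keys() & {"antivirus", "backup"} or len(hits) >= 2:
            alerts[host] = hits
    return alerts
```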
What else can they do
If you are a network administrator, you may already have shivers running down your back. However, the attackers still have a few more tricks up their sleeves.
They often leave a backdoor on a few devices during the attack and watch what your network is doing. The problem comes when you start restoring. Either they begin encrypting the recovered data again, or, if they have not yet got across the whole network, they take advantage of your carelessness: once you start connecting to various systems (such as backups) to begin the recovery, they steal your login credentials and finish their work.
Similarly, if while moving across your network they find that you use a monitoring system, some form of remote management, or have credentials to other networks, they will probably abuse it. According to current trends, hackers are attacking SMEs (IT outsourcing companies), because one hacked company leads to tens or even hundreds of customers. This tactic can be observed more and more often around the world and I would like to devote the next article to exactly this topic.
Hackers often get paid in the form of ransom, and as a result they are becoming more professional and constantly improving. That is why we, the defenders, must not fall asleep and must strive to stay ahead.
If you are thinking about defense, have a look at the technologies and procedures we use ourselves and with our customers (I have already written an article about most of them). I will be glad if they help you:
- Thanks to standardization and our monitoring system we use fewer technologies, which is easier to monitor, can be set up more securely, and greatly reduces the likelihood of a forgotten, unsecured/outdated device turning up.
- Thanks to tiering, both our own environment and our customers’ environments are segmented, so we make it harder for a hacker to move across the network, and we know which systems need a higher level of security.
- We do not only restrict networks, we also try to have monitoring/detection mechanisms (see security life cycle) that notify us in time and help track down the intrusion and every affected device.
- Backups are made with several technologies and we try to make them in such a way that they cannot be deleted/modified from the customer’s network.
- We try to have a unique and sufficiently long password for each device. Our passwords are kept in a password management system.
- And most importantly, as we enjoy the work we do, we try to do things properly and to keep educating ourselves. 😊
Do you agree with the article? Do you have a similar experience, or have you encountered different hacker behavior than what I have described? Do you have any other ideas for defense? I look forward to reading your comments. 👇