
IT Security Teams Face Challenges in Identifying Threats

IT security teams are bombarded daily with a multitude of security alerts and events. They must sift through the noise to piece together the puzzle of potential threats and anomalous or suspicious activity, determining whether they are dealing with legitimate actions or intruders with malicious intent. However, what happens when one or more of the puzzle pieces are missing?

Real-Life Ransomware Incidents Highlight Security Gaps

Two different, real-life ransomware incidents targeting manufacturing companies highlight what can occur when a company’s security cover is incomplete.

Incident #1: Play Ransomware Attack

The security blind spots in this incident included compromised domain admin credentials, an unprotected server not visible to security cover, and the misuse of legitimate, commercially available IT tools.

At approximately 1:00 a.m. on a Tuesday night, attackers exploited the credentials for a domain admin account to breach an unprotected remote desktop server belonging to their target. The lack of security cover meant that the anomalous activity on the domain controller went unnoticed.

The attackers then attempted to establish persistence by installing a remote monitoring and management application on the unprotected server, allowing them to control their target from a distance. They used commercially available tools to try to obtain a list of credentials and move laterally through the network. This activity brought them to the attention of security tools, which promptly killed the malicious activity.

The attackers then tried to disable and manipulate security measures and delete copies of files – a common precursor to the release of ransomware. This activity was also detected and blocked.

At 3:20 a.m., the attackers tried to execute Play ransomware and encrypt several devices. By 3:23 a.m., this attempt was shut down when the targeted endpoints were isolated from the network.

With full security cover, the attack could have been neutralized hours earlier.

Incident #2: Akira Ransomware Attack

The security blind spots in this incident included unprotected devices on the network, a VPN without multifactor authentication (MFA), and a ‘ghost’ account created for a third-party vendor that was not deactivated when the vendor left.

At some point before the main attack – another middle of the night incident – the attackers obtained the credentials to a ‘ghost’ account that had been set up by the target for a vendor and not deactivated when the vendor left. The attackers used this to connect to the target’s network via an open VPN channel that didn’t have MFA in place.

The attackers were spotted as they tried to move laterally across the network using information stealer malware and a hacking method that can circumvent passwords to gain access to a computer system. The malicious activity was blocked, but the attackers carried on. When they realized that endpoint protection was deployed on devices throughout the network, they tried to disable the endpoint security.

After this failed, they shifted the focus of their attack to an unprotected server from where they planned to launch the rest of the attack, well away from the visibility and restrictions of the installed endpoint security. The attackers were able to elevate their privileges to administrator-level and leverage that to execute the ransomware stage of the attack an hour later.

The attackers first executed the ransomware on the unprotected server and then tried to remotely encrypt devices they could reach through the network. Security tools quickly spotted the attack and isolated the targeted devices. Within four minutes, it was all over for the ransomware.

Conclusion: The Critical Need for Full Spectrum Security

These incidents illustrate how cyberattacks have become increasingly multi-stage and multi-level, with attackers ready to pivot and adapt to changing or unexpected circumstances, hunting down and exploiting any areas that are left unprotected and exposed.

Incomplete security cover can help attackers gain access to networks and remain under the radar until they decide to move laterally. It can enable them to prepare and launch different phases of the attack from devices that can’t be scanned and monitored by security tools.

The best protection against such attacks is comprehensive, layered defenses with integrated and extended visibility. This should be accompanied by a robust focus on cybersecurity basics. For example:

  • Always enforce MFA, especially on VPN accounts that are accessible externally.
  • Implement a password policy to rotate credentials regularly to avoid stale passwords.
  • Regularly audit active user accounts and disable any that are no longer in use.
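As an added example (not code from the original article), the following audit walks a constructed directory export and flags the three basics above plus the 'ghost' vendor account pattern from Incident #2; the Account fields, thresholds and sample records are assumptions, not a real directory schema.

```python
# Added example: audit an export of directory accounts for the gaps the two
# incidents exploited. Account fields and sample records are constructed
# assumptions, not a real directory schema or a Barracuda tool.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Account:
    name: str
    enabled: bool
    last_logon: Optional[datetime]             # None = never logged on
    pwd_last_set: datetime
    vpn_enabled: bool                          # account may authenticate to the VPN
    mfa_enrolled: bool
    vendor_contract_end: Optional[datetime]    # None = internal staff account

def audit_accounts(accounts, now, dormant_days=90, max_pwd_age_days=90):
    """Return (account, finding) pairs for enabled accounts that violate the basics."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                           # already disabled: nothing to flag
        if a.vpn_enabled and not a.mfa_enrolled:
            findings.append((a.name, "vpn-without-mfa"))
        if a.vendor_contract_end is not None and a.vendor_contract_end < now:
            findings.append((a.name, "ghost-vendor-account"))
        if a.last_logon is None or now - a.last_logon > timedelta(days=dormant_days):
            findings.append((a.name, "dormant"))
        if now - a.pwd_last_set > timedelta(days=max_pwd_age_days):
            findings.append((a.name, "stale-password"))
    return findings

# Constructed sample export (not real accounts)
NOW = datetime(2025, 4, 1)
SAMPLE = [
    Account("alice", True, datetime(2025, 3, 30), datetime(2025, 2, 1), True, True, None),
    Account("vendor-svc", True, datetime(2024, 11, 2), datetime(2024, 6, 1), True, False, datetime(2024, 12, 31)),
    Account("bob", True, None, datetime(2025, 3, 1), False, False, None),
    Account("old-admin", False, datetime(2023, 1, 1), datetime(2023, 1, 1), True, False, None),
]

if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE, NOW):
        print(f"{name}: {finding}")
```

Run against a real export, the same four findings map directly to the bullets above: each "ghost-vendor-account" or "dormant" hit is an account to disable, and each "vpn-without-mfa" hit is a VPN path an attacker could use with stolen credentials alone.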

The integration of network, endpoint, server, cloud, and email security through XDR enables an unprecedented level of threat detection and response capability. With a comprehensive XDR solution, every corner of the IT infrastructure, from email to cloud applications, is monitored and protected with advanced security measures and a full spectrum of defensive tools, combined with proactive threat hunting and response strategies. This allows for swift action and minimizes the window of opportunity for threat actors.

The author is Adam Khan, VP Global Security Operations, Managed XDR, Barracuda.

Disclaimer: The views expressed are solely of the author and ETCISO does not necessarily subscribe to it. ETCISO shall not be responsible for any damage caused to any person/organization directly or indirectly.

Published On Apr 2, 2025 at 09:03 AM IST
