Keeping a watchful eye on your internet-facing devices is crucial, considering their susceptibility to threat actors. These gateways, exposed to the world, become prime targets for adversaries searching for exploitable vulnerabilities. In this blog post, we explore a real-life incident where Cyberseer’s expertise played a crucial role in detecting, responding to and resolving a ransomware attack on a client’s internet-facing infrastructure.
Amid the onboarding of a new customer, Cyberseer identified an intrusion on an internet-facing device. The adversary, displaying lateral movement capabilities and persistence, prompted swift action from Cyberseer analysts. Their timely escalation led to a comprehensive investigation, device containment, and collaboration with the client’s Incident Response (IR) team.
Cyberseer analysts first identified the attack when the Administrator account initiated a remote interactive session to an endpoint, shortly followed by the execution of multiple different suspicious tools and processes such as Process Hacker and a Port scanner.
A Cyberseer analyst detected command line activity for the automim credential dumping suite in the process event tree; something that Cyberseer has seen in past intrusions.
"C:\WINDOWS\System32\cmd.exe" /C "C:\PerfLogs\automimNew\1.Automim.bat"
After running the automim scripts, the intruder then attempted to use Reg.exe to force WDigest to store credential secrets in plaintext, so that the automim credential dumping tools could dump in plaintext.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Security Packages" /t REG_MULTI_SZ /d "kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib" /f
Due to the asset type affected, client approval was essential before isolation, therefore Cyberseer analysts escalated to the customer to get their approval, and then promptly isolated the affected device and any other devices touched by the Administrator account.
Due to the ongoing customer onboarding, Cyberseer faced limitations and were not ingesting all the logs required for post-compromise investigation. The client was advised to investigate signs of post-compromise, such as checking the DC, account management activity, and file activity.
While the client was investigating multiple hosts that did not have the approved corporate EDR (Endpoint Detection & Response) product, they identified “rclone” a common exfiltration tool used in ransomware attacks, as well as the following tools and artifacts that Cyberseer have identified in previous ransomware attacks:
Data exfiltration tools
Ransom files (Figure 1)
Malware droppers
Credential dumping tools/scripts
Trojan scripts (Figure 1)
Defense evasion scripts (Figure 1)
IMAGE
Figure 1 – Cl0p Ransomware artifacts discovered on one of the devices.
After the initial incident was resolved, the adversary returned once again using a different method of intrusion on another internet-facing device.
A week after the initial intrusion, Cyberseer analysts were alerted to suspicious web connections and processes on an SQL server that had an EDR agent installed. This activity was automatically detected and escalated to an analyst by the Cyberseer ASPECT platform.
The intruder leveraged a Remote Code Execution (RCE) exploit in the Backup Exec Agent (BE Agent), which is part of the Veritas cloud backup and recovery solution. The agent used SHA authentication by default, which could be remotely exploited to gain unauthorised access to the BE Agent. This enabled the attacker to execute arbitrary OS commands on the host system, with “NT AUTHORITY/SYSTEM” or “root” privileges, giving the intruder full access to the affected system.
The intruder exploited the vulnerability, executing commands and processes to move laterally, maintain persistence, drop payloads and exfiltrate data.
Focusing on one of the commands run by the remote attacker, we can see them using bitsadmin as a dropper to download further files and execute them. Cyberseer analysts, were quick to capture the suspicious files and identify the Anydesk application, as seen in Figure 2. The actual file download was blocked but an alert was still raised to an analyst for review.
Figure 2 - Screenshot of the malicious file hosted by the adversary.
AnyDesk is a legitimate remote desktop application that is often used as a remote access tool (RAT), providing attackers with remote access to a compromised host.
It is important to understand what tools are deployed and how they are used by clients. Cyberseer analysts work closely with clients to build client-specific knowledge. The use of Anydesk was a red flag for this specific client as the analysts knew it was not used by them; the attempted download from an untrusted source was further cause for concern.
The affected device was a SQL server hosting critical business databases which increased the urgency of the situation. Cyberseer analysts once again required client approval before containment given the potential impact on business operations. The incident was immediately escalated to the client to request this approval.
This incident highlights the effectiveness of Cyberseer’s tailored 24x7 managed threat detection and response service at identifying and containing real threats.
It also emphasises the pivotal role of robust Endpoint Detection and Response and Security Information and Event Management (SIEM) solutions in combating ransomware, enabling on-demand response and containment to prevent data exfiltration and block malicious processes and access before encryption could occur.