REELING FROM INFECTION BY UNKNOWN THREAT VARIANTS, A MAJOR U.K. ENTERPRISE MISSES WHAT THE ATTACKERS WANT NEXT: CREDENTIALS
Reactive, not predictive – an attacker’s paradise.The Head of IT’s story
Head of IT, Tasneem, was battling a highly visible internal crisis: the appearance on employees’ screens of a ransom note holding the business’s data hostage, with a demand for Bitcoin payment to release it.
Tasneem didn’t yet know it, but as we saw in Episode 1, the ransom note had been activated by the Ryuk ransomware exploit that had infected the company’s networks off the back of a new variant of the Emotet ‘dropper’ software.
Not that Tasneem cared much about those details at the moment. All she and her team were focused on was working out whether they had the data backed up to get the business back on its feet again, and how quickly they could restore it onto the network.
In fact, she and her team were so urgently focused on finding a reactive remedy to the attack that the more effective predictive response – what additional malicious activity could the attack be hiding? Where was it going next? What was it likely to do there, and had it in fact already got there? – never got a look in.
And, of course, the attack had already got there. Because at the same time as ransomware was throwing the enterprise into a flat panic, subsequent investigations revealed all the tooling necessary to steal critical login credentials and other data in the background – noiselessly, and free from any scrutiny whatsoever.
What information did the attackers go after – and how?
As reported in Episode 1, Reliance acsn’s incident response investigation found evidence that the enterprise’s network had been infected by a form of the banking trojan Trickbot.
But this variant was clearly enterprise-focused, having been extended to include several additional modules used to gather and extract passwords and login credentials from enterprise applications and browsers including Microsoft Outlook, Internet Explorer (Edge), Google Chrome, Firefox, FileZilla and others.
The initial behaviour discovered by Reliance acsn saw the loading of task scheduler COM API in addition to the disabling or deletion of Windows Defender, with additional files appearing in the registry to enable privilege escalation.
These included DLLhost.exe and Powershell, the latter of which executed several scripts to create files that eventually migrated (once the permissions were achieved) to a specific single file path (C:\Windows\system32\config\systemprofile\AppData\Roaming\), with the malicious files contained in a folder called NetSf.
What this pointed to was the Trickbot variant’s advanced ability to inveigle its way into the enterprise’s host machines by disabling the machines’ security software defences and then, once there, to operate them as it wished with complete impunity – avoiding detection and suspicion at every stage.
It was the perfect tool to exploit the classic behaviour of an IT team in a security incident – so determined to close the front door on one attack that they didn’t check the back door and the windows for others.
“My mail’s been hacked! Oh God, so has my Salesforce…” – Chris’s story
As if he hadn’t had enough IT mishaps this week, Chris got a call from his wife to tell him she’d been receiving some unpleasant images from his personal Gmail account. That had upset him a bit.
But it was when three of his biggest accounts called him separately one morning and each told him his work email account was pumping out pornography that he thought this ransomware thing might somehow have grown arms and legs.
It was confirmed when he logged into Salesforce and found that much of his customer data had been erased.
What else was this damned thing going to screw up next? Chris was having a terrible week.
Why did Chris get hit this way?
The Reliance acsn team found that the Trickbot variant contained a specific module (importdll65) whose main purpose was to steal browsing history, cookies and browser plugin data.
As Chris was using Salesforce in a plugin, his login details could have been compromised – and the attackers would have had carte blanche to access the application through his account and wreak havoc in it!
“We’re for ****** sale on the ****** Dark Web?” The CEO’s story.
For CEO Doug, bad news just couldn’t come any thicker and faster than it had over the last few days.
First, his internationally renowned logistics enterprise had been infected by a ransomware attack that had cut it off from the data it needed to operate and survive – and it had caught the security software (and his IT team) with its pants down.
Then – pants up and now clutched very tight – the IT guys were making heavy weather of restoring the backup data onto the networks, with Tasneem telling him “file and folder data” (whatever the hell that meant) was coming through OK but “image data” (huh?) – well, not so much.
Bottom line: the ransomware attack was still stopping his people from doing their jobs (not least his senior manager Chris, whose risky email behaviour under pressure had triggered the infection in the first place) and his business from making a profit. In fact, they were now suffering mounting revenue losses daily.
And now he hears from the Reliance acsn guys – who he’d pulled in to try and make sense of what Tasneem and her team couldn’t – that they’ve been robbed, too!
“You didn’t get hit by one attack”, the security analyst told him. “You got hit by two. Whilst the ransomware was keeping your IT team busy, a trojan in the background was accessing your people’s login credentials and other confidential information”.
Doug blinked. “Accessing?” he said. “Is that as far as it goes?”
“Probably not,” the analyst replied, “We believe applications, browsers and their users have been widely compromised across the entire enterprise. We’ve identified some technology that would allow the information to be exfiltrated – stolen – and sent to some very suspect places.”
Doug’s civility had worn thin. “You mean to tell me that in addition to having a gun held to our head, we’re now for ****** sale on the ****** Dark Web?” he blurted. “Logins to our company email? Salesforce? MailChimp? Our social media accounts?
“It’s one possibility amongst many,” the analyst confirmed.
How could the credentials be exfiltrated from the enterprise?
Once the Reliance acsn team had established that login credentials and similar information were the Trickbot variant’s target, they set out to find evidence of suspicious network traffic that would likely signal an exfiltration route – and they quickly found it.
By gathering network packet capture samples on infected machines, the team observed communication to two suspicious IP addresses – 18.104.22.168 and 22.214.171.124 – using port 449. Threat intelligence data indicated that previous Trickbot campaigns had utilised port 449 for data exfiltration.
The destination of the information looked suitably suspect, too. The SSL certificate exchange resolved to a company called Internet Widgets Pty Ltd., and was used for communication with command and control servers.
The team had also previously seen this spoofed certificate being used for the Dyre banking trojan, which is closely related to Trickbot.
In short, Doug’s worst fears had been confirmed: the enterprise’s login credentials – and much other confidential data besides – could now be accessed, stolen, and sent where they should never go.
The irony of the fact that two separate attacks could each take control of his enterprise’s data but his IT team couldn’t was not lost on him.
Episode 3 takes it to the next level.
Miss Episode 1? Read it here