Attackers broke into the network of a US regional government agency and lurked there for six months before deploying LockBit ransomware, Sophos researchers have found.
The intrusion involved a seemingly novice attacker who gained initial entry before handing over control to a more sophisticated threat actor who deployed ransomware.
The attacker searched for free hacking tools using the compromised server, sometimes self-infecting themselves with adware from dubious download sites.
Additionally, they tried to maintain persistence by creating user accounts and installing free and commercial remote access tools.
Government agency compromised through open Remote Desktop Protocol ports
The SophosLabs researchers said there was nothing spectacular about the compromise method. The attackers gained their first foothold in the government agency's network in September 2021 through open RDP ports, on a network whose firewall was configured to expose the server to the public internet.
Sophos says the government agency’s security team made strategic mistakes that allowed attackers to spread laterally and gain access to internal resources. This happened after a technician disabled Sophos’s tamper protection during a maintenance procedure.
“With no protection in place, the attackers installed ScreenConnect to give themselves a remote access backup method, then moved quickly to exfiltrate files from file servers on the network to the storage provider in Mega cloud.”
The Sophos research team said that deploying MFA and creating firewall rules blocking remote access to RDP ports would have stopped the threat actor.
The hacker uploaded various tools for scanning, password brute-forcing, file management and command execution, as well as a cryptominer. The use of freeware such as PsExec, FileZilla, Process Explorer, and GMER was also evident in the compromised government agency network.
Additionally, the attackers installed free and pirated versions of commercial remote access tools such as ScreenConnect in the first stage and AnyDesk in the later stages of the attack.
SophosLabs senior security researcher Andrew Brandt painted a picture of a confused newbie hacker with no urgency and no plan for how to proceed.
They would leave the system idle for days at a time, including holidays. For the most part, the attacker was just snooping around and creating a few accounts on the initial entry machine or others.
“The hacker’s goal is to remain persistent in the victim’s business,” said Garret Grajek, CEO of YouAttest. “That way they can move laterally across the network and discover resources worth exfiltrating and/or ransoming. Since hackers are playing the ‘long game’, hackers are willing to ‘go slow’ when exploring the company.”
The attacker relied on Google search and shady download sites infested with adware and unwanted programs. Sophos said unintentional self-infections add noise to the logs. Other activities included opening random files and performing speed tests on the compromised system.
Chris Clements, Vice President of Solutions Architecture at Cerberus Sentinel, said the government agency’s effortless compromise was a reminder that attackers were exploiting simple, preventable mistakes.
“In this case, there were many failures on the part of the organization that amounted to rolling out the red carpet for the attackers,” Clements said. “Leaving open RDP access to the Internet is extremely risky. Automated bots routinely scan the entire Internet for open RDP servers to brute force with common accounts and passwords.”
Clements said that in the hands of a sophisticated attacker the situation would have been “game over”, given that an administrative account with network privileges was compromised.
“The fact that the attacker was able to compromise an administrative system account probably means that a relatively simple password was used,” he added. “Modern wordlists that attackers use to attack passwords, many of which are publicly available, can be surprisingly good. They no longer just guess ‘password’, but also commonly used substitutions like ‘pa55w0rd’ and permutations like ‘pa55w0rd2022’.”
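The substitution and suffix patterns Clements describes are exactly what a password-policy check should normalise away before comparing a proposed password against a denylist. The following is an added example, not code from Sophos, Cerberus Sentinel or the article; the denylist is a constructed placeholder for a real breached-password list, and the substitution map and minimum length are assumptions chosen for illustration.

```python
import re

# Constructed placeholder denylist; a real deployment would load a large
# breached-password corpus here instead of a handful of words.
DENYLIST = {"password", "welcome", "admin", "letmein"}

# Single-character substitutions that attacker wordlists already enumerate,
# so they add no strength. Assumed set for illustration; extend as needed.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Trailing digits, years and punctuation ("2022", "!", "#1") are stripped
# before comparison, since they are the most common permutation.
TRAILING_NOISE = re.compile(r"[\d!@#$%^&*._-]+$")


def normalize(candidate: str) -> str:
    """Reduce a password to the base word an attacker's wordlist would start from."""
    stripped = TRAILING_NOISE.sub("", candidate)          # drop "2022", "!" suffixes
    folded = stripped.lower().translate(LEET_MAP)         # undo pa55w0rd -> password
    return TRAILING_NOISE.sub("", folded)                 # drop anything the fold exposed


def is_weak(candidate: str, denylist=DENYLIST, min_length: int = 14):
    """Return (weak?, reason). Denylist variants are reported before length so the
    reason is informative even for short trivial variants."""
    base = normalize(candidate)
    if base in denylist:
        return True, f"trivial variant of denied word '{base}'"
    if len(candidate) < min_length:
        return True, "too short"
    return False, "ok"


if __name__ == "__main__":
    for pw in ("pa55w0rd2022", "P@ssw0rd!", "Welcome2024", "correct horse battery staple"):
        print(pw, "->", is_weak(pw))
```

The check is run at password-set time (for example from a domain password filter or an identity provider's policy hook); because it normalises before matching, a single denylist entry for "password" also rejects "pa55w0rd", "P@ssw0rd!" and "pa55w0rd2022".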
Second stage attacker deployed LockBit ransomware but failed to encrypt all files
The pattern of the attack changed after the fourth month, in mid-January, when a more experienced attacker joined in. The sophisticated attacker started by installing the Mimikatz and LaZagne post-exploitation tools.
However, the attacker caught the attention of the security team by deleting the logs, rebooting the servers remotely, and disabling the security software.
“Disabling features such as tamper protection on endpoint security software seemed like the critical lever attackers needed to completely remove protection and complete their jobs unhindered,” Sophos said.
Sophos blamed network defenders for ignoring the warning and allowing the attacker to successfully execute Mimikatz.
Subsequently, the attackers dumped network account credentials and ran network scanning tools in preparation for lateral movement. The attackers also verified their RDP capabilities and created new user accounts to maintain persistence and avoid being dislodged.
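The sequence described here, audit logs cleared, new accounts created on the same host shortly afterwards, and a credential-dumping tool launched, is the kind of pattern a detection rule can correlate from Windows Security events. The following is an added example, not code from Sophos or the article: the sample records are constructed (hosts, users and timestamps are made up; the event IDs 1102, 4720 and 4688 are the real Windows Security IDs for log clearing, account creation and process creation), and the one-hour correlation window and severity labels are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Security log events.
SAMPLE_EVENTS = [
    {"ts": "2022-01-14T02:10:00", "host": "FS01", "event_id": 1102, "user": "svc_backup",
     "detail": "The audit log was cleared"},
    {"ts": "2022-01-14T02:12:30", "host": "FS01", "event_id": 4720, "user": "svc_backup",
     "detail": "New account: helpdesk2"},
    {"ts": "2022-01-14T02:15:00", "host": "FS01", "event_id": 4688, "user": "svc_backup",
     "detail": "New process: C:\\Temp\\mimikatz.exe"},
    {"ts": "2022-01-14T09:00:00", "host": "WS22", "event_id": 4688, "user": "jdoe",
     "detail": "New process: C:\\Windows\\explorer.exe"},
    {"ts": "2022-01-15T11:00:00", "host": "DC01", "event_id": 4720, "user": "it_admin",
     "detail": "New account: newhire_smith"},
]

# Tool names taken from the article; a production rule would also match on hashes
# and command-line patterns, since renaming the binary defeats a name check.
CRED_TOOL_NAMES = {"mimikatz.exe", "lazagne.exe"}


def tag_event(ev):
    """Return a single-event tag, or None if the record is not interesting on its own."""
    eid = ev["event_id"]
    if eid == 1102:
        return "log_cleared"
    if eid == 4720:
        return "account_created"
    if eid == 4688:
        # "New process: C:\Temp\mimikatz.exe" -> "mimikatz.exe"
        path = ev["detail"].split(": ", 1)[-1]
        exe = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe in CRED_TOOL_NAMES:
            return "credential_tool_launched"
    return None


def detect(events, window=timedelta(hours=1)):
    """Tag events, then correlate per host: an account created within `window`
    of an audit-log clear on the same host is escalated, because that pairing is
    persistence set up right after the attacker covered their tracks."""
    alerts = []
    last_clear = {}  # host -> timestamp of the most recent 1102 event
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = tag_event(ev)
        if tag is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        severity = "medium"
        if tag == "log_cleared":
            last_clear[ev["host"]] = ts
            severity = "high"
        elif tag == "credential_tool_launched":
            severity = "critical"
        elif tag == "account_created":
            cleared = last_clear.get(ev["host"])
            if cleared is not None and ts - cleared <= window:
                tag = "account_created_after_log_clear"
                severity = "critical"
        alerts.append({"host": ev["host"], "ts": ev["ts"], "user": ev["user"],
                       "tag": tag, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["ts"]} {alert["host"]:5} {alert["severity"]:8} {alert["tag"]} ({alert["user"]})')
```

On the constructed input the FS01 sequence yields three alerts (the log clear, the escalated account creation, and the tool launch), while the lone account creation on DC01 is reported at medium severity for review rather than being suppressed; the benign explorer.exe launch produces nothing.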
Sophos claims the threat actor managed to access sensitive personnel and purchase files within minutes on the first day of the sixth month.
The cybersecurity firm joined the government agency’s network response team and helped shut down at least 60 servers and perform network segmentation.
However, the threat actor had already started encrypting the network with LockBit ransomware. Fortunately, the team recovered files from some computers, because on those machines the ransomware had only renamed files without encrypting them.
“The attackers then collected and exfiltrated data and deployed LockBit ransomware. The ransomware attack had limited success and attackers failed to encrypt data on some machines,” Sophos said.
According to CISA, LockBit ransomware compromises organizations through purchased access, insider threats, unpatched vulnerabilities, and zero-day exploits.
Sophos did not disclose the identity of the group that compromised the undisclosed government agency. Being ransomware-as-a-service, LockBit ransomware appears in numerous ransomware attacks by various affiliates. LockBit’s affiliate program is one of the most successful and its encryption technology is among the best.