US Regional Government Agency Affected by LockBit Ransomware

The attackers compromised the network of a regional US government agency, where they hid for at least five months before the LockBit ransomware was finally deployed.

After further investigation of behavioral log data, Sophos researchers observed that two or more threat groups may have been active on the unnamed agency’s compromised network before a final group deployed the payload. While at first the attack appeared to be carried out by seemingly novice attackers who “then seemed unsure of what to do next”, a likely different set of attackers later deployed the ransomware, stealing data and encrypting files, according to Andrew Brandt, senior security researcher at Sophos.

“It was a very messy attack,” Brandt said. “About four months after the initial breach, the nature of attacking activity changed, in some cases so drastically as to suggest that attackers of very different skill sets had joined the fray.”

The initial access point of the attack, which happened in September, appeared to be an open Remote Desktop Protocol (RDP) port on a firewall, configured to provide public access to a server, said Sophos researchers in Tuesday’s analysis.

After gaining initial access, the attackers installed the Chrome browser to search for and download hacking tools onto the compromised server. In some cases, while looking for tools, the attackers visited sketchy download sites that served adware rather than the tools they wanted, an unintended noisy move that could have exposed the attack to detection, the researchers said. The attackers installed various commercial remote access tools on accessible servers and workstations, as well as RDP scanning, exploitation, and brute-force password tools.

“In addition to various custom scripts and configuration files used by the hacking tools installed by the attackers, we found a wide variety of other malware, from password crackers to cryptominers, to hacked versions of commercial VPN client software,” the researchers said.

“There was also evidence that the attackers were using free tools like PsExec, FileZilla, Process Explorer or GMER to run commands, move data from one machine to another, and kill or subvert processes that hindered their efforts,” they said.

Despite downloading these tools, the researchers noted that the attackers did not appear to be “aiming at any particular objective or operating with great urgency.” Then, in mid-January, the attackers’ tactics changed dramatically: they attempted to uninstall security software, collected and exfiltrated data, and deployed LockBit ransomware, which the researchers say had “limited success”.

“Fortunately for the target, on at least a few machines, the attackers did not complete their mission, as we found files that had been renamed with a ransomware-related file suffix but had not been encrypted,” the researchers said. “In these cases, cleanup simply involved renaming the files to restore their previous file suffixes.”

Local governments and government agencies continue to be the target of cyberattacks, with the FBI recently warning that in 2021, local governments were the second highest group to fall victim to ransomware actors. In March, researchers revealed a campaign by the APT41 group that compromised at least six US government networks between May and February.

Sophos researchers said organizations can prevent this kind of initial access by implementing security measures such as multi-factor authentication or firewall rules that block remote access to RDP ports. Another way to catch an attack like this early is to watch for the kinds of tools that may have been installed for malicious purposes.

“If an IT team member didn’t download them for a specific purpose, the presence of such tools on machines on your network is a red flag for an attack in progress or imminent,” Brandt said. “An unexpected or unusual network activity, such as a machine scanning the network, is another such indicator.”
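The two indicators Brandt describes, dual-use tools nobody in IT asked for and a single machine reaching many hosts on the RDP port, can be checked mechanically. The script below is an added example, not code from Sophos or the article; the record format, the executable names for the named tools, the approval list and the scan threshold are all my assumptions, and the telemetry lines are constructed.

```python
from collections import defaultdict

# Dual-use tools named in the Sophos write-up (executable names are an assumption)
DUAL_USE_TOOLS = {"psexec.exe", "filezilla.exe", "procexp.exe", "gmer.exe"}
RDP_PORT = 3389
SCAN_THRESHOLD = 5  # distinct RDP targets from one host before we call it scanning

# Constructed sample telemetry, not from the report: one record per line,
# "proc" = process start, "conn" = outbound connection attempt
SAMPLE_EVENTS = r"""
proc host=ws-12 user=jsmith image=C:\Users\jsmith\Downloads\psexec.exe
proc host=ws-12 user=jsmith image=C:\Users\jsmith\Downloads\filezilla.exe
proc host=srv-01 user=ithelpdesk image=C:\admin\procexp.exe
proc host=ws-07 user=alee image=C:\Windows\notepad.exe
conn host=ws-12 dst=10.0.0.11 dport=3389
conn host=ws-12 dst=10.0.0.12 dport=3389
conn host=ws-12 dst=10.0.0.13 dport=3389
conn host=ws-12 dst=10.0.0.14 dport=3389
conn host=ws-12 dst=10.0.0.15 dport=3389
conn host=ws-12 dst=10.0.0.15 dport=3389
conn host=ws-07 dst=10.0.0.20 dport=3389
conn host=ws-07 dst=10.0.0.21 dport=443
"""

# (host, tool) pairs an IT ticket accounts for; anything else is unexpected
APPROVED = {("srv-01", "procexp.exe")}

def parse_events(text):
    """Turn key=value records into dicts; the first token is the record kind."""
    events = []
    for line in text.strip().splitlines():
        kind, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["kind"] = kind
        events.append(rec)
    return events

def find_unexpected_tools(events, approved=APPROVED):
    """Return (host, user, tool) for dual-use tools not covered by an approval."""
    hits = []
    for e in events:
        if e["kind"] != "proc":
            continue
        tool = e["image"].rsplit("\\", 1)[-1].lower()  # basename of the image path
        if tool in DUAL_USE_TOOLS and (e["host"], tool) not in approved:
            hits.append((e["host"], e["user"], tool))
    return hits

def find_rdp_scanners(events, threshold=SCAN_THRESHOLD):
    """Map each host that reached >= threshold distinct RDP targets to that count."""
    targets = defaultdict(set)
    for e in events:
        if e["kind"] == "conn" and int(e["dport"]) == RDP_PORT:
            targets[e["host"]].add(e["dst"])  # a set, so repeat attempts count once
    return {h: len(t) for h, t in targets.items() if len(t) >= threshold}
```

On the constructed input, `find_unexpected_tools` flags PsExec and FileZilla on ws-12 but not the approved Process Explorer on srv-01, and `find_rdp_scanners` flags ws-12 (five distinct RDP targets) while ignoring ws-07.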