Criminals researched hacking TTPs post-breach in ‘messy’ cyber attack

Malicious actors breached the servers of a regional government body in the US and then spent five months using it to search for hacking and IT administration tools that could further their aims, according to the Sophos researchers who investigated and ultimately contained the “messy” attack.

The researchers have today shared details of the long-running cyber attack on the undisclosed client, which ultimately saw the attackers exfiltrate the victim’s data and deploy the Lockbit ransomware. They believe it is possible that multiple different attackers infiltrated the vulnerable server.

“This was a very messy attack. Working together with the target, Sophos researchers were able to build a picture that started with what appears to be novice attackers breaking into the server, poking around the network and using the compromised server to Google a combination of pirated and free versions of hacker and legitimate admin tools to use in their attack. They then seemed unsure of what to do next,” said Andrew Brandt, principal security researcher at Sophos.

The initial access point seems to have been through an open remote desktop protocol (RDP) port on a firewall that had been configured to provide public access to the server. This took place in September 2021.

As already noted, the attackers then used a browser on the breached server to search online for hacking tools, which they then tried to install. In some cases, their searches led them to “shady” downloads that also deployed malicious adware to the compromised server.

Some of the tools they tried to install included Advanced Port Scanner, FileZilla, LaZagne, mimikatz, NLBrute, Process Hacker, PuTTY, Remote Desktop Passview, RDP Brute Forcer, SniffPass, and WinSCP. They also tried to use commercial remote access tools, including ScreenConnect and AnyDesk.

“If a member of the IT team hasn’t downloaded them for a specific purpose, the presence of such tools on machines on your network is a red flag for an ongoing or imminent attack,” said Brandt.

“Unexpected or unusual network activity, such as a machine scanning the network is another such indicator. Repeated RDP login failures on a machine only accessible inside the network is a sign someone might be using a brute-force tool to try to move laterally – as are active connections from commercial remote access tools the IT team has not installed or may have used in the past, but have not used for a while.”

In January 2022, the attackers changed up their tactics and started showing signs of more skilled and focused activity. A previously deployed malicious cryptominer was removed, as was the server’s security software – the target having accidentally left a protective feature disabled after a previous round of maintenance. They were then able to steal data and deploy Lockbit, although the ransomware was only partially successful.

Brandt suggested this change in tactics could be indicative of a separate group getting involved of its own accord, or access having been sold on in some way. “About four months after the initial breach, the nature of the attack activity changed, in some cases so drastically that it suggests attackers with very different skills had joined the fray,” he said.

“A robust, proactive, 24/7 defence-in-depth approach will help to prevent such an attack from taking hold and unfolding. The most important first step is to try to prevent attackers from gaining access to a network in the first place – for example, by implementing multi-factor authentication and setting firewall rules to block remote access to RDP ports in the absence of a VPN [virtual private network] connection.”

Saryu Nayyar, CEO and founder of Gurucul, said that with dwell times topping 250 days in some cases, threat actors were much better able to hide their activity from traditional security information and event management (SIEM) or extended detection and response (XDR) tools that are geared towards identifying patterns over shorter periods of time.

She said that manually being able to piece together seemingly disparate indicators of compromise (IoCs) over weeks or months was virtually impossible for a security team, and something with which most current solutions struggle.

“Organisations must look to add more advanced tools that link disparate events over time using analytics and adaptive and trained machine learning models, not just simple correlation, or rule-based fixed machine learning,” she said.

“In addition, included threat content (sadly most companies charge for out-of-the-box automated threat detection), network traffic analysis to identify unauthorised external communications, and real-time user and entity behaviour baselining and analytics can be used to reveal how anomalous behaviours are actual security threats associated with an attack campaign. This changes the game to enabling security teams to be proactive versus reactive,” said Nayyar.