A honeypot created by Cybereason to lure cybercriminals and analyze their methods showed that ransomware attacks infiltrate their victims in multiple stages.
Some types of cyberattacks are one-and-done deals where the cybercriminals get in and out quickly after infecting or compromising an organization. Other types of attacks, however, expand over a period of time as they try to impact additional resources within the organization. Using a honeypot, researchers at security firm Cybereason were able to attract multiple criminals using ransomware and follow each stage of an attack.
A honeypot is a network infrastructure built specifically to reel in cybercriminals to see how they behave and carry out a typical attack. In this case, Cybereason devised an extensive network architecture that pretended to be part of an electricity generation and transmission provider’s network. As such, this honeypot contained an IT environment, an OT (operational technology) environment, and HMI (human-machine interface) management systems.
After the honeypot officially opened for business, it took only three days for cyber attackers to infiltrate the network and fill it with malware, Israel Barak, the chief information security officer at Cybereason, told ZDNet. But the attack was carried out in distinct stages as the criminals carefully and stealthily forced their way from one resource to another.
In the first stage, the attackers gained initial access by exploiting publicly accessible remote administration interfaces. Such interfaces are typically designed by network operators to give technical support staff the ability to remotely connect to the network. To invade the network, the attackers were able to brute force the administrator’s account password and sign in remotely. After that, the criminals uploaded and ran a PowerShell script to create a backdoor so the attackers could persistently use and abuse the admin account without being detected.
In the second stage, the criminals uploaded more attack tools via PowerShell. One of those was Mimikatz, an open-source tool used to steal user credentials. The stolen credentials were used in an attempt to move laterally across the network to the domain controllers. However, the attempt failed as none of the compromised accounts had permission to access the domain controllers.
In stage three, the attack continued to try to move laterally by leveraging a network scanner to discover additional endpoints. Finally, in the fourth stage, the ransomware launched on all the compromised endpoints.
The ransomware attack against the honeypot shows that cybercriminals use multiple stages to infect as many machines as possible and maximize their profits. Instead of just deploying the ransomware on one system, they’ll move laterally throughout the network to hit one machine after another before finally launching the ransomware.
“This finding is consistent with what we have been seeing about ransomware in particular,” Javvad Malik, security awareness advocate for KnowBe4, told TechRepublic. “It is no longer a case that criminals will want to infect every machine as soon as possible. Rather ransomware, once broken in, will dial-home so the best strategy can be determined. This includes what to encrypt, the ability of the victim to pay, corrupting backups, and exfiltrating data and credentials.”
Beyond just encrypting sensitive files and demanding payment from the victim, ransomware attackers are going further with their threats.
“In this whole process, ransomware is the last to be deployed because it allows the criminals to not only demand payment for the decryption key, but also demand payment to not publicly release or sell data they have exfiltrated,” Malik said. “Sometimes they will use the stolen information to attack partners or try to extort customers.”
To better protect your organization against a ransomware attack, Cybereason serves up the following recommendations:
- Establish cyber incident response tools and procedures across both IT and OT networks with the goal to minimize Mean-Time-To-Response. Minimizing damage and preventing an ICS (industrial control system) network from being taken offline is essentially the cat-and-mouse game being played by attackers and defenders. To keep hacking groups at bay, organizations need to minimize the time it takes to respond to a threat. This can be achieved by deploying threat hunting services around the clock.
- Establish a unified security operation center and workflows across both IT and OT environments. Operating a unified security operations center (SOC) provides visibility into the IT and OT environments because attackers are looking to use IT environments as gateways into OT environments. Some companies may already have a network operations center (NOC) monitoring the OT environment, but a combined SOC lets operators see all operations as they move through the network.
- Design and operate with resiliency in mind. Resiliency and security can no longer be an afterthought. As new critical infrastructure systems are built and installed, legacy networks will be retired and taken offline. It is very important for next-generation systems to be built with resiliency and security in mind. The design and ongoing operation of the system must take into consideration what security threats will become commonplace in the months and years ahead.
- Partner with experts. Be sure to partner with experts with vast knowledge of ICS threats. The public and private sectors need to work together closely to protect this industry. Partner with a security company that can stay ahead of new threats and helps operators address issues in real-time.
- Test, test, test. Regular testing must be a focal point in this sector. Tabletop exercises that enable a red and blue team to role-play different catastrophic scenarios and the real-time response to those scenarios is critical when having to actually have to deal with a threat in real-time. Never underestimate the value of tabletop exercises in shoring up weakened defenses and helping executives understand the importance of security.
Based on the latest ransomware threats, Malik has another piece of advice for organizations:
“Even having reliable and up-to-date backups won’t help,” Malik said, “which is why preventing criminals from gaining a foothold is of utmost importance. The top three controls organizations can deploy would include security awareness training so that users can identify and respond to phishing attacks, MFA (multifactor authentication) to prevent credential compromise, and patching external-facing systems.”