Search

CSIRT story: I love the smell of ransomware in the morning

How the Orange Cyberdefense CSIRT team intervened to help a customer in Vietnam.

A ransomware attack in Vietnam 

A client reached out to Orange Cyberdefense as one of its subsidiaries in Vietnam was suffering a ransomware attack. In collaboration with Orange Business Services who provided an engineer on-site, it was possible for the CSIRT experts to get to work just a few hours after the incident had been discovered. 

It started with a bang 

The attacker got their first foothold on an RDP server. Once inside, he dropped his toolkit: network scanner, browser password extractor, process memory exploration, and disables antivirus on the server. 

King of the hill 

Ten minutes after the intrusion, the attacker performed a network reconnaissance and obtained domain administrator credentials. Finally, he connected to the domain controller, executing a server credential extractor to obtain clear text credentials for all users. 

The view from above

Once connected to the domain server, the attacker mounted various shares he had discovered on the domain controller. He clearly had his mind on backups and spent an hour and a half in there.  

Hiding the trail 

Once he was able to spread throughout a considerable part of the network and ensured the primary target was under control, he cleverly deleted all windows logs on all compromised machines, in an attempt to make forensics of the attack vector difficult. However, fortunately, logs are not the only source of forensic information. 

Running ransomware 

Four hours after its first log on the RDP server, the attacker deployed a variant of Phobos on all machines. 

Restoring clean backups 

After figuring out the attack history, the ransomware used and its operation mode, it was possible to restore cleaned backups of the infected systems and bring them back online. For criminal prosecution and preventing further attacks a full and detailed report was provided to the client. 

What lurks in the shadows 

We started this story with the attacker appearing on an RDP server without telling you how. With logs deleted, we’ll never know for sure how the attacker got hold of the account. However, the mere fact that in the two hours after the deletion, more than eight thousand login attempts were logged from all over the world, brute-force attack seems like a pretty solid guess. 

Lessons learned 

Just like the metaphoric chain, an unsegmented network is only as strong as its weakest endpoint. Endpoint defense and endpoint detection is key in identifying attacks in an early stage and minimize the damage.

Network segmentation can help to effectively contain an attack by restricting it to a separated part of the network. Important devices like RDP servers should be additionally protected within their segment. 

Brute-force attacks are relatively easy to detect and mitigate. Several thousand login attempts had probably failed before one was successful. Long before this, detection could have triggered an alarm and automatic countermeasures had any protection measures or a SOC been in place, either on-premises or as a remote service.  

Lastly, hiding attack procedures and activity by deleting logs is ineffective if the logs are collected in a SIEM for analysis. Security logs are not only effectively backed up, but also enable detailed forensics to identify attack vectors and preventively remove the used vulnerabilities to avoid future attacks.  

This story is part of the 2021 edition of the Security Navigator. Click here to view the latest edition of the Security Navigator: 

Download Security Navigator

Incident Response Hotline

Facing cyber incidents right now?

Contact our 24/7/365 world wide service incident response hotline.