Sophos, a global leader in next-generation cybersecurity has released findings on how attackers breached and spent five months inside a regional government server in the US to use it to browse online for a mix of hacker and IT administration tools that could help them carry out the attack.
The attackers also installed a cryptominer before exfiltrating data and deploying Lockbit ransomware. The findings suggest that multiple attackers infiltrated the vulnerable server. The attack was contained and investigated by Sophos’ incident response team.
The Sequence Of Attack
Sophos researchers found that the initial point of access for the attack was an open remote desktop protocol (RDP) port on a firewall that was configured to provide public access to a server. The attackers breached the server in September 2021.
They then used a browser on the breached server to search online for the tools to use for hacking and attempted to install them. In some cases, the search for tools led the attackers to shady download sites that delivered adware to the hacked server, instead of the tools they were looking for.
The research shows that attackers’ behaviors changed significantly in mid-January, with signs of more skilled and focused activity.
These attackers attempted to remove the malicious cryptominer and uninstall security software, taking advantage of the fact that the target had inadvertently left a protective feature disabled after completing maintenance.
The attackers then collected and exfiltrated data and deployed the cryptominer and Lockbit ransomware. The ransomware attack had limited success and the attackers failed to encrypt data on some machines.
Tools Used By The Attackers
The tools the attackers tried to install for malicious purposes included Advanced Port Scanner, FileZilla, LaZagne, mimikatz, NLBrute, Process Hacker, PuTTY, Remote Desktop Passview, RDP Brute Forcer, SniffPass, and WinSCP. The attackers also installed commercial remote access tools, including ScreenConnect and AnyDesk.
Andrew Brandt, the principal security researcher of Sophos mentioned in his statement:
“If a member of the IT team hasn’t downloaded them for a specific purpose, the presence of such tools on machines on your network is a red flag for an ongoing or imminent attack,”
He also gave a bit of advice on how to prevent those attackers from getting access to a network.
“A robust, proactive, 24/7 defense-in-depth approach will help to prevent such an attack from taking hold and unfolding. The most important first step is to try to prevent attackers from gaining access to a network in the first place, for example by implementing multi-factor authentication and setting firewall rules to block remote access to RDP ports in the absence of a VPN connection.”
Andrew Brandt, the Principal Security Researcher Of Sophos
It is important to protect the network from getting invaded by these attackers. As a worldwide leader in next-generation cybersecurity, Sophos is responsible for delivering services to secure users, networks, and endpoints against ransomware, malware, exploits, phishing, and a wide range of other cyberattacks. For further information about the findings, kindly read the article, “Attackers Linger on Government Agency Computers Before Deploying Lockbit Ransomware” on Sophos News.
More news about Sophos:
