A Nefilim ransomware attack that locked up more than 100 systems stemmed from the compromise of an unmonitored account belonging to an employee who had died three months previously, researchers said.
Nefilim, a strain closely related to the earlier Nemty ransomware, emerged in 2020, with its operators adopting the tactic that researchers call double extortion: Nefilim threatens to release victims’ data publicly if they fail to pay the ransom, and it runs its own leak site, called Corporate Leaks, as a Tor hidden service. Most famously, it attacked Australian transportation giant Toll Group in 2020.
According to Sophos researcher Michael Heller, this latest victim was compromised by exploiting vulnerable versions of Citrix software, after which the gang gained access to an admin account. From there, it stole the credentials for a domain admin account using Mimikatz.
Nefilim Lurks for a Month, Stealing Data
A Sophos forensic analysis found that the organization’s installed Citrix StoreFront 7.15 CU3 was, at the time of the incident, vulnerable to a known critical security bug (CVE-2019-11634) and four high-severity issues (CVE-2019-13608, CVE-2020-8269, CVE-2020-8270, CVE-2020-8283). StoreFront is the web portal through which employees launch the virtual applications and desktops approved for them, so it is typically exposed to far more users, and often to the internet, than a back-office server would be.
It’s almost certain, the team found, that this was the initial point of entry into the victim’s network.
After exploiting the Citrix installation and establishing an initial foothold, the attackers also used Remote Desktop Protocol (RDP) logins to maintain remote access to the initial admin account used in the attack.
To move laterally, the threat actor used Mimikatz, which extracts credentials (plaintext passwords, NTLM hashes and Kerberos tickets) from the memory of a compromised Windows host, including those of any privileged user who has recently logged on to it. Armed with those, they were able to compromise a domain administrator account.
Domain Admins is an Active Directory security group whose members have full administrative control over every object in the domain and, by default, local administrator rights on every domain-joined computer. A domain admin can create and delete users, change their group memberships and permissions, and reconfigure the domain controllers themselves. As such, it gives whoever controls it near-total power over, and visibility into, the network.
“The Rapid Response investigation then uncovered PowerShell commands as well as the use of RDP and Cobalt Strike to move laterally to multiple hosts, conduct reconnaissance and enumerate the network,” Heller explained in a Tuesday analysis. “The threat actor installed the file transfer and synchronization application MEGA in order to exfiltrate data; [and] the Nefilim ransomware binaries were deployed using Windows Management Instrumentation (WMI) via the compromised domain admin account.”
In all, the Nefilim operators were inside the victim’s network for about one month before launching the ransomware itself, Heller said, often carrying out activities in the middle of the night to avoid detection.
“The attacker gained access to that admin account, then spent one month quietly moving around to steal credentials for a domain admin account, finding the trove of data they wanted, exfiltrating hundreds of GB of data, and then finally announcing their presence with the ransomware attack,” he noted in a Tuesday posting.
Ghost Account: A Failing of Best Security Practices
The issue is that the administrative account that handed the cybercriminals the keys to the company’s data kingdom belonged to someone who is no longer with the company – indeed who no longer walks the earth. These types of “ghost” accounts present above-average risk to enterprises, researchers said, because of the lack of oversight in terms of how and when such accounts are used, given that there’s no daily user to keep tabs on activity.
Sophos Rapid Response manager Peter Mackenzie told the customer that another type of attacker, a more stealthy one, could have lurked for months, stealing all sensitive information in the company’s systems.
“If they hadn’t [deployed ransomware], how long would they have had domain admin access to the network without the customer knowing?”
Thus, alerts on the creation of new domain admin accounts, or on any use of existing ones, could have surfaced the intruders weeks before the ransomware fired. In a previous case, Sophos researchers saw an attacker gain access to an organization’s network, create a new user and add that account to the Domain Admins group in Active Directory, and no alert fired.
“That new domain admin account went on to delete about 150 virtual servers and used Microsoft BitLocker to encrypt the server backups,” Mackenzie said.
Best practices would dictate taking such accounts out of commission completely, but the organization said it was kept active “because there were services that it was used for.”
“If an organization really needs an account after someone has left the company, they should implement a service account and deny interactive logins to prevent any unwanted activity,” Heller noted. “Or, if they don’t need the account for anything else, disable it and carry out regular audits of Active Directory. Active Directory Audit Policies can be set to monitor for admin account activity or if an account is added to the domain admin group.”
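The sweep and the two remediations Heller describes, written out as an added PowerShell example (this is not Sophos’s code or anything from the incident). It assumes the RSAT ActiveDirectory module and rights to read and modify the accounts; the account names jdoe, svc-reporting and svc-legacy, the host APP01, the domain corp.example and the group Deny-Interactive-Logon are placeholders.

```powershell
# Added example: find "ghost" accounts, then retire them or replace them with a
# service identity that cannot be logged into interactively.
# All account, host, domain and group names below are placeholders.
Import-Module ActiveDirectory

$StaleDays = 90
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

# Every user account that is (directly or via nesting) in Domain Admins.
$DomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

# Enabled accounts with no logon since the cutoff. LastLogonDate comes from the
# replicated lastLogonTimestamp, which can lag real activity by up to ~14 days;
# fine for a 90-day stale sweep, not for a precise "last used" time.
$Stale = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, PasswordLastSet, Description |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff }

# Report, privileged ghosts first: a stale account in Domain Admins is exactly the case above.
$Stale |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet, Description,
        @{ Name = 'DomainAdmin'; Expression = { $DomainAdmins -contains $_.SamAccountName } } |
    Sort-Object DomainAdmin -Descending |
    Format-Table -AutoSize

# --- Remediation 1: the account is not needed for anything -> strip privilege, disable,
# and record why, so the next audit does not reopen the question.
$Departed = 'jdoe'
Remove-ADGroupMember -Identity 'Domain Admins' -Members $Departed -Confirm:$false
Disable-ADAccount -Identity $Departed
Set-ADUser -Identity $Departed -Description "Disabled $(Get-Date -Format yyyy-MM-dd): user left company"

# --- Remediation 2: a service genuinely needs an identity -> give it a group managed
# service account (gMSA). AD generates and rotates the gMSA password itself, and a gMSA
# cannot be used for an interactive or RDP logon, so there is nothing for an attacker
# to "log in" with. Assumes the forest already has a KDS root key (New-KdsRootKey, run once).
New-ADServiceAccount -Name 'svc-reporting' `
    -DNSHostName 'svc-reporting.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'APP01$'   # only host APP01 may fetch the password
# Then on APP01: Install-ADServiceAccount -Identity 'svc-reporting' and run the service as corp\svc-reporting$

# --- If a legacy service cannot use a gMSA and must keep a normal user account, at least
# pin that account to the host that runs the service; logons from anywhere else are refused.
Set-ADUser -Identity 'svc-legacy' -LogonWorkstations 'APP01'
# Deny interactive and RDP logon as well, via the Group Policy user rights
# "Deny log on locally" and "Deny log on through Remote Desktop Services" assigned to a
# group that such accounts are placed in:
Add-ADGroupMember -Identity 'Deny-Interactive-Logon' -Members 'svc-legacy'
```

The report is the part to run first: an enabled account with no logon in three months that still sits in Domain Admins is the profile of the account in this story, and the Description field gives the next auditor the reason it was disabled rather than a bare "disabled" flag they might be tempted to flip back.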
Mackenzie said that in general, far fewer accounts need to be designated as domain admins than most people think.
“People assume because a person is an executive or is in charge of the network that they need to be using a domain admin account. This isn’t true and it’s dangerous,” he said. “No account with privileges should be used by default for work that doesn’t require that level of access. Users should elevate to using the required accounts when needed and only for that task.”
Best practices to avoid attacks like this include only granting access permissions that are needed for a specific task or role; disabling accounts that are no longer needed; implementing a service account and denying interactive logins for any “ghost” accounts; and carrying out regular audits of Active Directory to monitor for admin account activity or if an unexpected account is added to the domain admin group.
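The audit-and-alert half of that list, and the "alerts for when domain admin accounts are created or used" that Sophos says would have caught both this attack and the earlier one, as an added PowerShell example run on a domain controller (again, not Sophos’s code). It assumes success auditing is enabled for the "User Account Management", "Security Group Management" and "Special Logon" subcategories; the mail addresses and SMTP host in the commented hand-off line are placeholders.

```powershell
# Added example: pull the Security events that record privileged-account creation,
# Domain Admins membership changes and privileged logons, and turn them into alerts.
# Enable the needed auditing first, e.g.:
#   auditpol /set /subcategory:"Security Group Management" /success:enable
#   auditpol /set /subcategory:"User Account Management"   /success:enable
#   auditpol /set /subcategory:"Special Logon"             /success:enable
# Event 4672 is written on the machine where the privileged logon happens, so without
# event forwarding this only sees admin logons to the DC it runs on.
Import-Module ActiveDirectory

$Since            = (Get-Date).AddHours(-24)
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Current Domain Admins, used to decide which logon events matter.
$DomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

# Flatten an event's EventData name/value pairs into a hashtable.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 4720 = user account created
# 4728 = member added to a security-enabled global group    (Domain Admins, Schema Admins)
# 4756 = member added to a security-enabled universal group (Enterprise Admins)
# 4732 = member added to a security-enabled local group     (built-in Administrators)
# 4672 = special privileges assigned to new logon           (an admin-level account was used)
$Filter = @{ LogName = 'Security'; Id = 4720, 4728, 4756, 4732, 4672; StartTime = $Since }
$Alerts = foreach ($e in (Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue)) {
    $d = Get-EventData $e
    switch ($e.Id) {
        4720 {
            "$($e.TimeCreated) ACCOUNT CREATED: $($d.TargetUserName) by $($d.SubjectUserName)"
        }
        { $_ -in 4728, 4756, 4732 } {
            if ($d.TargetUserName -in $PrivilegedGroups) {
                "$($e.TimeCreated) PRIVILEGED GROUP CHANGE: $($d.MemberName) added to $($d.TargetUserName) by $($d.SubjectUserName)"
            }
        }
        4672 {
            # The intruders in the article worked in the middle of the night: flag any
            # Domain Admin logon outside 07:00-19:00 on top of the membership changes.
            $hour = $e.TimeCreated.Hour
            if ($d.SubjectUserName -in $DomainAdmins -and ($hour -lt 7 -or $hour -ge 19)) {
                "$($e.TimeCreated) OFF-HOURS ADMIN LOGON: $($d.SubjectUserName) on $($e.MachineName)"
            }
        }
    }
}

if ($Alerts) {
    $Alerts | ForEach-Object { Write-Warning $_ }
    # Hand off to whatever actually pages someone (SIEM webhook, ticket, mail); placeholder addresses:
    # Send-MailMessage -To 'soc@corp.example' -From 'dc01@corp.example' -Subject 'AD privileged activity' `
    #     -Body ($Alerts -join "`n") -SmtpServer 'mail.corp.example'
}
```

Scheduled every few minutes on each domain controller, this catches the two things Sophos names: a new account being dropped into Domain Admins (the 150-virtual-server case) and an existing admin account being used when nobody who owns it should be working (the ghost account in this one). The 4672 branch is deliberately noisy by design: a domain admin who really does log on at 3 a.m. should have to say so.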
“Ransomware will continue to plague organizations for the foreseeable future, so it’s important that the root causes are looked at. In this case, the criminals were successful in their attack by being able to take over an orphan or ghost account which had administrative privileges,” Javvad Malik, security awareness advocate at KnowBe4, said via email. “Account management, and in particular, privileged account management is an important security control for which all organizations should have processes in place.”