Kaspersky: Do not become like John

Kaspersky's Incident Response Team detected, studied and later stopped an attack on a client organization that ran from 2017 to 2019 and led to a large leak of confidential data. A local administrator account was compromised, and the breach persisted because the account's password was not changed regularly.

This allowed attackers to break into the system, breach a number of workstations, create a backdoor, and collect data unnoticed.


Every organization, from small to large enterprises, is prone to cyber attacks, regardless of the technical skill of the company or the qualifications of the information security team, simply because of the human factor. This latest incident handled by Kaspersky experts proves once again that even the slightest sign of irresponsibility on the part of an employee can lead to an attack that can cause significant damage to an organization.

The client, a large company, approached Kaspersky's investigators after detecting suspicious processes in the corporate network. Subsequent investigation revealed that the system had been compromised through the account of the local administrator (adm_Giannis), which was used to load a malicious dynamic library and later to steal data from the system. While it remained unclear how the administrator account was initially compromised, user inaction allowed the attack to persist for such an extended period of time. The administrator kept the password unchanged for the duration of the attack, instead of renewing it every three months - as recommended by the company's security policy. This gave the attackers consistent access to the target systems and resulted in the leak of thousands of confidential files.

To learn more about the attack and reduce the damage already caused by the criminals, the target organization and Kaspersky security team decided to monitor the cybercriminals' activities instead of stopping them immediately. The analysis helped determine that the systems of various organizations were at risk from 2017 to 2019.

The attackers entered the system using the administrator's account and uploaded malicious files directly to the network. The files included a dynamic library, as well as downloaders and a backdoor. These malicious objects were hidden in the system by modifying the shortcuts on the desktop, in the Start menu and on the taskbar. After the modification, clicking a shortcut started a file before the original application's executable, which allowed the attackers to hide suspicious activity from the organization's security system.

The way the backdoor was used (to obtain full access to the infected system) was of greatest interest to the client and the researchers. Further analysis showed that it launched various commands and searched for files by keyword and extension. It also kept track of the metadata of files it had downloaded at an earlier stage. It is worth noting that the backdoor was built specifically for this attack; no other use of it was identified for more than a year. Continued monitoring also allowed the organization to learn how the systems were compromised and how the shortcuts had been turned into malicious files, and to build a large set of indicators for this particular attack.
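As an added illustration of the shortcut tampering described above (not code from Kaspersky or the original report), the following Python parses the MS-SHLLINK (.lnk) binary format and flags traits of a shortcut that has been repointed so something else runs before the real application; the sample shortcuts, paths and loader DLL name are constructed for the demonstration.

```python
import struct
# LinkFlags bits from the MS-SHLLINK specification (header offset 0x14) and the fixed StringData order
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = [1 << i for i in range(8)]
STRING_ORDER = (("name", HAS_NAME), ("relpath", HAS_REL_PATH), ("workdir", HAS_WORK_DIR), ("args", HAS_ARGS), ("icon", HAS_ICON))
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}

def parse_lnk(data: bytes) -> dict:
    """Pull the local target path, arguments and icon location out of a .lnk blob."""
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = struct.unpack_from("<I", data, 0)[0]                  # HeaderSize, normally 0x4C
    pos += 2 + struct.unpack_from("<H", data, pos)[0] if flags & HAS_ID_LIST else 0   # skip LinkTargetIDList
    info = {"target": ""}
    if flags & HAS_LINK_INFO:
        size, _, li_flags, _, base_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 1:                                        # VolumeIDAndLocalBasePath present
            info["target"] = data[pos + base_off:data.index(b"\0", pos + base_off)].decode("cp1252")
        pos += size
    for key, bit in STRING_ORDER:                               # each string: 2-byte char count + chars
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0] * (2 if flags & IS_UNICODE else 1)
            info[key] = data[pos + 2:pos + 2 + n].decode("utf-16-le" if flags & IS_UNICODE else "cp1252")
            pos += 2 + n
    return info

def shortcut_findings(lnk: dict) -> list:
    """Traits of a shortcut repointed so that something else runs before the real application."""
    target, args, icon = lnk["target"].lower(), lnk.get("args", "").lower(), lnk.get("icon", "").lower()
    exe, icon_file = target.rsplit("\\", 1)[-1], icon.split(",")[0]
    checks = (
        (exe in SCRIPT_HOSTS and bool(args), "target is a script host or loader (%s) with arguments" % exe),
        (any(d in target + " " + args for d in ("\\appdata\\", "\\temp\\", "\\users\\public\\")), "target or arguments point into a user-writable directory"),
        (".exe" in args or ".dll" in args, "arguments name another executable or DLL"),
        (icon_file.endswith(".exe") and icon_file != target, "icon borrowed from an executable other than the target"),
    )
    return [msg for hit, msg in checks if hit]

def build_lnk(target: str, args: str = "", icon: str = "") -> bytes:
    """Constructed minimal .lnk (header + LinkInfo + StringData) used as sample input; not a captured file."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGS if args else 0) | (HAS_ICON if icon else 0)
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"   # ShellLink CLSID, little-endian
    header = struct.pack("<I16sI", 0x4C, clsid, flags).ljust(0x4C, b"\0")
    vol, base = struct.pack("<4I", 17, 3, 0, 16) + b"\0", target.encode("cp1252") + b"\0"
    body = vol + base + b"\0"                                   # VolumeID, LocalBasePath, CommonPathSuffix
    linkinfo = struct.pack("<7I", 28 + len(body), 28, 1, 28, 28 + len(vol), 0, 28 + len(vol) + len(base)) + body
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + linkinfo + (sd(args) if args else b"") + (sd(icon) if icon else b"")

if __name__ == "__main__":   # constructed samples: an untouched app shortcut and one repointed through rundll32
    print(shortcut_findings(parse_lnk(build_lnk(r"C:\Program Files\SomeApp\app.exe"))))
    print(shortcut_findings(parse_lnk(build_lnk(r"C:\Windows\System32\rundll32.exe", r"C:\Users\Public\Libraries\loader.dll,Start", r"C:\Program Files\SomeApp\app.exe,0"))))
```

Run against the .lnk files under a user's Desktop, Start Menu and pinned-taskbar folders, the same checks turn the shortcut modification described in the article into reviewable findings rather than a mystery.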

"This case showed that collaboration within the industry remains more important than ever, as it helps in gaining valuable knowledge, preventing similar attacks and continuing to fight cybercrime more effectively. As criminals become more creative in their tactics and techniques, we need to expand the work we do together in order to be able to detect threats at early stages and protect users and organizations," commented Pavel Kargapoltsev, security expert at Kaspersky.

More information can be found on the dedicated website Securelist.com.

To protect the organization from targeted attacks like this, Kaspersky recommends:

Use the MITRE ATT&CK matrix and the STIX format to detect attacks in their early stages.
Apply EDR (Endpoint Detection and Response) solutions for endpoint-level detection, investigation and timely remediation of incidents.
In addition to adopting effective endpoint protection, implement a corporate-level security solution that detects advanced network-level threats at an early stage.
Engage specialists from outside the company if your internal security team lacks the resources to hunt adversaries proactively and neutralize threats before damage occurs.
Introduce awareness training for all employees.

Note: all the names and the identifiers have been changed to protect the privacy of individuals and the organization.

Written by newsbot