Kaspersky's Incident Response Team detected, studied and later shut down an attack on a client organization that ran from 2017 to 2019 and led to a large leak of confidential data. The attackers operated through a compromised local administrator account whose password was never rotated.
That account gave them a way into the network, from which they compromised a number of workstations, installed a backdoor and collected data unnoticed.
Every organization, from small businesses to large enterprises, can be hit by a cyber attack regardless of the company's technical maturity or the qualifications of its information security team, simply because of the human factor. This latest incident handled by Kaspersky experts shows once again that even a small lapse on the part of one employee can open the door to an attack that causes significant damage to an organization.
The client, a large company, approached Kaspersky's investigators after detecting suspicious processes on the corporate network. The investigation revealed that the systems had been compromised through a local administrator account (adm_Giannis), which was used to load a malicious dynamic library and later to exfiltrate data. It remained unclear how the account was initially compromised, but the administrator's inaction allowed the attack to persist for such an extended period: the password stayed unchanged for the duration of the attack instead of being rotated every three months as the company's security policy required. This gave the attackers uninterrupted access to the target systems and resulted in the leak of thousands of confidential files.
To learn more about the attack and limit the damage the criminals had already caused, the target organization and Kaspersky's security team decided to monitor the attackers' activity rather than stop it immediately. The analysis established that the systems of various organizations had been at risk from 2017 to 2019.
The attackers logged in with the administrator account and copied malicious files directly onto the network: a dynamic library, several downloaders and a backdoor. They hid these components by modifying existing shortcuts on the desktop, in the Start menu and on the taskbar. Once a shortcut had been modified, clicking it launched the malicious file first and then the application's original executable, so the user saw the program open as usual and the suspicious activity stayed hidden from the organization's security tooling.
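The shortcut hijack described above (MITRE ATT&CK T1547.009, Shortcut Modification) leaves a concrete artifact: a `.lnk` whose target is no longer the application but a launcher such as `cmd.exe` or `rundll32.exe`, with the real application pushed into the arguments. The script below is an added example, not Kaspersky's tooling and not an artifact from the incident: it decodes the few fields of the Shell Link format ([MS-SHLLINK]) that triage needs (the LinkInfo local path and the StringData fields), then flags a shortcut whose target basename is not the expected executable, whose target is a known launcher, or whose arguments reference a second executable or DLL. The launcher list, the `Contoso.exe` application, the `sx.dll` path and both sample shortcuts are constructed assumptions; the `build_lnk` helper exists only to produce those fixtures offline.

```python
"""Triage Windows .lnk shortcuts for the hijack pattern described above:
a shortcut repointed at a launcher that runs a planted file and then the
real application. Added example, not Kaspersky's tooling. Field layout
follows [MS-SHLLINK]; only what triage needs is decoded. All shortcuts
below are constructed fixtures, not files from the incident."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
               (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
               (HAS_ICON, "icon"))
# Assumed list of launchers a hijacked shortcut commonly points at instead of the app.
LAUNCHERS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
             "mshta.exe", "wscript.exe", "cscript.exe"}
PAYLOAD_RE = re.compile(r'[^\s"&|]+\.(?:exe|dll|bat|cmd|vbs|js|ps1|hta)\b', re.I)


def _cstr(buf, off):
    """NUL-terminated ANSI string at buf[off:]."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Return target path (from LinkInfo) and StringData fields of a shell link."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    info = {"target": None, "relative_path": None, "arguments": None}
    pos = 0x4C
    if flags & HAS_IDLIST:                       # skip the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        li_size, _hdr, li_flags, _vol, base_off, _net, suf_off = \
            struct.unpack_from("<7I", data, pos)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath present
            info["target"] = _cstr(data, pos + base_off) + _cstr(data, pos + suf_off)
        pos += li_size
    unicode = bool(flags & IS_UNICODE)
    for flag, key in STRING_DATA:                # fixed order per the spec
        if flags & flag:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + (n * 2 if unicode else n)]
            pos += len(raw)
            info[key] = raw.decode("utf-16-le" if unicode else "latin-1")
    return info


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(info, expected_exe):
    """Reasons the shortcut looks hijacked; empty list means it launches the expected app."""
    findings = []
    target = info["target"] or info["relative_path"] or ""
    if _basename(target) != expected_exe.lower():
        findings.append(f"target is {target!r}, expected {expected_exe}")
    if _basename(target) in LAUNCHERS:
        findings.append(f"target is a launcher: {_basename(target)}")
    for ref in PAYLOAD_RE.findall(info["arguments"] or ""):
        if _basename(ref) != expected_exe.lower():
            findings.append(f"arguments reference {ref}")
    return findings


def _sd(s):
    """StringData entry: CountCharacters (u16) followed by UTF-16LE chars."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(target, relative, arguments):
    """Construct a fixture .lnk with LinkInfo + StringData (for the samples below)."""
    flags = HAS_LINKINFO | HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    vol = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # minimal VolumeID
    base, suffix = target.encode() + b"\x00", b"\x00"        # empty CommonPathSuffix
    base_off = 0x1C + len(vol)
    suf_off = base_off + len(base)
    linkinfo = struct.pack("<7I", suf_off + len(suffix), 0x1C, 1, 0x1C, base_off, 0, suf_off)
    return header + linkinfo + vol + base + suffix + _sd(relative) + _sd(arguments) + b"\0\0\0\0"


# Constructed samples: the app's own shortcut, and the same shortcut rewritten so
# clicking it runs a planted DLL via rundll32 before starting the real application.
CLEAN = build_lnk(r"C:\Program Files\Contoso\Contoso.exe", r"..\..\Contoso.exe", "")
HIJACKED = build_lnk(
    r"C:\Windows\System32\cmd.exe", r"..\..\..\Windows\System32\cmd.exe",
    r'/c rundll32.exe C:\ProgramData\Updater\sx.dll,Run & start "" "C:\Program Files\Contoso\Contoso.exe"')

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(name, assess(parse_lnk(blob), "Contoso.exe"))
```

On a real host, feed `parse_lnk` the bytes of each shortcut under the user's Desktop, `Start Menu\Programs` and `Quick Launch\User Pinned\TaskBar` folders and pass the application the shortcut claims to open as `expected_exe`; a shortcut whose icon and name still say "Contoso" but whose target resolves to `cmd.exe` with a DLL in the arguments is exactly the artifact this case describes. The parser deliberately skips the item ID list, so a shortcut that carries its target only in that structure will show an empty target and should be treated as worth a manual look rather than as clean.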
The way the backdoor was used, giving full access to the infected system, was of greatest interest to the client and the researchers. Further analysis showed that it ran various commands and searched for files by keyword and extension, and that it kept track of metadata from files it had already collected. Notably, the backdoor had been built specifically for this attack and was not observed in any other case for more than a year. Continued monitoring also let the organization learn exactly how the systems had been compromised and how the shortcuts had been rewritten to point at malicious files, and produced a large set of indicators of compromise for this particular attack.
"This case has shown that co-operation within the industry remains more important than ever, as it helps to gain valuable knowledge, prevent similar attacks and continue the fight against cybercrime more effectively. As criminals become more creative in their tactics and techniques, we need to expand the work we do together to be able to detect threats at an early stage and protect users and organizations," said Pavel Kargapoltsev, a security expert at Kaspersky.
More information can be found on the dedicated website Securelist.com.
To protect the organization from targeted attacks like this, Kaspersky recommends:
Use the MITRE ATT&CK matrix and the STIX format to detect attacks at an early stage.
Deploy an EDR (Endpoint Detection and Response) solution for endpoint-level detection, investigation and timely remediation of incidents.
In addition to effective endpoint protection, implement a corporate-grade security solution that detects advanced network-level threats at an early stage.
Engage outside specialists if your internal security team lacks the resources to proactively hunt adversaries and neutralize threats before damage is done.
Introduce security awareness training for all employees.
Note: all names and identities have been changed to protect the privacy of individuals and organizations.