Kaspersky: Do not become like John

Kaspersky's Incident Response Team detected, studied and later stopped an attack on a client organization that ran from 2017 to 2019 and led to a large leak of confidential data. A local administrator account was compromised, and the attack persisted because the account's password was never changed.

This allowed attackers to break into the system, breach a number of workstations, create a backdoor, and collect data unnoticed.


Every organization, from small to large businesses, is susceptible to cyber-attacks regardless of its technical prowess or the qualifications of its information security team, simply because of the human factor. This latest incident handled by Kaspersky experts proves once again that even a small lapse by an employee can open the way to an attack that causes significant damage to an organization.

The client, a large company, approached Kaspersky's investigators after detecting suspicious processes in the corporate network. The subsequent investigation revealed that the system had been compromised through a local administrator account (adm_Giannis), which was used to load a malicious dynamic library and later to steal data from the system. While it remained unclear how the administrator account was initially compromised, user inaction allowed the attack to persist for such an extended period of time: the administrator kept the password unchanged for the duration of the attack instead of renewing it every three months, as the company's security policy recommended. This gave the attackers consistent access to the target systems and resulted in the leak of thousands of confidential files.

To learn more about the attack and limit the damage already caused by the criminals, the target organization and the Kaspersky security team decided to monitor the cybercriminals' activities instead of stopping them immediately. The analysis established that the systems of various organizations were at risk from 2017 to 2019.

The attackers logged in using the administrator account and uploaded malicious files directly to the network. The files included a dynamic library, as well as downloaders and a backdoor. These malicious items were hidden in the system by modifying the desktop shortcuts, the Start Menu and the taskbar. After the modification, clicking a shortcut started a malicious file before the application's original executable, which allowed the attackers to hide the suspicious activity from the organization's security system.
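The shortcut hijack described above leaves a trace that defenders can look for: a shortcut on the desktop, Start Menu or taskbar whose target is no longer the application itself. The following PowerShell script is an added example, not code from the article or from Kaspersky; the set of trusted program roots, the list of interpreters treated as suspicious targets and the argument patterns are assumptions chosen for illustration and should be tuned to the environment.

```powershell
# Added example (not from the article): enumerate user and system shortcuts and
# flag those whose target or arguments fit the launcher-hijack pattern described above.
$shell = New-Object -ComObject WScript.Shell

# Shortcut locations the article names: desktop, Start Menu and taskbar (pinned items).
$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
)

# Assumption: legitimate application targets live under these roots.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }

$findings = foreach ($dir in $shortcutDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file   = $_
        $lnk    = $shell.CreateShortcut($file.FullName)
        $target = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)
        $reasons = @()

        # Target outside the trusted roots (e.g. %APPDATA%, %TEMP%, ProgramData).
        if ($target -and -not ($trustedRoots | Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') })) {
            $reasons += 'target outside trusted program roots'
        }
        # Target is a command interpreter or script host: typical of a launcher that
        # runs something first and then starts the real application.
        if ($target -match '\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe$') {
            $reasons += 'target is an interpreter or script host'
        }
        # Arguments that reference another executable, library or script.
        if ($lnk.Arguments -match '\.(exe|dll|bat|cmd|vbs|js|ps1|hta)\b') {
            $reasons += 'arguments reference an executable or script'
        }

        if ($reasons) {
            [pscustomobject]@{
                Shortcut  = $file.FullName
                Target    = $target
                Arguments = $lnk.Arguments
                Reason    = ($reasons -join '; ')
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

Run it under each user profile (or from a SYSTEM context with the per-user paths expanded) and compare the flagged targets against a known-good inventory; a legitimate shortcut pointing into a user-writable directory is the case most worth a second look.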

The way in which the backdoor was used – to allow full access to the "infected" system – was of the greatest interest to the client and the researchers. Further analysis showed that it ran various commands and searched for files by keywords and extensions. It also kept track of the metadata of files that had been "downloaded" at a previous stage. It is worth noting that the backdoor was created specifically for this attack: no other instance of its use was identified in over a year. The additional monitoring also allowed the organization to learn how systems were breached and how shortcuts were modified to point to malicious files, and to build a large set of indicators for this particular attack.

"This case demonstrated that collaboration within the industry remains more important than ever, helping to gain valuable insights, prevent similar incidents and continue to fight cybercrime more effectively. As criminals become more creative in their tactics and techniques, we need to expand the work we do together in order to be able to detect threats at early stages and protect users and organizations," commented Pavel Kargapoltsev, security expert at Kaspersky.

More information can be found on the dedicated website Securelist.com.

To protect the organization from targeted attacks like this, Kaspersky recommends:

Use the MITRE ATT&CK matrix and the STIX format to detect attacks in their early stages.
Deploy EDR (Endpoint Detection and Response) solutions for endpoint-level detection, investigation and timely remediation of incidents.
In addition to adopting effective endpoint protection, implement a corporate-level security solution that detects advanced network-level threats at an early stage.
Engage external specialists if your internal security team lacks the resources to proactively hunt for adversaries and neutralize threats before damage occurs.
Provide security awareness training for all employees.

Note: all names and identities have been changed to protect the privacy of individuals and organizations.


Written by newsbot

Although the press releases will be from very select to rarely, I said to go ... because sometimes the authors are hiding.
