Kaspersky: Do not become like John

Kaspersky's incident response team detected, investigated, and later prevented an attack on a client organization that took place from 2017 through 2019 and resulted in a major breach of confidential data. A local administrator's account was compromised because he neglected to change his password regularly.

This allowed attackers to break into the system, breach a number of workstations, create a backdoor, and collect data unnoticed.


Every organization, from small to large, is susceptible to cyberattacks, regardless of the company's technical proficiency or the qualifications of its information security team, simply because of the human factor. This latest incident handled by Kaspersky's experts proves once again that even the slightest irresponsibility on the part of an employee can lead to an attack that causes significant damage to an organization.

The client, a large company, approached Kaspersky's investigators after detecting suspicious processes in the corporate network. Subsequent investigation revealed that the system had been compromised through the account of the local administrator (adm_Giannis), which was used to load a malicious dynamic library and later to steal data from the system. While it remained unclear how the administrator account was initially compromised, user inaction allowed the attack to persist for such an extended period of time. The administrator kept the password unchanged for the duration of the attack, instead of renewing it every three months - as recommended by the company's security policy. This gave the attackers consistent access to the target systems and resulted in the leak of thousands of confidential files.

To learn more about the attack and limit the damage the criminals had already caused, the target organization and Kaspersky's security team decided to monitor the attackers' activity rather than stop it immediately. The analysis determined that the systems of various organizations were at risk from 2017 to 2019.

The attackers entered the system using the administrator account and uploaded malicious files directly to the network. The files included a dynamic library, as well as downloaders and a backdoor. These malicious objects were hidden in the system by modifying shortcuts on the desktop, start menu and taskbar. After the modification, when a user clicked on a shortcut, a malicious file was launched before the original application's executable, which allowed the attackers to hide suspicious activity from the organization's security systems.
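The shortcut tampering described above leaves a footprint that a defender can audit: a `.lnk` file on the desktop, start menu or taskbar whose target is not an installed application, or whose arguments name a second executable. The following PowerShell script is an added example, not code from Kaspersky or from the article; the trusted-root allow-list and the flagged script hosts are assumptions you should adapt to your environment.

```powershell
# Added example: audit user-visible shortcuts for targets that do not point at an
# installed application. Folder locations are standard Windows paths; the allow-list
# of trusted roots and the list of script hosts are assumptions.
$ShortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
)

# Where legitimate application targets are expected to live (assumption).
$TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in ($ShortcutDirs | Where-Object { Test-Path $_ })) {
    foreach ($file in Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
        $lnk       = $shell.CreateShortcut($file.FullName)
        $target    = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)
        $arguments = $lnk.Arguments
        $reasons   = @()

        $inTrustedRoot = $false
        foreach ($root in $TrustedRoots) { if ($target -like "$root\*") { $inTrustedRoot = $true } }
        if ($target -and -not $inTrustedRoot) { $reasons += 'target outside Program Files/Windows' }

        # A shortcut whose target is a script host or loader, or whose arguments name a
        # second executable/DLL, matches the pattern in the article: something else runs
        # first, then the original application.
        if ($target -match '\\(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32)\.exe$') {
            $reasons += 'target is a script host or loader'
        }
        if ($arguments -match '\.(exe|dll|bat|vbs|js|ps1)\b') {
            $reasons += 'arguments reference another executable'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Shortcut = $file.FullName
                Target   = $target
                Args     = $arguments
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it under each user's context (pinned taskbar items live in the user profile), and compare the flagged targets against a known-good baseline rather than treating every hit as malicious; some installers legitimately point shortcuts at script hosts.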

The way the backdoor was used, to allow full access to the infected system, was of the greatest interest to the client and the researchers. Further analysis showed that it ran various commands and searched for files using keywords and extensions. It also kept track of metadata from previously downloaded files. It is worth noting that the backdoor was created specifically for this attack and had not been used in any other case for more than a year. Additional monitoring also allowed the organization to learn how the systems were compromised and how the shortcuts were modified to point to malicious files, and to generate a large number of indicators for this particular attack.

"This case demonstrated that collaboration within the industry remains more important than ever, helping to share valuable insights, in preventing similar attacks and continuing to fight cybercrime more effectively. As criminals become more creative in their tactics and techniques, we need to expand the work we do together in order to be able to detect threats at early stages and protect users and organizations," commented Pavel Kargapoltsev, security expert at Kaspersky.

More information can be found on the dedicated website Securelist.com.

To protect the organization from targeted attacks like this, Kaspersky recommends:

Use the MITRE ATT&CK matrix and the STIX format to detect attacks in their early stages.
Apply EDR (Endpoint Detection and Response) solutions for endpoint-level detection, investigation and timely remediation of incidents.
In addition to adopting effective endpoint protection, implement a corporate-level security solution that detects advanced network-level threats at an early stage.
Engage specialists from outside the company if your internal security team lacks the resources to proactively hunt adversaries and neutralize threats before damage occurs.
Introduce security awareness training for all employees.

Note: all names and identities have been changed to protect the privacy of individuals and organizations.


Written by newsbot
