True Story – You’ve Been Hacked
by ITS Engineer Celso Scarpim
We were contacted by a distressed new business customer needing help due to a cyber-attack. The attacker managed to gain access to an old, unused (but still active) account to control a specific machine and install a virus.
The attacker connected through an anonymizing network (Tor), which is commonly associated with the Deep Web and hackers. From the forensic analysis, the last known Tor server used was in the Netherlands, but the usual practice is to tunnel through several servers, rendering the connection untraceable.
After the attacker logged on to the target machine, they immediately uninstalled the antivirus. This left them free to run any other programmes, browse through the server folders and collect any information without being detected. While troubleshooting the issue, I found that the event logs indicated the attacker remained connected to that machine for about 40 minutes. Before disconnecting, the attacker installed and activated a ransomware-type threat (WannaCry), which affected the machine itself as well as shared folders on the server and on other machines that the user account had permission to access.
The reasons for this targeted attack are unknown. However, it did not appear to be a profit-driven attack, as the attacker apparently already knew the hostname, user account and password to use. The logs show no evidence of the password being brute-forced.
HOW – GOOD SECURITY
The security flaws identified and remediated in this case are quite common on many small business networks that have a more “relaxed” security policy:
Security updates not installed in a timely manner on ALL machines: many vulnerabilities are quite recent and updates should be applied regularly. For example, the vulnerability exploited by WannaCry was patched by Microsoft 3 months before this attack.
Local machine users set as administrators: this is common practice, but it shouldn't be. Administrative privileges are needed to install programmes and should not be granted to regular users.
Network shares (folders) with loose permissions: some shares grant full permissions to everyone on the network. These permissions should be reviewed and granted only to specific groups.
Weak passwords: attackers usually have a “dictionary” of passwords that can be used to obtain access to a system. Any sensitive device on the network should have a strong password.
Idle/old/unused accounts: domain accounts that are no longer in use should be deactivated to avoid exploitation. This should be verified on a regular basis, especially if staff turnover is significant (e.g. many temporary employees).
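As an added illustration (not from the post or the author's engagement), the check below correlates Windows logon/logoff events (4624/4634) into sessions, flags logons by accounts that have been idle longer than a threshold, and attributes a security-service stop (event 7036) to whichever session was open on that host at the time. All event records, account names, hostnames and dates are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the incident in the post). Windows Security
# event 4624 = logon, 4634 = logoff; System event 7036 = service state change.
EVENTS = [
    {"time": "2017-08-13T08:00:00", "id": 4624, "user": "jsmith", "host": "FS01", "logon_id": "0x1a"},
    {"time": "2017-08-13T17:05:00", "id": 4634, "user": "jsmith", "host": "FS01", "logon_id": "0x1a"},
    {"time": "2017-08-14T02:10:00", "id": 4624, "user": "temp_intern", "host": "FS01", "logon_id": "0x3f"},
    {"time": "2017-08-14T02:12:00", "id": 7036, "host": "FS01",
     "detail": "The Antivirus Service service entered the stopped state."},
    {"time": "2017-08-14T02:50:00", "id": 4634, "user": "temp_intern", "host": "FS01", "logon_id": "0x3f"},
]
# Constructed account inventory: last logon seen for each account before this log window.
LAST_LOGON = {"jsmith": "2017-08-12T08:00:00", "temp_intern": "2017-02-01T00:00:00"}
# Service names whose stop should be treated as a security event (assumed watchlist).
WATCHED_SERVICES = ("antivirus", "defender", "endpoint protection")

def parse(ts):
    return datetime.fromisoformat(ts)

def sessions(events):
    """Pair each 4624 with the 4634 carrying the same logon_id; return closed sessions."""
    open_logons, closed = {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == 4624:
            open_logons[e["logon_id"]] = e
        elif e["id"] == 4634 and e["logon_id"] in open_logons:
            s = open_logons.pop(e["logon_id"])
            closed.append({"user": s["user"], "host": s["host"],
                           "start": parse(s["time"]), "end": parse(e["time"])})
    return closed

def findings(events, last_logon, stale_days=90):
    """Alert on logons by accounts idle > stale_days, and on a watched service stopping
    while a session is open on the same host (attributed to that session's user)."""
    alerts, sess = [], sessions(events)
    for s in sess:
        idle = s["start"] - parse(last_logon.get(s["user"], "1970-01-01T00:00:00"))
        if idle > timedelta(days=stale_days):
            mins = int((s["end"] - s["start"]).total_seconds() // 60)
            alerts.append(f"stale account {s['user']} ({idle.days} days idle) "
                          f"logged on to {s['host']} for {mins} min")
    for e in events:
        detail = e.get("detail", "").lower()
        if e["id"] == 7036 and "stopped state" in detail and any(w in detail for w in WATCHED_SERVICES):
            t = parse(e["time"])
            who = [s["user"] for s in sess if s["host"] == e["host"] and s["start"] <= t <= s["end"]]
            alerts.append(f"security service stopped on {e['host']} during session of {', '.join(who) or '<none>'}")
    return alerts

if __name__ == "__main__":
    for a in findings(EVENTS, LAST_LOGON):
        print(a)
```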
Needless to say, antivirus and firewalls should be standard practice. Antispam and possibly web monitoring should also be considered on more sensitive networks.
Staying secure isn't just about having good security solutions in place. In reality, these will only provide a certain level of protection, and cybercrime is on the increase.
The need for solid backup solutions, processes and recovery plans has never been more important than now.
The term ‘in the unlikely event’ is fast becoming a ‘likely event’ when describing the very real threat of cybercrime. Ensuring you have stable, sturdy and substantial backup and recovery plans in place is critical for ensuring business continuity in the likely event of a security breach or system failure leading to loss of data.
The accuracy of backup, process and recovery planning has a direct relationship to the financial health of your business.
Even if you have checks and measures in place, annual security audits are a must for businesses big and small.
Contact us to schedule a security audit or to discuss how we can help you and your business.