LockBit ransomware gang lurked in a U.S. gov network for months
- April 12, 2022
- 10:15 AM
"A regional U.S. government agency compromised with LockBit ransomware had the threat actor in its network for at least five months before the payload was deployed, security researchers found.
Logs retrieved from the compromised machines showed that two threat groups had compromised them and were engaged in reconnaissance and remote access operations.
The attackers tried to remove their tracks by deleting Event Logs but the pieces of the files remained allowed threat analysts to get a glimpse of the actor and their tactics.
Initial compromise
. . .According to researchers at cybersecurity company Sophos, the actor accessed the network through open remote desktop (RDP) ports on a misconfigured firewall and then used Chrome to download the tools needed in the attack.
The toolset included utilities for brute-forcing, scanning, a commercial VPN, and free tools that allow file management and command execution, such as PsExec, FileZilla, Process Explorer, and GMER.
Additionally, the hackers used remote desktop and remote management software like ScreenConnect, and later in the attack, AnyDesk.
> From there, the attackers spent time laying low and just tried to steal valuable account credentials to expand their compromise of the network.
> At some point, they snatched the credentials of a local server admin who also had Domain Administrator permissions, so they could create on other systems new accounts with administrator privileges.
Upping the game
In the second phase of the attack, initiated five months after the initial compromise, a more sophisticated actor appears to have taken over, leading Sophos to assume that a higher-level actor was now in charge of the operation.
"The nature of the activity recovered from logs and browser history files on the compromised server gave us the impression that the threat actors who first broke in to the network weren’t experts, but novices, and that they may later have transferred control of their remote access to one or more different, more sophisticated groups who, eventually, delivered the ransomware payload" - Sophos . . .
The attackers made their presence more evident by wiping logs and performing system reboots via remote commands, alerting the system admins who took 60 servers offline and segmented the network.
> A second error during this incident response disabled endpoint security. From this point, the two parties engaged in an open confrontation of measures and countermoves.
"A steady stream of table-setting activities took place as the attackers dumped account credentials, ran network enumeration tools, checked their RDP abilities, and created new user accounts, presumably to give themselves options in case they were interrupted" - Sophos
"On the first day of the sixth month of the attack, the attacker made their big move, running Advanced IP Scanner and almost immediately beginning lateral movement to multiple sensitive servers. Within minutes, the attacker has access to a slew of sensitive personnel and purchasing files," informs the report from Sophos.
Sophos joined the response effort and shut down the servers that provided remote access to the adversaries, but part of the network had already been encrypted with LockBit.
On a few machines, although the files had been renamed with LockBit's suffix, no encryption had taken place, so restoring them was a matter of reversing the renaming action. . ."
Take the time read more and get more important information >> https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-lurked-in-a-us-gov-network-for-months/
Related Articles:
The Week in Ransomware - March 25th 2022 - Critical infrastructure
Ten notorious ransomware strains put to the encryption speed test
Dozens of ransomware variants used in 722 attacks over 3 months
Bridgestone Americas confirms ransomware attack, LockBit leaks data
REvil ransomware member extradited to U.S. to stand trial for Kaseya attack
