How Small Vulnerabilities Become a Recipe for Disaster
Blog post 9 April 2021 by Max van der Linden, Security Analyst at Secura
As you might have heard, municipality Hof van Twente has recently fallen victim to a ransomware attack, which resulted in a near complete business standstill. A ransomware attack essentially breaks or locks important files and only restores them when a large sum of money is paid.
NFIR executed a forensic investigation of the case, and the published report* was used as the foundation for this blog. This blog is intended to provide a high-level overview of the path of events that led to the attack and to show that vulnerabilities which might seem insignificant at first can have a huge impact when chained together.
On the 9th of November 2020 the hackers obtained initial access by brute-forcing the remote desktop (RDP) access of an FTP server. This might sound complex, but essentially the hackers found a computer which stores files and documents. This computer offered an option to log in and control the system remotely, so the hackers started guessing the username and password, attempting to log in millions of times with different usernames and passwords, until they eventually found the account “testadmin” with the password “Welkom2020” and were able to sign in. The “test” in “testadmin” implies that this was an account created for testing purposes.
Command and Control
The “testadmin” account had the highest level of access within the organization, which allowed the hackers to move freely through the network and execute their malicious actions. The hackers accessed a total of nine servers, four of which they used to set up a connection to their own command and control server. A command and control server is essentially a hacker-controlled system which sends commands to the four servers in the Hof van Twente network, which can now be “commanded” to execute attacks from within.
Because the hackers now had a way to “Command and Control” four systems in the network they removed the RDP access from the FTP server. In other words, the hackers closed and locked the back-door they had used to initially get access, because leaving the door open could raise suspicion or allow others to gain the same access.
It's Showtime: Execution of Attack
Now that the hackers had access to the internal network and had erased their initial path of entry, it was time to execute the ransomware attack. At 10:00 pm, when the hackers expected nobody to be in the office to interfere, they started locking systems and deleting 89 virtual servers until only the systems needed to technically run the network were left alive. Take a moment to imagine what this would mean in your organization: in essence, everything stored in the server room is gone.
The hackers did leave an indication that this was not just a technical failure. When people got into the office they noticed printed ransom notes on some of the printers. Additionally, the hackers left digital copies of these ransom notes on the affected systems. Ransom notes generally contain instructions on what a company should do to retrieve their data and systems, which in general comes down to: “Pay a lot of money and we will give you the keys to unlock everything again”.
At various times during the period of compromise there would have been opportunities to detect the attack. To give an idea of the timeline, the hackers' first successful login was on the 9th of November, and it was on the 30th of November that the actual attack was executed. This gave a window of approximately 20 days in which the attack could have been stopped. For instance, at a certain point the hackers installed software on the FTP server to send out spam. This spam was blocked by the firewall. The installation of this software and the blocking of the spam could have been an early indicator that something was wrong in the network.
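As an added example (not from the NFIR report and not Secura's own tooling), the detection logic below runs over a constructed set of Windows Security logon events and flags the pattern described above: many failed RDP logons from one source address, followed by a successful logon as “testadmin” from that same source. Event ids 4625/4624 and logon type 10 carry their standard Windows meanings; the source addresses, usernames other than testadmin, timing and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 20               # failed RDP logons from one source address...
WINDOW = timedelta(minutes=10)    # ...within this window raise an alert

def make_sample_events():
    """Constructed sample of Windows Security logon events (not real logs).
    id 4625 = failed logon, 4624 = successful logon, logon_type 10 = RDP.
    Source address, timing and non-test usernames are made up."""
    start = datetime(2020, 11, 9, 2, 0, 0)
    guesses = ["administrator", "admin", "backup", "testadmin"]
    events = [{"time": start + timedelta(seconds=15 * i), "id": 4625,
               "user": guesses[i % 4], "src": "203.0.113.7", "logon_type": 10}
              for i in range(40)]
    # After the burst of guesses the same source logs on as the test account.
    events.append({"time": start + timedelta(minutes=12), "id": 4624,
                   "user": "testadmin", "src": "203.0.113.7", "logon_type": 10})
    # Benign noise: a single typo from an internal workstation, no alert expected.
    events.append({"time": start + timedelta(hours=6), "id": 4625,
                   "user": "jdoe", "src": "10.0.5.23", "logon_type": 10})
    return events

def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """One alert per source with at least `threshold` failed RDP logons inside
    `window`; the alert keeps counting later failures, records the usernames
    tried and, if that source then logs on successfully, the account taken over."""
    rdp = sorted((e for e in events if e["logon_type"] == 10), key=lambda e: e["time"])
    failures = defaultdict(list)   # src -> failed logons still inside the window
    alerts = {}
    for e in rdp:
        src = e["src"]
        if e["id"] == 4625:
            recent = [f for f in failures[src] if e["time"] - f["time"] <= window]
            recent.append(e)
            failures[src] = recent
            if src in alerts:
                alerts[src]["failed_attempts"] += 1
                alerts[src]["users_tried"].add(e["user"])
            elif len(recent) >= threshold:
                alerts[src] = {"src": src, "first_seen": recent[0]["time"],
                               "failed_attempts": len(recent),
                               "users_tried": {f["user"] for f in recent},
                               "success_as": None}
        elif e["id"] == 4624 and src in alerts:
            # A success right after a burst of failures: the password was guessed.
            alerts[src]["success_as"] = e["user"]
    return list(alerts.values())
```

Fed the sample, the detector raises a single alert for 203.0.113.7 with 40 failed attempts and `success_as` set to testadmin, while the lone internal typo stays silent.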
If the hackers of Hof van Twente had written a report, they would probably have included the following findings:
- Medium Risk - Admin interfaces available from the internet.
- Medium Risk - Lack of detection capabilities.
- Medium Risk - Weak password policy.
- Medium Risk - Excessive privileges for accounts.
- Medium Risk - No multi-factor authentication on user accounts.
- Medium Risk - Lack of network segmentation.
- Low Risk - Test accounts in production environment.
- Low Risk - Back-up connected to the network.
- Low Risk - Accounts not associated with specific persons.
Notice how these are mostly medium and low risk findings, giving a sense of “some improvement needed, but not that big of a deal”. However, chaining them together resulted in a critical situation with a near full business standstill.
The Valuable Lessons Learned
Now you might be wondering: that is a nice horror story, but how do I stop this from happening to my organization? Well, when looking at this specific scenario, there are a few recommendations which can be made:
- Ensure administrative interfaces are not reachable from the internet unless it is absolutely necessary.
- Implement detection mechanisms which alert the organization when “strange things” happen on the network.
- Implement a strong password policy, combined with multi-factor authentication.
- Ensure accounts only have the minimal amount of privileges they need for their intended purpose.
- Accounts used in an acceptance environment should not have access to production as both environments have a different level of security.
- Implement network segmentation to prevent jumping from low-profile to high-profile servers.
- Always use named user accounts to stop password sharing and increase traceability.
- Make sure there is at least one back-up which is not connected to the network.
Fixing any of these vulnerabilities would have broken the chain and greatly increased the difficulty of this attack.
It is strongly advisable to have a security testing firm such as Secura test for these kinds of vulnerabilities, to prevent attackers from being able to form such an attack chain.
Secura knows the common pitfalls and can provide advice on where to find them and how to mitigate them, increasing the level of security in the organization in a language that people of different technical skill levels (from development to management) can understand.
“The best way to defend against hackers is by using hackers”.