
Knowing how to read a log and recognizing a behavioral anomaly, especially on non-working days and at non-working hours, will inevitably reduce the risk of a compromise.

Recently, Cyberoo’s Incident Response team was engaged after a total Ransomware attack (exfiltration, encrypted servers, and destroyed backups) on a medium-sized Italian company.

The attack was devastating. 30 years of data destroyed in a few moments with related consequences still ongoing: staff laid off, turnover collapsed and loss of competitive advantage.

Reconstructing the facts

Reconstructing the chain of events was difficult: the only logs available were from the firewall and the NAS. Analyzing the firewall, the IR team found a software version affected by a known and recently documented CVE. This vulnerability is typically exploited to exfiltrate the credentials of users authenticated to the firewall.

Not only that: the configuration also revealed that the Domain Administrator account was used to query the LDAP server and validate VPN authentication. With very little effort, the attacker obtained local login credentials, established a VPN connection from an East Asian IP address, and obtained domain admin credentials.

The NAS logs, in turn, revealed logins from an IP address belonging to the VPN pool, followed by content deletion. Correlating this information made it possible to identify the date and time of the suspicious VPN connection. The absence of MFA then contributed to everything that followed.

Looking at the firewall configuration, the Incident Response team noticed that this behavioral anomaly (a VPN connection from a suspicious IP) had been reported by e-mail to the IT staff, but it went unnoticed, like most reports sent outside business hours.
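The correlation described in the two paragraphs above (a VPN login at an unusual time from an unexpected source, joined to NAS deletions coming from the address the VPN assigned to that session) can be automated so that the alert does not depend on someone reading e-mail on a Saturday night. The script below is an added example written for this article; it is not Cyberoo's tooling or any vendor's log format. The key=value log lines, the office hours, the VPN pool, the "expected" public ranges and the deletion threshold are all constructed assumptions for the demonstration.

```python
"""Correlate firewall VPN logins with NAS activity to surface the pattern from
the case above: off-hours VPN login from an unexpected source, then mass
deletion from the assigned VPN pool address. Added example; log formats and
thresholds are constructed, not taken from the incident."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample logs (2023-11-10 is a Friday, 2023-11-11 a Saturday).
FIREWALL_LOG = """\
ts=2023-11-10T10:12:03 event=vpn_login user=m.rossi src=203.0.113.10 assigned=10.8.0.5
ts=2023-11-11T03:41:17 event=vpn_login user=administrator src=198.51.100.77 assigned=10.8.0.9
ts=2023-11-11T03:42:02 event=vpn_login user=backupsvc src=198.51.100.77 assigned=10.8.0.10
"""
NAS_LOG = """\
ts=2023-11-10T10:30:00 event=file_write client=10.8.0.5 path=/shares/sales/q4.xlsx
ts=2023-11-11T03:55:40 event=file_delete client=10.8.0.9 path=/backups/2023-11-10.tar
ts=2023-11-11T03:55:41 event=file_delete client=10.8.0.9 path=/backups/2023-11-09.tar
ts=2023-11-11T03:55:42 event=file_delete client=10.8.0.9 path=/backups/2023-11-08.tar
"""

# Assumptions for this example: office hours, the VPN pool, the public ranges
# users normally connect from, and the accounts that should never use the VPN.
BUSINESS_HOURS = (8, 19)                      # 08:00-19:00 local time, Mon-Fri
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
EXPECTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
PRIVILEGED_USERS = {"administrator"}
SESSION_WINDOW = timedelta(hours=12)          # how long a login is considered active
DELETE_THRESHOLD = 3                          # deletions per session = mass deletion


def parse_kv_lines(text):
    """Parse 'key=value key=value' lines into dicts; 'ts' becomes a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(tok.split("=", 1) for tok in line.split())
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def is_off_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def is_unexpected_source(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in EXPECTED_SOURCES)


@dataclass
class Finding:
    user: str
    src: str
    login_ts: datetime
    reasons: list = field(default_factory=list)
    deletions: int = 0

    @property
    def severity(self):
        # Destructive activity tied to the session outranks the login heuristics.
        if self.deletions >= DELETE_THRESHOLD:
            return "critical"
        if len(self.reasons) >= 2:
            return "high"
        return "medium" if self.reasons else "info"


def correlate(fw_text, nas_text):
    """Score each VPN login and join NAS deletions to it via the assigned address."""
    logins = [r for r in parse_kv_lines(fw_text) if r["event"] == "vpn_login"]
    nas = parse_kv_lines(nas_text)
    findings = []
    for login in logins:
        f = Finding(login["user"], login["src"], login["ts"])
        if is_off_hours(login["ts"]):
            f.reasons.append("off-hours login")
        if is_unexpected_source(login["src"]):
            f.reasons.append("unexpected source address")
        if login["user"] in PRIVILEGED_USERS:
            f.reasons.append("privileged account over VPN")
        # NAS events are attributed to the session whose pool address they came
        # from, within the session window after the login.
        if ipaddress.ip_address(login["assigned"]) in VPN_POOL:
            for ev in nas:
                if (ev["client"] == login["assigned"]
                        and ev["event"] == "file_delete"
                        and login["ts"] <= ev["ts"] <= login["ts"] + SESSION_WINDOW):
                    f.deletions += 1
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in correlate(FIREWALL_LOG, NAS_LOG):
        print(f"{f.severity:8} {f.login_ts} {f.user:14} from {f.src:15} "
              f"deletions={f.deletions} reasons={', '.join(f.reasons) or '-'}")
```

On the constructed data the Friday login scores "info", the Saturday "administrator" login is "critical" because three backup deletions are attributed to its pool address, and the second off-hours login is "high" on the login heuristics alone. The point of the join on the assigned pool address is that the NAS only ever sees 10.8.0.x, so without the firewall's login record there is nothing to tie the deletions to a user and a public source address; that is the same correlation the IR team had to do by hand after the fact.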

The lack of alert management, together with domain controllers running without EDR because of operating-system obsolescence, were the direct and contributing causes of what happened.

Conclusions

What emerged highlighted two key aspects in the area of prevention.

The first can be traced back to the absence of adequate alert management. There is no point in generating so many notifications if they are not analyzed by experienced eyes, in real time, and promptly turned into appropriate countermeasures. Considering that IT infrastructure, unlike personnel, operates 24/7, it is unthinkable that “day-to-day” management alone can be enough to ensure corporate cybersecurity. There is a need for skilled and constant supervision, an efficient response chain, and technologies that can automate the intervention process (automatic remediation).

Second, the obsolescence of IT systems, coupled with the lack of multi-factor authentication, is and always will be exactly what every attacker hopes to find.