A Real Ransomware Attack and the Opportunities that were Missed!
14 March
Last week an article appeared online which detailed the timeline of a novel ransomware attack. In short, the attackers made use of an insecure IP Camera in order to gain a foothold on the victim's network and deliver their ransomware.
This raised the question for us: “How could the services and technologies that we offer at ANSecurity have been utilised to stop this attack from being successful?”
Initial Access
The article starts by explaining that initial access was gained via “an exposed remote access solution”. We don’t have all the information here, but it’s fair to assume that something was either brute-forced, or stolen but valid credentials were used.
Attack surface monitoring (we offer solutions from Palo Alto Networks, Censys and Tenable) could well have reduced the risk here by discovering exposed credentials or an accidental misconfiguration of the remote access solution. Our Managed Vulnerability Management Service offers unauthenticated vulnerability scans of our customers’ public IP space, which could have flagged an accidentally exposed interface here.
Additionally, placing the remote access solution behind a properly configured WAF or NGFW would detect, prevent and alert if an attempt at a password spray or brute force attack was seen.
If a single sign-on (SSO) or identity provider (IdP) solution was in place, how was it configured and what alerting was generated here? A tight configuration, with enforced phishing-resistant sign-in, geo-blocks and risky-user analysis, would likely have prevented this initial access from succeeding.
Persistence
The attackers were then able to get AnyDesk installed on a device which will have served two purposes for them.
- Enable them to reconnect to the victim without requiring access to any previously used credentials.
- Allow a route out for stolen data to be later used as part of double-extortion ransomware.
Effective application restrictions (AppLocker/Intune) as well as detailed logging and alerting would have prevented new software from being installed and, crucially, reported that it had been attempted. Stopping the attack at this stage would have allowed for root cause analysis and the cyber kill chain to be broken. Furthermore, application-aware traffic inspection would have been able to prevent (or alert on) traffic being sent through an unsanctioned remote access tool.
Defence Evasion and Lateral Movement
The threat actor’s first attempt at getting malware into the environment failed because of the EDR that was running on the machine. Once the malware was quarantined the attack was essentially paused. Although this automatic quarantine was effective and prevented the attackers from making progress, it fell short of reaching the “alert” stage of defence as it seemingly did not instigate any human investigation.
It’s at this stage where endpoint logging to a SIEM (LogRhythm, Rapid7, Cynet or even Lima Charlie for example) could have correlated the actions observed to generate a high-confidence alert that an attack was taking place.
Had the victim been able to muster a timely incident response at this stage, either themselves or through a managed SOC (we offer Redscan, SentinelOne, Rapid7) or MDR service, the threat actor would have been expelled. No such investigation took place, and the threat actor had time to look for another way to continue their attack.
The attackers made use of Microsoft RDP to connect to many systems and further their understanding of the victim’s network. The lack of a properly configured East-West firewall meant that their actions went undetected.
In the absence of a fully segregated and zero-trust network, the attacker was able to enumerate other devices on the network and identify an unpatched and vulnerable IP Camera within the same network. Once the vulnerability had been exploited, the attackers had complete control of a “mini-computer” on the network with no endpoint protection software running, from which to launch their attack. A proper IoT asset discovery process as well as a vulnerability management programme would have led to this device being patched (and thus not exploitable) or removed from the network entirely if it wasn’t fixable.
Furthermore, as the victim wasn’t following a zero-trust or “least privilege” access methodology, the attackers’ newly acquired camera had unrestricted access to a file server over Windows SMB and was able to encrypt the organisation’s data and finally deliver a ransom demand.
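As an added example (not part of the original article or any vendor product), here is the kind of SIEM correlation described in the Defence Evasion section, extended to the camera-to-file-server access above: it raises a high-confidence alert when a host fans out over RDP shortly after an EDR quarantine on it, and when a device outside the managed naming convention opens SMB to a server. The hostnames, the naming convention and the event records are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, normalised schema (not real SIEM data).
EVENTS = [
    {"ts": "2025-03-01T08:00:00", "type": "net_flow", "host": "WS-010", "dst": "SRV-01", "port": 3389},
    {"ts": "2025-03-01T09:00:00", "type": "edr_quarantine", "host": "WS-042", "detail": "malware.exe"},
    {"ts": "2025-03-01T09:20:00", "type": "net_flow", "host": "WS-042", "dst": "SRV-01", "port": 3389},
    {"ts": "2025-03-01T09:25:00", "type": "net_flow", "host": "WS-042", "dst": "SRV-02", "port": 3389},
    {"ts": "2025-03-01T09:31:00", "type": "net_flow", "host": "WS-042", "dst": "CAM-07", "port": 3389},
    {"ts": "2025-03-01T11:02:00", "type": "net_flow", "host": "CAM-07", "dst": "FILESRV", "port": 445},
]
WINDOW = timedelta(hours=2)      # how long after a quarantine RDP fan-out stays suspicious
RDP_FANOUT = 3                   # distinct RDP targets that trigger an alert
MANAGED_PREFIXES = ("WS-", "SRV-")  # assumed naming convention for EDR-managed endpoints


def correlate(events, window=WINDOW, fanout=RDP_FANOUT):
    """Return (severity, message) alerts from a list of normalised events."""
    alerts = []
    quarantined = {}                 # host -> time of its most recent EDR quarantine
    rdp_targets = defaultdict(set)   # host -> distinct RDP destinations since quarantine
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "edr_quarantine":
            # An automatic quarantine is a signal, not an outcome: start watching this host.
            quarantined[e["host"]] = t
            rdp_targets[e["host"]].clear()
        elif e["type"] == "net_flow":
            src = e["host"]
            # Rule 1: RDP to several hosts soon after a quarantine on the same machine.
            if e["port"] == 3389 and src in quarantined and t - quarantined[src] <= window:
                rdp_targets[src].add(e["dst"])
                if len(rdp_targets[src]) == fanout:
                    alerts.append(("HIGH", f"{src}: RDP to {fanout} hosts within "
                                           f"{window} of EDR quarantine"))
            # Rule 2: an unmanaged device (e.g. an IP camera) opening SMB to a server.
            if e["port"] == 445 and not src.startswith(MANAGED_PREFIXES):
                alerts.append(("HIGH", f"{src}: unmanaged device opened SMB to {e['dst']}"))
    return alerts


if __name__ == "__main__":
    for severity, message in correlate(EVENTS):
        print(severity, message)
```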
Conclusion
The misfortune of the victim in this real-world example demonstrates succinctly the value of a layered approach to security and in getting the basics right. Multiple, low-cost opportunities were missed here, any of which could have prevented this attack from succeeding.