Honeypots ! Attacked.. revealed the threat actor mechanism..

A honeypot created by Cybereason to lure cybercriminals and analyze their methods showed that ransomware attacks infiltrate their victims in multiple stages.

A honeypot is a network infrastructure built specifically to reel in cybercriminals to see how they behave and carry out a typical attack. In this case, Cybereason devised an extensive network architecture that pretended to be part of an electricity generation and transmission provider’s network. As such, this honeypot contained an IT environment, an OT (operational technology)environment, and HMI (human machine interface) management systems.

After the honeypot officially opened for business, it took only three days to infiltrate and fill it with malware. But the attack was carried out in distinct stages as the criminals carefully and stealthily forced their way from one resource to another.

In the first stage, the attackers gained initial access by exploiting publicly accessible remote administration interfaces. Such interfaces are typically designed by network operators to give technical support staff the ability to remotely connect to the network. To invade the network, the attackers were able to brute force the administrator’s account password and sign in remotely. After that, the criminals uploaded and ran a PowerShell script to create a backdoor so the attackers could persistently use and abuse the admin account without being detected.

honeypot-stage-1-cybereason.jpg

In the second stage, the criminals uploaded more attack tools via PowerShell. One of those was Mimikatz, an open-source tool used to steal user credentials. The stolen credentials were used in an attempt to move laterally across the network to the domain controllers. However, the attempt failed as none of the compromised accounts had permission to access the domain controllers.Image: Cybereason

honeypot-stage-2-cybereason.jpg

In stage three, the attack continued to try to move laterally by leveraging a network scanner to discover additional endpoints. Finally, in the fourth stage, the ransomware launched on all the compromised endpoints.Image: Cybereason

honeypot-stage-3-cybereason.jpg

The ransomware attack against the honeypot shows that cybercriminals use multiple stages to infect as many machines as possible and maximize their profits. Instead of just deploying the ransomware on one system, they’ll move laterally throughout the network to hit one machine after another before finally launching the ransomeware

Beyond just encrypting sensitive files and demanding payment from the victim, ransomware attackers are going further with their threats.

“In this whole process, ransomware is the last to be deployed because it allows the criminals to not only demand payment for the decryption key, but also demand payment to not publicly release or sell data they have exfiltrated,”

To better protect your organization against ransomware attack, step up the following recommendations:

  1. Establish cyber incident response tools and procedures across both IT and OT networks with the goal to minimize Mean-Time-To-Response.
  2. Establish unified security operation center and workflows across both IT and OT environments.
  3. Design and operate with resiliency in mind.
  4. Partner with experts.
  5. Test, test, test.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s