Leaving your pants down
In the middle of the night, out of the blue, a number of computers within a power company’s network started alerting that they could not communicate with each other.
As the power company started investigating, it became very apparent that their servers were being held for ransom. On each server's screen a ransom note demanding 28 Bitcoin was displayed, along with the steps required to decrypt all of their machines once payment was received.
At this point the power company contacted the Check Point Incident Response Team to assist with the case. The team engaged and identified a very troubling chain of events.
The team worked with the customer to review logs, memory images, and drive forensics, and determined that the attacker directly infiltrated the customer's network through a Remote Terminal Server connection that was exposed directly to the internet. As the investigation unfolded, the team learned that the remote terminal server had been deployed to give vendors access into the power company's network. The team identified the telltale signs of a breach, including the use of tools to reverse engineer user accounts and tools that allowed direct lateral movement within the network.
As the team dug further, it became clear that the original attack was not an exploited vulnerability or an attack on the server itself: the attacker simply brute-forced a very simple username and password combination and guessed the account.
Once the investigation showed how the attacker had been able to log in and plant the ransomware directly on the company's servers, the company considered the best course of action to restore its business. It was quickly determined that the information lost to the attack was worth at least 5 times the ransom.
Sadly, the customer paid the ransom.
Lessons Learned?
Do not expose direct system access to the internet without a number of other controls, such as two-factor authentication, VPNs, limiting direct internet access, etc.
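The intrusion above began with password guessing against an internet-facing terminal server, which is also the easiest stage to catch. The following detection is an added example, not part of the original post or Check Point's tooling: it runs over constructed sample lines in a flattened Windows Security log style (event 4625 failed logon, 4624 successful logon, logon type 10 for remote interactive sessions), flags a source address that fails five logons within five minutes, and separately flags a successful logon from a source whose failure burst is still open, which is the "guessed it" moment. Field names, IP addresses, and usernames are all made up for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a flattened Windows Security log style (not from the incident).
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (terminal server).
SAMPLE_LOG = """\
2016-03-01T02:10:01 EventID=4625 LogonType=10 User=administrator Source=203.0.113.7
2016-03-01T02:10:02 EventID=4625 LogonType=10 User=administrator Source=203.0.113.7
2016-03-01T02:10:03 EventID=4625 LogonType=10 User=admin Source=203.0.113.7
2016-03-01T02:10:04 EventID=4625 LogonType=10 User=vendor Source=203.0.113.7
2016-03-01T02:10:05 EventID=4625 LogonType=10 User=vendor Source=203.0.113.7
2016-03-01T02:11:00 EventID=4625 LogonType=10 User=jsmith Source=198.51.100.5
2016-03-01T02:11:05 EventID=4624 LogonType=10 User=jsmith Source=198.51.100.5
2016-03-01T02:12:00 EventID=4624 LogonType=10 User=vendor Source=203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) LogonType=(\d+) User=(\S+) Source=(\S+)$")


def parse_events(text):
    """Turn the flattened log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, eid, ltype, user, src = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "event_id": int(eid),
                           "logon_type": int(ltype), "user": user, "source": src})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources failing `threshold` remote logons within `window`, and any success that follows."""
    failures = defaultdict(list)  # source IP -> timestamps of recent failed logons
    burst_sources = set()         # sources already reported, so a burst is reported once
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:
            continue  # only remote interactive (terminal server) logons matter here
        src = ev["source"]
        recent = [t for t in failures[src] if ev["time"] - t <= window]
        failures[src] = recent
        if ev["event_id"] == 4625:
            recent.append(ev["time"])
            if len(recent) >= threshold and src not in burst_sources:
                burst_sources.add(src)
                alerts.append({"kind": "burst", "source": src, "time": ev["time"], "failures": len(recent)})
        elif ev["event_id"] == 4624 and len(recent) >= threshold:
            alerts.append({"kind": "success_after_burst", "source": src, "user": ev["user"],
                           "time": ev["time"], "failures": len(recent)})
    return alerts
```

The single failed logon from 198.51.100.5 followed by a success stays quiet, while 203.0.113.7 produces both a burst alert and a success-after-burst alert for the vendor account; the threshold and window are the knobs to tune against your own baseline of legitimate vendor logons.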