Attackers compromised the network of a regional U.S. government agency, where they lurked for at least five months before the LockBit ransomware was ultimately deployed.
Upon closer investigation of the behavioral log data, researchers with Sophos observed that there may have been at least two threat groups active on the compromised network of the unnamed agency before a final group deployed the payload. While at first, the attack appeared to be carried out by seemingly-novice attackers that “then seemed unsure of what to do next,” later a likely different set of attackers deployed the ransomware, stealing data and encrypting files, according to Andrew Brandt, principal security researcher with Sophos.
“This was a very messy attack,” said Brandt. “About four months after the initial breach, the nature of the attack activity changed, in some cases so drastically that it suggests attackers with very different skills had joined the fray.”
The initial point of access for the attack, which occurred in September, appeared to be an open remote desktop protocol (RDP) port on a firewall, which was configured to provide public access to a server, said Sophos researchers in the Tuesday analysis.
After gaining initial access, attackers installed the Chrome browser to search for and download hacking tools on the compromised server. In some cases, the attackers while searching for tools visited sketchy download sites that delivered adware, rather than the tools they were looking for, an unintentionally noise move that could have opened up the attack to detection, said researchers. Attackers installed various commercial remote-access tools on accessible servers and desktops, as well as RDP scanning, exploit and brute-force password tools.
“In addition to various custom scripts and configuration files used by hacking tools the attackers installed, we found a wide variety of other malicious software, from password brute-forcers, to cryptominers, to pirated versions of commercial VPN client software,” said researchers.
“About four months after the initial breach, the nature of the attack activity changed, in some cases so drastically that it suggests attackers with very different skills had joined the fray."
“There was also evidence the attackers used freeware tools like PsExec, FileZilla, Process Explorer or GMER to execute commands, move data from one machine to another, and kill or subvert the processes that impeded their efforts," they said.
Despite the download of these tools, researchers noted that the attackers did not appear to be “moving toward a particular goal or operating with great urgency.” Then, in mid-January the attackers’ tactics changed significantly, when they attempted to uninstall security software, collected and exfiltrated data and deployed the LockBit ransomware, which researchers said had “limited success.”
“Fortunately for the target, on at least a few machines, the attackers didn’t complete their mission, as we found files that had been renamed with a ransomware-related file suffix, but that had not been encrypted,” said researchers. ”Cleanup in those cases just involved renaming the files to restore their previous file suffixes.”
Local governments and government agencies continue to be targeted in cyberattacks, with the FBI recently warning that in 2021, local governments represented the second highest group to be victimized by ransomware actors. In March, researchers disclosed a campaign by the APT41 group that had compromised at least six U.S. state government networks between May and February.
Researchers with Sophos said that organizations can prevent initial access by implementing security measures, like multi-factor authentication or setting firewall rules to block remote access to RDP ports. Another way to avoid an attack like this is to stay on the lookout for various tools that may have been installed for malicious purposes.
“If a member of the IT team hasn’t downloaded them for a specific purpose, the presence of such tools on machines on your network is a red flag for an ongoing or imminent attack,” said Brandt. “Unexpected or unusual network activity, such as a machine scanning the network, is another such indicator.”