![]() Reconstructing the attack from logsĪttackers will often delete log data to obfuscate their tracks, and this incident was no exception – the attackers manually deleted nearly all log data about a month prior to investigator discovery. The nature of the activity recovered from logs and browser history files on the compromised server gave us the impression that the threat actors who first broke in to the network weren’t experts, but novices, and that they may later have transferred control of their remote access to one or more different, more sophisticated groups who, eventually, delivered the ransomware payload. Over time, we found that the attackers’ tactics changed, in some cases so drastically it seemed as though an attacker with very different skills had joined the fray. The Lockbit attacker used multiple internal RDP connections and the Windows SSH client PuTTY, and installed ScreenConnect, in short order With no protection in place, the attackers installed ScreenConnect to give themselves a backup method of remote access, then moved quickly to exfiltrate files from file servers on the network to cloud storage provider Mega. As a result, some systems were left vulnerable to sabotage by attackers, who disabled endpoint protection on the servers and some desktops. Evidence left behind show the attackers using tools like GMER, IObit Unlocker, and Process Hacker to try to disable endpoint protectionĬritically, technicians managing the target network left a protective feature disabled after they completed maintenance. There was also evidence the attackers used freeware tools like PsExec, FileZilla, Process Explorer, or GMER to execute commands, move data from one machine to another, and kill or subvert the processes that impeded their efforts. In addition to various custom scripts and configuration files used by hacking tools the attackers installed, we found a wide variety of other malicious software, from password brute-forcers, to cryptominers, to pirated versions of commercial VPN client software. We also found download logs of various RDP scanning, exploit, and brute-force password tools, and records of successful uses of those tools, so Windows remote desktop was on the menu, too. They appeared to prefer the IT management tool ScreenConnect, but later switched to AnyDesk in an attempt to evade our countermeasures. Sophos was able to piece together the narrative of the attack from those unmolested logs, which provide an intimate look into the actions of a not particularly sophisticated, but still successful, attacker.įor instance, the logs recorded that the attackers installed various commercial remote-access tools on accessible servers and desktops. Reconstructed from logs, analysts found evidence the threat actors searched for (then downloaded) tools using a Chrome browser they installed on the compromised server Though the attackers deleted many Event Logs from machines they controlled, they didn’t remove them all. Throughout the period attackers were active on the target’s network, they installed, then used Chrome browser to search for (and download) hacking tools on the “patient zero” computer, a server, where they made their initial access. Professional versions are available for a fee.In an attack where unknown threat actor groups spent at least five months poking around inside the network of a regional US government agency, behavioral log data suggests that two or more such groups were active before the final group deployed a Lockbit ransomware payload earlier this year. A limited non-commercial version of VNC Connect is free. The two computers don't need to be the same type so you can use VNC Connect to view a Windows desktop at the office from a Mac or Linux computer. VNC Connect remote access and control software allows you to interact with a desktop or mobile device anywhere on the internet.Chrome Remote Desktop is cross-platform software for Windows, macOS, and Linux computers that allows users to remotely access another computer through the Chrome browser or most devices including Chromebooks.AnyDesk is free for personal use business use requires a subscription. AnyDesk allows you to make a remote desktop connection to access your programs and files from anywhere without having to put them on a cloud service.Designed for collaboration and information exchange, the free TeamViewer emphasizes private data, conversations, and meetings. TeamViewer controls another PC remotely.LogMeIn requires an account subscription on your computer. LogMeIn's premium features include file sharing, file transfer, and remote printing. LogMeIn gives you remote access to your PC or Mac from a desktop, mobile device, or browser.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |