A disturbing new trend in cyberattacks has started to become prevalent. Recently, a beverage manufacturer was hit by ransomware; what’s new here is that it was installed remotely using a compromised administrator account. While ransomware has traditionally been delivered by email, this could signal a new attack vector we need to protect against.
This isn’t an entirely new attack. The perpetrators used tools already present on the machines to launch the attack. These are known as “living off the land” attacks, which have become increasingly common. Doing this allows them to sneak past security controls by using built-in, trusted components of the system. Attacks like these can be hard to defend against, but there are steps you can take to reduce your risk of a successful attack.
Before I get into that, I want to walk you through the recent attack.
Researchers at Trend Micro found the attack started with a compromise on the system. They haven’t specifically reported when or how that compromise occurred, but this initial compromise allowed the perpetrators to kick off the rest of the attack. Next, they used PowerShell Empire, a post-exploitation agent, to tunnel into specific machines. From there, they compromised administrator accounts and used them to install the BitPaymer ransomware using PsExec, a tool currently owned by Microsoft that allows users to remotely execute processes on a machine.
BitPaymer avoids detection using alternate data streams (ADS). ADS is a feature of NTFS, the Windows NT file system, and allows a file to carry additional named data streams beyond its main content. These streams are usually hidden (ordinary directory listings don’t show them, although there are multiple tools for reading alternate data streams). Cybercriminals often use ADS to hide malware within legitimate files, making it hard for some security tools to detect.
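PowerShell is one of the tools that can read alternate data streams. The script below is an added example, not code from the original post or from Trend Micro: it walks a directory and lists every file that carries a named stream beyond the default unnamed one. The scan path is an assumption (change it to the share or user profile you want to check). Zone.Identifier is the common benign stream that browsers add to downloaded files, so it is labelled rather than suppressed; anything else deserves a look.

```powershell
# Added example, not from the original post: list files under $Path that carry
# a named alternate data stream. Every file has the unnamed ':$DATA' stream, so
# only other streams are reported. Zone.Identifier (the "mark of the web" that
# browsers put on downloads) is common and benign, so it is labelled separately.
param(
    [string]$Path = 'C:\Users\Public'   # assumption: directory to scan
)

Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * enumerates all NTFS data streams of the file.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [PSCustomObject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    Note   = $(if ($_.Stream -eq 'Zone.Identifier') { 'browser zone tag' } else { 'review' })
                }
            }
    } |
    Sort-Object Bytes -Descending |
    Format-Table -AutoSize
```

Sorting by size puts the interesting entries at the top: a Zone.Identifier stream is a few dozen bytes, whereas an executable hidden in a stream is tens or hundreds of kilobytes. To inspect a flagged stream without running it, `Get-Content -LiteralPath <file> -Stream <name> -Encoding Byte` (or `-AsByteStream` on PowerShell 7) reads its raw bytes.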
While this style of attack makes it challenging to detect the threat, there are steps you can take to help protect your customers.
I’ve always said a well-managed environment is a secure environment. Keeping track of your admin accounts and implementing least privilege can help you reduce the chance of a ransomware attack launching from a compromised admin account. And if you have monitoring in place, you can further reduce your risk.
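The attack chain described above leaves two footprints that monitoring can pick up: PsExec installs a temporary service on the target machine, which the System log records as a service-install event, and the compromised admin accounts log on over the network. The script below is an added example, not from the original post, that checks both on a Windows host from an elevated shell. The account names in $PrivilegedAccounts are placeholders for your own admin accounts, and the field indices used for the 4624 logon event follow the standard layout of that event.

```powershell
# Added example, not from the original post: two monitoring checks for the
# attack chain described above. Run in an elevated PowerShell on the host.
# $PrivilegedAccounts holds placeholder names; substitute your own admin accounts.
param(
    [string[]]$PrivilegedAccounts = @('Administrator', 'admin-svc'),  # placeholders
    [int]$Hours = 24
)
$since = (Get-Date).AddHours(-$Hours)

# Check 1: PsExec runs its payload by installing a temporary service on the
# target (named PSEXESVC unless the operator renames it). The System log records
# every service install as event ID 7045; Properties[0] is the service name and
# Properties[1] the image path. Because the name can be changed, reviewing all
# 7045 events is the safer baseline; this filter pulls out the default name.
$psexecInstalls = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 7045; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Properties[0].Value -match 'PSEXESVC' -or
        $_.Properties[1].Value -match 'PSEXESVC'
    } |
    ForEach-Object {
        [PSCustomObject]@{
            Time      = $_.TimeCreated
            Service   = $_.Properties[0].Value
            ImagePath = $_.Properties[1].Value
        }
    }

# Check 2: network logons (logon type 3) by privileged accounts, Security event 4624.
# Field indices follow the 4624 schema: [5] target user, [8] logon type, [18] source IP.
$remoteAdminLogons = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Properties[8].Value -eq 3 -and
        $PrivilegedAccounts -contains $_.Properties[5].Value
    } |
    ForEach-Object {
        [PSCustomObject]@{
            Time     = $_.TimeCreated
            Account  = $_.Properties[5].Value
            SourceIp = $_.Properties[18].Value
        }
    }

"PsExec-style service installs in the last $Hours h: $(@($psexecInstalls).Count)"
$psexecInstalls | Format-Table -AutoSize
"Network logons by privileged accounts in the last $Hours h: $(@($remoteAdminLogons).Count)"
$remoteAdminLogons | Format-Table -AutoSize
```

Run on a schedule, the two lists give you a baseline: a service install from a machine that has no business running PsExec, or an admin logon from an unexpected source address, is the signal to investigate before the ransomware stage. Keeping the privileged-account list short, which is what least privilege means in practice, also keeps this report short enough to actually read.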
These types of attacks won’t go away—in fact, they’re only likely to increase. So make sure you’re prepared by vigilantly managing your customers’ environments.