2nd June 2020 - Evening
Because not all security incident responses and forensic investigations are created equal, the COVID-19 pandemic presented several unique cyber incident response challenges.
On 2 June 2020, a Sangfor customer in the Philippines was attacked by ransomware and requested Sangfor's investigative assistance in identifying the initial attack vector and fixing the weaknesses discovered. This is a very responsible practice, as most companies focus on restoring business operations and overlook the importance of lessons learned.
As the time for investigation was very limited and Sangfor had neither physical nor remote access to the customer's environment, Sangfor decided to provide remote instructions to assist in locating the initial attack vector and determining the kill chain.
First, Sangfor asked that the customer perform the following steps:
- Contain the infected host by unplugging the cable
- Take a screenshot of encrypted files
- Take a screenshot of ransom notes
- Collect the event viewer logs from “%SystemRoot%\System32\Winevt\Logs”
Why did Sangfor suggest these steps? The purpose of containment is to isolate the infected host and disconnect it from the network. This prevents the ransomware from spreading and propagating within the network, and prevents attackers from using the infected server as a jumping-off point to attack machines in other network segments using pivoting techniques. The purpose of the screenshots of encrypted files and ransom notes is to attempt to determine the ransomware family, based on the encrypted file extensions and the wording of the ransom note.
The customer sent Sangfor the following screenshot:
June 2nd, 19:15
Unfortunately, based on the screenshots provided by the customer, there was no direct indicator for Sangfor to determine the exact ransomware family. However, based on its behavior, the ransomware looked like a variant of the Phobos ransomware family. The screenshot also shows that the Microsoft Windows Malicious Software Removal Tool did not detect any malicious software, perhaps because the attacker removed all malicious files after the ransomware had been successfully executed.
June 2nd, 19:30
The next step was to identify the initial attack vector and how the attacker gained access to the compromised machines. Sangfor determined that most of the files had been encrypted on 2 June 2020 at around 7:00 AM, and used this information as a jumping-off point for investigating the event viewer logs, focusing on the time of encryption.
Based on the event viewer, Sangfor discovered suspicious logs on the terminal service of the infected machine. It appeared that someone had been remotely accessing the infected machine with the username "systern". Take a closer look: it is the word "system" spelled incorrectly, with the letter "m" replaced by the characters "r" and "n". Many attackers use this kind of homograph-like technique in an attempt to spoof a legitimate identity and avoid raising the alarm of the system administrator.
June 2nd, 20:00
Upon confirmation with the system administrator and after checking the creation time of the user account, Sangfor confirmed that the user accounts “systern,” “kingdee,” and “PRINTTEMPLATE” were not genuine user accounts created by the system administrator.
In addition, based on the event viewer log, there was a continuous SMB brute force attack from the public network or Internet. However, the earliest time recorded by the security log is 2:05:09 PM, potentially indicating that the attacker had cleared his or her tracks by removing the evidence logs from the event viewer while executing the malicious software or ransomware.
It seems that there were SMB request attempts from an external IP address which were rejected, due to an incorrectly signed message.
June 2nd, 20:15
Upon further investigation, the IP address, which originated from Brazil, was categorized as a known blacklisted IP address by the VirusTotal threat intelligence engine.
June 2nd, 20:30
Unfortunately, the challenges of the investigation did not end with the incident response team's inability to obtain remote access. Most of the evidence had been removed by the attackers, and the investigation became more difficult still when the customer decided to stop the investigation and shut down the server, due to the limited working hours enforced by a nationwide COVID-19 lockdown. Sangfor had no choice but to stop the investigation process.
Although Sangfor was not able to complete the investigation and conclude its analysis of how the attacker compromised the machine, based on the information on hand, Sangfor made the following statements:
- The server's SMB (445/TCP) and RDP (3389/TCP) ports were exposed to the Internet
- Attackers performed brute force attacks on these ports against the username "Administrator" using an automated script
- Once the "Administrator" password was successfully brute forced, the attacker created a new user with the username "systern" as a backdoor
- The "systern" account was escalated to administrator privileges
- The malicious "systern" account last changed its password at 6:56:15 AM and had remote access to the host at 6:57:35 AM, when it started executing the ransomware and encrypting the files
- The files were first encrypted at 7:11 AM
- The malicious "systern" account logged off at 7:33 AM
- The event log before 2:05:09 AM had been erased
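The findings above (the homograph username "systern", the external SMB/RDP brute force against "Administrator", the creation and privilege escalation of a backdoor account, and the cleared security log) are all things a defender can look for in exported Windows Security-log records before an incident reaches the encryption stage. The following Python script is an added example written for this article, not Sangfor's tooling or anything from the customer's environment. It assumes the records have already been exported into plain dicts whose keys follow the Windows event XML field names (EventID, TargetUserName, IpAddress, MemberName, SubjectUserName); all sample records, the confusable-character table and the placeholder address 203.0.113.45 are constructed for the example.

```python
"""Triage of exported Windows Security-log records for the indicators this
case turned on: a burst of failed network logons from one external address,
a newly created local account whose name is a homoglyph of a built-in name,
that account being added to Administrators, and a cleared Security log.
All records here are constructed for this example; the dict keys follow the
Windows event XML field names (EventID, TargetUserName, IpAddress, ...)."""

from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import unicodedata

# Small constructed table of visually confusable substrings. "rn" -> "m" is
# the one that turns the attacker's "systern" back into "system".
CONFUSABLE = {"rn": "m", "vv": "w", "0": "o", "3": "e", "5": "s"}
PRIVILEGED_NAMES = {"system", "administrator", "admin"}

# RFC 1918, loopback and link-local; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def normalise_name(name):
    """Canonical lower-case form so that look-alike names compare equal."""
    s = unicodedata.normalize("NFKC", name).lower()
    for look_alike, real in CONFUSABLE.items():
        s = s.replace(look_alike, real)
    return s


def looks_like_homoglyph(name):
    """True when the name is not a privileged name but normalises to one."""
    return (name.lower() not in PRIVILEGED_NAMES
            and normalise_name(name) in PRIVILEGED_NAMES)


def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def triage(events, window=timedelta(minutes=5), threshold=10):
    """Walk the events in time order and return a list of findings."""
    findings = []
    failed = defaultdict(list)   # source IP -> recent 4625 timestamps
    for ev in sorted(events, key=lambda e: e["time"]):
        eid, t = ev["EventID"], ev["time"]
        if eid == 4625 and is_external(ev.get("IpAddress", "")):
            ts = failed[ev["IpAddress"]]
            ts.append(t)
            ts[:] = [x for x in ts if t - x <= window]   # slide the window
            if len(ts) == threshold:                     # fire once per burst
                findings.append({"type": "external_bruteforce", "time": t,
                                 "ip": ev["IpAddress"],
                                 "user": ev["TargetUserName"]})
        elif eid == 4720:    # a user account was created
            kind = ("homoglyph_account_created"
                    if looks_like_homoglyph(ev["TargetUserName"])
                    else "account_created")
            findings.append({"type": kind, "time": t,
                             "user": ev["TargetUserName"]})
        elif eid == 4732 and ev.get("GroupName") == "Administrators":
            # Real 4732 records carry the member as a SID (MemberSid) that
            # needs resolving; the constructed record carries the name.
            findings.append({"type": "added_to_administrators", "time": t,
                             "user": ev["MemberName"]})
        elif eid == 1102:    # the Security log was cleared
            findings.append({"type": "security_log_cleared", "time": t,
                             "user": ev.get("SubjectUserName")})
    return findings


def sample_events():
    """Constructed records loosely following the timeline in the write-up.
    203.0.113.45 is a documentation-range placeholder, not the real source."""
    base = datetime(2020, 6, 2, 6, 40, 0)
    evs = [{"EventID": 4625, "time": base + timedelta(seconds=10 * i),
            "IpAddress": "203.0.113.45", "TargetUserName": "Administrator",
            "LogonType": 3} for i in range(12)]
    evs.append({"EventID": 4625, "time": base + timedelta(minutes=1),
                "IpAddress": "192.168.1.20", "TargetUserName": "jsmith",
                "LogonType": 3})                    # internal typo, ignored
    evs.append({"EventID": 4720, "time": base + timedelta(minutes=3),
                "TargetUserName": "systern"})
    evs.append({"EventID": 4732, "time": base + timedelta(minutes=4),
                "GroupName": "Administrators", "MemberName": "systern"})
    evs.append({"EventID": 4720, "time": base + timedelta(minutes=5),
                "TargetUserName": "kingdee"})
    evs.append({"EventID": 1102, "time": base + timedelta(minutes=50),
                "SubjectUserName": "systern"})
    return evs


if __name__ == "__main__":
    for f in triage(sample_events()):
        print(f["time"].strftime("%H:%M:%S"), f["type"],
              f.get("user") or f.get("ip"))
```

Run against the constructed sample, the script reports one external brute-force burst against "Administrator", the creation of "systern" flagged as a homoglyph of "system", the plain creation of "kingdee", the addition of "systern" to Administrators, and the log-clear event. The window and threshold are deliberately conservative; in practice they should be tuned to the host, and the 1102 event is worth alerting on unconditionally, since it is exactly the action that left this investigation with no security log before 2:05:09.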
Some of the risks that Sangfor identified were:
- High-risk ports exposed to the Internet
- Insufficient monitoring mechanisms for health checks and user account creation
- Insufficient complexity of the administrator password
- Lack of a security log management system
Through this situation, we learned that not all investigations end with perfect results and conclusions. There were a number of unique challenges that Sangfor faced, and a number of unusual techniques that the attackers used to bypass the organization's alerting and security controls.
Refer to the following link for more information on a ransomware protection best practice guide to strengthening and improving your protection mechanisms and overall security status.