
It was the first day of a long weekend when the first alarm notification was received. One of our client’s laptops had detected malware. Initially, it seemed like an isolated incident – perhaps a careless click on a phishing link. But, as our team investigated, the situation unfolded into a full-scale cybersecurity nightmare resulting in all the client’s servers being locked with crypto ransomware.


We had worked with the client initially to identify some areas they needed to investigate along with proposed improvements to mitigate their risk. However, like many small businesses in New Zealand, the client did not feel they were at high risk of being attacked. Unfortunately, the worst did happen to them, and this incident highlights several critical vulnerabilities and lapses in security measures that the attackers exploited. 


In his diary, our Senior Security Consultant Glenn Nummy describes how our team worked through the incident, investigating and identifying when and how the cybercriminals carried out their calculated attack. Follow the incident below as it unfolded.


Day 1 – The Critical Weekend 


From that first alarm notification, I began piecing together the logs of breached security protocols and a clear picture began to emerge. Thankfully the client had been keeping consistent logs for up to 6 months before the attack, which made it easier to piece together what had happened in this incident. The attackers had not just stumbled upon our client; they had chosen them specifically because of a known vulnerability.  


The servers, critical to the client’s operations, lacked endpoint protection. Although this was an area of weakness we identified with recommendations made to reduce their risk, the client decided because the servers were not being accessed by unprivileged users, they would only add endpoint protection to their network laptops. This left the servers exposed. The client had also left their web admin access page open, so the firewall was open to all public addresses, and unfortunately, the ‘Trusted Hosts’ setting was not enabled. These oversights ultimately allowed the attackers to create a backdoor into the client’s network. 


Week 1 – Unravelling the Attack 


The attackers had patiently waited for the perfect moment to strike – a public holiday over a long weekend, knowing well that system surveillance would be minimal. They executed a ransomware attack that locked all our client’s servers, encrypting everything! The backups, which should have been step one of their incident response plan, were also destroyed. Fortunately, a random and unrelated backup made earlier in the week by chance ended up saving the day, albeit only temporarily. 


Week 2 – Forensic Deep Dive 


The true extent of the attack came to light through an intensive forensic investigation I performed for the client. The attackers had used the public holiday weekend to deploy ransomware, but from the activity I was able to piece together, it was clear that their preparation began much earlier, in fact, it was almost 6 months since they first gained access! There was no noise, suspicious activity or alarms triggered from when they first gained access. The attackers moved with stealth and remained undetected.


From the logs, I could see the attackers had exploited a patched firewall vulnerability, gaining access one day before the client team applied the required patch. The attackers created a VPN account where they likely brute-forced the domain controller, or monitored traffic, to get passwords as they came through the firewall. To the attackers, the client was “low-hanging fruit”. It was clear that the attackers had patiently monitored the network, waiting for the right vulnerability to exploit. 


The Impact 

  • Operational Disruption: The encryption of all servers caused a significant halt in operations, leading to downtime of 3 to 4 days and loss of revenue. 
  • Data Integrity: The encryption of their data led to data loss, as their full backups were compromised.
  • Security Breach: The extended undetected presence of the attackers within the network raised concerns about data exfiltration and other potentially malicious activities. 


Month 2 – Learning and Rebuilding 


In the wake of the attack, the focus shifted towards recovery of data and rebuilding stronger defences. We recommended robust endpoint protection and suggested the client establish a stringent patch management policy. The client firewall settings were overhauled to allow access only from trusted hosts, and advanced network monitoring tools were deployed to ensure that any unusual activity could be detected and addressed swiftly.
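As an added illustration of the kind of check the rebuilt monitoring should run (example code written for this post, not Lexel's or the client's tooling), the script below audits constructed firewall admin-login and VPN-account events against a trusted-hosts allowlist. The log format, addresses and account names are invented; the point is that with the weak "open to all" setting nothing about the admin login stands out, while with trusted hosts configured the same login is flagged, and a new VPN account is flagged in either case.

```python
import ipaddress

# Constructed sample events (not a real vendor log format); the first two mimic the
# activity described in the diary: an admin login from an arbitrary public address,
# followed by the creation of a new VPN account that later serves as a backdoor.
SAMPLE_LOGS = [
    "ts=2023-10-19T02:14:07Z type=admin_login user=admin src=203.0.113.45 status=success",
    "ts=2023-10-19T02:16:30Z type=vpn_user_create user=svc_remote2 src=203.0.113.45 by=admin",
    "ts=2023-10-19T09:01:11Z type=admin_login user=itops src=10.0.5.12 status=success",
    "ts=2023-10-20T11:42:55Z type=admin_login user=admin src=198.51.100.7 status=failed",
]

# Weak state from the post: no trusted hosts, so the admin page answers every public address.
NO_TRUSTED_HOSTS = []
# Corrected state (assumed values): only the internal management subnet and one known office IP.
TRUSTED_HOSTS = ["10.0.5.0/24", "192.0.2.10/32"]


def parse_event(line):
    """Split a 'key=value key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def src_is_trusted(src, trusted_hosts):
    """True if src falls inside one of the trusted networks.
    An empty allowlist reproduces the weak setting: every address is accepted."""
    if not trusted_hosts:
        return True
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(net) for net in trusted_hosts)


def audit_admin_events(lines, trusted_hosts):
    """Return (finding, ts, user, src) tuples for events worth an alert:
    any admin login (successful or not) from outside the trusted hosts, and
    any VPN account creation, which in this incident was the attackers' backdoor."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev["type"] == "admin_login" and not src_is_trusted(ev["src"], trusted_hosts):
            findings.append(("admin_login_untrusted_src", ev["ts"], ev["user"], ev["src"]))
        elif ev["type"] == "vpn_user_create":
            findings.append(("vpn_account_created", ev["ts"], ev["user"], ev["src"]))
    return findings


if __name__ == "__main__":
    for label, hosts in (("open to all", NO_TRUSTED_HOSTS), ("trusted hosts", TRUSTED_HOSTS)):
        results = audit_admin_events(SAMPLE_LOGS, hosts)
        print(f"--- {label}: {len(results)} finding(s)")
        for finding in results:
            print("  ", *finding)
```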


Month 6 – Reflection and Vigilance 


Looking back, the attack was a wake-up call for our client. It highlighted the importance of proactive security measures and the dangers of complacency. We now conduct regular security awareness training for all their employees, emphasising the role of everyone in safeguarding the business’s digital assets. Our client’s recovery was not just about restoring data but getting better prepared and rebuilding trust – trust in their systems, their processes, and, importantly, in us as their partner. 


These diary entries are not just a recount of a cybersecurity incident; they are a stark reminder of the realities of cyber threats. For business owners, they are a call to action to assess your security posture, understand your risks and vulnerabilities, and implement robust security measures to reduce your risk.


Don’t wait for a breach to happen; prepare now as if you’re already compromised, so your team knows how to react if the worst does happen. The integrity and continuity of your business depend on it.


If the thought of your small or medium-sized business being hit by crypto ransomware makes you feel sick, get in touch with our team of cyber security specialists for a chat.



Author:
Glenn Nummy

Glenn is a Senior Security Consultant at Lexel, with over thirty years of experience in Information Technology. For the last twenty years he has focused on Network and Security across a number of sectors, including higher education, government and private industry.