The story of one hack, or learning from other people's mistakes

There should be a worn-out Nietzsche quote about strength here, but we will skip it.

One day this can happen to any system administrator: he comes to work in the morning, checks the infrastructure and finds that, instead of user data, the file server holds an archive and a text file with a ransom demand. What to do, how to carry on, and how to prevent a recurrence is what we sort out in this article.

The case considered here happened in a company whose infrastructure is built on Windows PCs. So, our hero discovered in the morning that, instead of user files, the file server held data.zip and readme.txt. The archive was password-protected, and the text file contained the standard demand: transfer a hefty sum to a bitcoin wallet, send confirmation of the transfer to the specified e-mail address and receive the password in reply. As our forefathers taught us, nobody negotiates with terrorists; but time was passing and the data had to be restored.

Once the situation was clear, the task list looked like this:

  • Recover the data
  • Establish the attack path
  • Prevent a recurrence

Data recovery was the simple part: the nightly copy is everything. Just in case, we also ran a deleted-file recovery utility over the disk, but in vain; Eraser had clearly been run on it. So we set about rolling out the backup and moved on to establishing the attack path.

We start by examining the "evidence". The creation dates of the files are roughly the same and the creator is the local administrator; nothing more interesting there. Let's move on to the operating system. Besides the administrator, the user list contains an unexplained account, Kelly, with administrative rights. Now that is more interesting! We look further. The network settings have been changed: Google's public resolvers are specified as the DNS servers. All well and good, but the file server has no direct Internet connection, so it is not clear how the attacker reached it. Yes, the server can be reached over RDP, but that RDP does not face the outside. We keep looking.

The company has a terminal server for employees working remotely. We examine it. The security log contains a lot of brute-force logon attempts, but nothing more suspicious. There are no extra users on the system, the settings have not been changed, everything is clean.

Since we are talking about remote employees, we pull up the list of them and see how their workplaces are set up. Some work on the terminal server we already examined, others on their own PCs. And this is where the entry point was found. On the PC of one of the designers there was a local user Kelly with administrative rights, and in that user's Downloads folder lay a WinRAR installer, used to archive the data, and Eraser, used to wipe it. Fine, we found the entry point, but how did the attacker get onto that machine, and from there onto the file server?

A closer inspection of the designer's machine revealed that Network Level Authentication was not enabled in the Remote Desktop settings and, on top of that, the operating system had not been updated for a long time. So, presumably, the attack went as follows: scan for the port behind which RDP is exposed, probe it for vulnerabilities reachable before authentication, then use a vulnerability in the unpatched system to execute code that creates the user Kelly, and log into the PC with that account. After that the archiver and Eraser are dropped onto the PC, and what remains is to explore the infrastructure and carry out the malicious actions. Without NLA, the RDP service builds a full session and shows the logon screen before the client has proven anything, so every bug in that pre-authentication code is reachable by anyone who can open the port. It is worth noting that in this particular case the company got off cheaply: employees were idle only for the time it took to restore files from the backup, and that was it. The administrator, of course, was called to account for negligence. But the attackers could have gone further: databases or documents could have been not encrypted but taken out of reach. And finally, the backups themselves: it is a good thing they did not get to those.
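The checks the author made by hand on the file server and on the designer's PC (unexpected local administrators, a freshly created account, DNS repointed, RDP exposed without NLA) can be gathered in one triage script. The script below is an added example, not code from the original post; it only reads state and changes nothing. It assumes Windows 10 / Server 2016 or later (the LocalAccounts, NetTCPIP and DnsClient modules are present) and that account-management auditing is on, which is the default there; the 30-day window is an assumption.

```powershell
# Added example, not from the original post: read-only triage of a suspect Windows host.
# Run in an elevated PowerShell on the host itself.
$lookback = (Get-Date).AddDays(-30)   # assumed incident window

# 1. Who is a local administrator? (The post found an unexpected account "Kelly" here.)
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass

# 2. Local accounts, most recently changed first; an account created next to the incident date stands out.
$users = Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet |
    Sort-Object PasswordLastSet -Descending

# 3. Account creations (4720) and additions to local security groups (4732) in the window.
#    Fields are read by name from the event XML instead of by fragile positional index.
$accountEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $lookback } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Actor  = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            Target = if ($_.Id -eq 4720) { $data.TargetUserName } else { $data.MemberName }
            Group  = if ($_.Id -eq 4732) { $data.TargetUserName } else { '' }
        }
    }

# 4. RDP exposure: is the listener enabled, is NLA required, and on which addresses is 3389 open?
#    (A GPO under HKLM:\SOFTWARE\Policies\...\Terminal Services can override the second value.)
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = [pscustomobject]@{
    RdpEnabled  = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
    NlaRequired = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication -eq 1
    ListeningOn = (Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue).LocalAddress -join ', '
}

# 5. DNS servers per adapter (the file server had been repointed to public resolvers).
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, @{ n = 'Servers'; e = { $_.ServerAddresses -join ', ' } }

foreach ($section in 'admins', 'users', 'accountEvents', 'rdp', 'dns') {
    "=== $section ==="
    Get-Variable -Name $section -ValueOnly | Format-Table -AutoSize | Out-String
}
```

Run it on every host the attacker could have touched, not only the one with the ransom note: in the story the evidence that mattered (the Kelly account, the WinRAR and Eraser downloads) was on the designer's PC, not on the file server.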

Now the most important thing: how not to become the hero of such an article. Everything here is really simple; the main thing is vigilance. Check yourself against the checklist:

  • All operating systems have the latest updates installed
  • Control every point of entry into the infrastructure
  • Do not use simple passwords
  • Where password authentication is used, enforce a policy that allows only strong passwords
  • Roll out certificate-based sign-on where possible
  • Rename administrative accounts where possible
  • Apply the principle of least privilege
  • Host firewall on every machine
  • Corporate antivirus
  • Offline copy of the data
  • Watch for increased attention to your perimeter and react to it

Here is what is meant by each of these recommendations.

Operating system updates not only add functionality but also close vulnerabilities that attackers could exploit. It is important to understand that you should update not only the operating system but all the software used on the workstation.

Controlling the points of entry means that you always need to know who gets into the company network from outside, how, and for what reason. There should be no situations where RDP sticks out of the accountant's machine on the standard port.

Hundreds and thousands of articles, posts and notes have been written about the need for strong passwords. But people still fall into two groups: those whose passwords have been guessed, and those who have changed theirs to stronger ones. So let's say it once more: at least eight characters, with upper- and lower-case letters, digits and special characters all required, and the longer the better. Ideally, use a generator; there are plenty both online and built into the nearest password manager.

And when we talk about strong passwords, the policy must be mandatory, not advisory. Active Directory Group Policy can force users to change their password at a set interval. In addition, set a minimum password length and a password history count, so that a user cannot alternate between two policy-compliant passwords, simply swapping them whenever one expires. Add an account lockout threshold as well, so that the brute-force attempts seen in the terminal server's log run into a wall instead of eventually succeeding.
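The policy described above, set from a domain controller (or any host with the RSAT ActiveDirectory module) rather than clicked through the GPO editor. This is an added example, not code from the original post; the numeric values, the policy name "Admins-Strict" and the "Domain Admins" subject are assumptions to adjust to your own requirements. The fine-grained policy needs a domain functional level of Windows Server 2008 or higher.

```powershell
# Added example, not from the original post: mandatory password and lockout policy for the domain,
# plus a stricter fine-grained policy for privileged accounts.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

# Default Domain Policy values: length, complexity, history (no reuse of recent passwords),
# expiry, and lockout. Minimum age stops a user cycling through the history in one sitting.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# Stricter rules for administrators via a fine-grained password policy (FGPP), assumed name.
# Lower Precedence wins when several FGPPs apply to the same user.
New-ADFineGrainedPasswordPolicy -Name 'Admins-Strict' -Precedence 10 `
    -MinPasswordLength 16 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 60) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 60) `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'Admins-Strict' -Subjects 'Domain Admins'

# Verify: what the domain enforces, and what actually applies to a given account after FGPPs.
Get-ADDefaultDomainPasswordPolicy -Identity $domain
Get-ADUserResultantPasswordPolicy -Identity 'Administrator'
```

Note that a lockout threshold also gives an attacker a way to lock your users out deliberately; keep the duration short enough that a locked account recovers on its own, and watch event 4740 (account locked out) for spikes.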

Strong passwords are good, of course, but certificate-based access is better. Yes, it is harder to deploy and in places inconvenient, but it is secure. Think about it: the cost of implementing a PKI may well be lower than the cost of recovering data lost in an attack.

Renaming administrative accounts helps against dictionary attacks aimed at accounts such as Administrator and Admin (and their localized equivalents), which exist on systems by default and are rarely locked out. Renaming administrative accounts to a random string of letters and digits defeats such an attack. Keep in mind that the built-in Administrator keeps its well-known relative identifier (RID 500) whatever it is called, so an attacker who can enumerate accounts by SID will still find it; renaming raises the bar against simple dictionary scripts, not against a determined insider. Of course, this step will require introducing, if not a company-wide password manager, then at least a password registry.

The principle of least privilege teaches us not to grant rights beyond what a task needs. A service that, for example, cleans temporary files out of user profiles does not need administrative rights on the file server; it needs only the right to delete files in the profile store. And strictly delete: it does not need permission to modify files either. This protects you from the problem that arises when credentials, service accounts included, are compromised, and generally shrinks the attack surface of your infrastructure.
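The cleanup-service case from the paragraph above, expressed as an NTFS ACL: the account gets list, read-attributes and delete rights on the contents of the profile store, and nothing that lets it write or change a file. This is an added example, not code from the original post; the path D:\Profiles and the account CORP\svc-profile-cleanup are assumptions.

```powershell
# Added example, not from the original post: least-privilege NTFS rights for a profile-cleanup service.
# Run elevated on the file server. Path and account name are assumptions.
$path    = 'D:\Profiles'
$account = 'CORP\svc-profile-cleanup'

$acl = Get-Acl -Path $path

# Replace, don't accumulate: drop any explicit (non-inherited) entries the account already has.
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $account -and -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$fsr = [System.Security.AccessControl.FileSystemRights]

# Rule 1: on the root folder itself, only enough to list it (no Delete, so the store cannot be removed).
$rootRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account,
    ($fsr::ReadData -bor $fsr::ReadAttributes),
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Rule 2: on everything below it, list + read attributes (to find stale files) + delete.
# No WriteData/AppendData/Modify: the service can remove files but cannot alter or plant them.
# InheritOnly keeps this rule off the root folder. .NET adds Synchronize to Allow rules itself.
$childRights = $fsr::ReadData -bor
               $fsr::ReadAttributes -bor
               $fsr::Delete -bor
               $fsr::DeleteSubdirectoriesAndFiles
$childRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account,
    $childRights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl.AddAccessRule($rootRule)
$acl.AddAccessRule($childRule)
Set-Acl -Path $path -AclObject $acl

# Verify what the account ended up with.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Format-List FileSystemRights, InheritanceFlags, PropagationFlags, AccessControlType
```

The same reasoning applies to the service's logon rights: it should run as that dedicated account, not as a domain administrator, so that a compromise of the cleanup job yields exactly the ability to delete profile files and nothing more.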

The principle of least privilege also extends to having an active firewall on user machines and servers. We leave only what is necessary and turn off or block everything else. Where possible, we do not accept incoming connections at all. "Nothing more" is your motto.
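Putting the two entry-point recommendations together, the one about controlling where RDP sticks out and the one about a default-deny host firewall: the script below is an added example, not code from the original post. It requires NLA on the RDP listener, blocks all unsolicited inbound traffic on every profile, and then re-opens 3389 only from an administrative subnet. The subnet 10.10.0.0/24 and the rule name are assumptions, and the built-in rule group is looked up by its English display name "Remote Desktop".

```powershell
# Added example, not from the original post: default-deny inbound firewall with RDP scoped to one subnet.
# Run elevated on the workstation or server. Do NOT run this over an RDP session that comes
# from outside $adminSubnet: step 3 will cut that session off.
$adminSubnet = '10.10.0.0/24'   # assumed management network

# 1. Require Network Level Authentication: the client must authenticate before a session is built,
#    which is exactly the setting the compromised PC in the story was missing.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# 2. Firewall on for every profile, inbound blocked by default, outbound allowed, dropped packets logged
#    (the log is what you grep later for port scans).
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# 3. Replace the built-in "from anywhere" Remote Desktop rules with one scoped to the admin subnet.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP from admin subnet only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $adminSubnet `
    -Profile Domain, Private -Action Allow

# 4. Verify: list every inbound Allow rule still enabled, with its ports and permitted sources.
#    Anything here with RemoteAddress 'Any' deserves a second look.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Profile  = $_.Profile
            Protocol = $port.Protocol
            Port     = $port.LocalPort
            From     = $addr.RemoteAddress
        }
    } | Format-Table -AutoSize
```

For an accountant's or designer's PC the right answer is usually no RDP rule at all: remote users go through the terminal server, and the terminal server is the one host whose inbound rules you then watch closely.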

Use an antivirus. Yes, users and system administrators always complain that antivirus gets in the way, slows things down and is a waste of company money and computing power. But the absence of antivirus will sooner or later play its part: one day a user will launch the attachment from an e-mail, and decrypting the files will cost far more than a corporate licence for an antivirus suite.

It was mentioned above that it is a good thing the attackers did not get to the backups. You should always have a copy that is kept outside the infrastructure, with access to such copies restricted as tightly as possible. Keeping such copies current is expensive, but users will be happier with files a quarter old than with the complete loss of their data.

And finally, read the access logs; there is a lot of interesting material in them. Deploying a full-fledged intrusion prevention system is expensive, but a great deal can be done by hand. Analyse the addresses from which port scans or credential brute-forcing originate. Check users' machines and servers for malware regularly.
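The "a lot of brute-force logins in the security logs" that the author saw on the terminal server, turned into something you can run on a schedule: failed logons (event 4625) from the last N hours, grouped by source address, with sources above a threshold reported together with the accounts they tried. This is an added example, not code from the original post; the 24-hour window and the threshold of 20 failures are assumptions to tune to your own traffic.

```powershell
# Added example, not from the original post: brute-force / password-spray detection from the Security log.
# Run elevated on the terminal server (or any host that accepts logons). Window and threshold are assumptions.
param(
    [int]$Hours     = 24,
    [int]$Threshold = 20
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

# One row per failure, fields read by name from the event XML.
# LogonType 10 = RemoteInteractive (RDP without NLA); with NLA on, failed RDP logons show up as type 3.
# SubStatus 0xC0000064 = no such user, 0xC000006A = wrong password, 0xC0000234 = account locked out.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Source    = if ($data.IpAddress -and $data.IpAddress -ne '-') { $data.IpAddress } else { $data.WorkstationName }
        User      = $data.TargetUserName
        LogonType = $data.LogonType
        SubStatus = $data.SubStatus
    }
}

# Group by source. Many failures against one user = classic brute force;
# many distinct users with few failures each = password spraying, which lockout alone will not stop.
$suspects = $rows | Group-Object Source | Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Source        = $_.Name
            Failures      = $_.Count
            DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count
            FirstSeen     = $sorted[0].Time
            LastSeen      = $sorted[-1].Time
            TopUsers      = ($_.Group | Group-Object User | Sort-Object Count -Descending |
                             Select-Object -First 5 |
                             ForEach-Object { '{0}({1})' -f $_.Name, $_.Count }) -join ' '
        }
    } | Sort-Object Failures -Descending

$suspects | Format-Table -AutoSize
```

Sources that appear in this report are the ones to block at the firewall and to look for in the other servers' logs; a successful logon (4624) from an address that was brute-forcing an hour earlier is the single most important line you can find.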

Of course, even full adherence to these recommendations will not give you a 100% guarantee against being hacked, but it will at least reduce the risk. And do not forget about training employees: even the most secure system turns out to be defenceless when there is no understanding of the consequences of certain actions. If an employee enters their credentials into a phishing form, then no matter how secure the system is, that employee is already compromised. If the access comes from an infected machine, you are letting malware into your network yourselves. Always be careful: neglecting security can cause significant damage not only to the employee but to the company as a whole.

Now a little about why none of this was done in this case. Here, too, everything is simple, like an HB pencil: the designer's workplace had been deployed from a pirated build. Please do not make such fatal mistakes. First, it is illegal, and second, you will spend far more resources cleaning up the consequences of such neglect of your IT infrastructure. Take care of yourself and your data. And if you have something to add to the checklist or about the situation as a whole, you are welcome in the comments.
