Are Your Domain Admin Accounts Opening Lateral Attacks?

A hacker gets a foothold on one device (not too unusual these days). Then gets access across hundreds of other systems. The account that opened the door? It belonged to an employee who had died three months ago.

Full-blown ransomware attack. Data (passwords, SSNs, credit card info, among other sensitive information) abused in future snatch-and-grab attacks. An entire company shut down for nearly a week—luckily, they were able to recover most of their files from backups.

This is not imaginary. It is a true story.

This past year, Nemty penetrated a network and took control of a domain admin account that had been left active, with credentials that had never been changed. Could this happen to you?

Not that you’d necessarily face the same exact scenario of an admin account left wide open, one belonging to a deceased former employee.

What about the admin accounts on your network right now? On your clients’ networks? How secure are they? Is there a chance that if a device were compromised you would have a big mess to clean up?

What if a forensic team linked the culprit back to an un-expiring admin account? Would they blame you for letting this happen?
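A check a practitioner would want at this point, added here as an example and not taken from the original post: list every member of Domain Admins whose password never expires, has not been changed recently, or whose account shows no recent logon. It assumes the ActiveDirectory RSAT module on a domain-joined host and a 90-day staleness threshold, both of which are assumptions you should adjust to your environment.

```powershell
# Added example (not from the original post): audit Domain Admins membership for
# the conditions in the story above: accounts nobody uses any more, or whose
# password never expires or has not been changed in a long time.
# Requires the ActiveDirectory RSAT module on a domain-joined host.
# The 90-day threshold is an assumption; pick one that fits your environment.
Import-Module ActiveDirectory

$StaleDays = 90
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

$Findings = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $u = Get-ADUser -Identity $_.DistinguishedName -Properties `
                Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires

        $issues = @()
        if (-not $u.Enabled)          { $issues += 'disabled-but-still-in-group' }
        if ($u.PasswordNeverExpires)  { $issues += 'password-never-expires' }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $Cutoff) {
            $issues += "password-older-than-$StaleDays-days"
        }
        # LastLogonDate comes from lastLogonTimestamp, which replicates only
        # every ~14 days by default, so read it as approximate; a null value
        # means no recorded logon at all.
        if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $Cutoff) {
            $issues += "no-logon-in-$StaleDays-days"
        }

        if ($issues) {
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                Issues          = ($issues -join ', ')
            }
        }
    }

# Oldest-used accounts first: these are the ones a departed employee left behind.
$Findings | Sort-Object LastLogonDate | Format-Table -AutoSize
```

Run it on a schedule and alert on any new row; an account that shows up here with no logon for months is exactly the kind of forgotten door the story describes.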

All it really takes is access to any admin account. From there, attackers steal domain admin credentials using programs like Mimikatz.

Here are the two big ways hackers are exploiting MSPs and their clients:

1. Auto-propagation—hackers steal credentials, keys, or other authentication tokens from memory or disk. They then deploy ransomware on the infected system.

They spread across the network via mapped drives, dropping and executing ransomware using tools such as WMI (yes, we talked about WMI last week) and PowerShell.

They may also propagate by exploiting or targeting specific software or systems, but stealing domain admin credentials is the easiest method, since it lets them standardize their process across environments.

2. Targeted ransomware—once a hacker discovers information about your network or domain, they hunt down specific weaknesses in your environment.

Hackers will use tools like PowerShell to perform reconnaissance, identifying targets. They’ll use compromised software to deploy ransomware across your network. These hackers may deploy ransomware using Microsoft Group Policy Objects (GPOs) from a compromised domain controller.

Ransomware has evolved well beyond its origins as an encryption-only attack. Now you’d be lucky to face encryption alone. More likely, you’ll see data exfiltration and data leaking as part of the ransom process.

Going back to the original story—the attacker gained access to the compromised admin account of that deceased employee and then spent nearly a month moving stealthily across the environment, stealing credentials for a domain admin account and finding troves of data—nearly a terabyte in total.

The Take Home?

I really want you to think about your defense in depth. Are your cyber stack and your security processes working to keep you safe? Will you be able to withstand stealthy credential-stealing attacks? Will you get alerts, or will you let the hackers persist?

One of the easiest ways to see whether your network, systems and processes can withstand a hacker is to evaluate your cyber stack.