Anatomy of a Comprehensive Security Response

The frontlines of current cyber threat conditions are an interesting combination of rogue threat actors, state-sponsored groups, and Advanced Persistent Threats (APTs). Their intrusions are characterized by stealth, patience, and slow-burn campaigns that are well funded toward their missions. These threats focus on evading detection while carrying out reconnaissance and weaponization in a deliberate sequence of escalating steps. Even with multiple layers of technical protection, malicious activity still occurs on the most privileged networks. This is an account of how a recent incident in a protected environment was uncovered through diligence and forensic review.

If you could visualize a successful cyberattack in review, you would see that the journey is a lot like skipping across stones in a river. Here, we are going to dissect such an attack.  The object of cybersecurity protections is to review every stone and successfully stop attacks at every possible point. Uncovering threats can rely on automated detection, artificial intelligence, and alerting to varying degrees. However, information uncovered from these scenarios requires analysis and a threat disposition by actual trained and qualified human beings. 

Anatomy of the Incident 

Let us dissect an actual security incident, so we can gain an appreciation of what it takes to mitigate these millions of incidents that happen every day.  

  • In the pre-dawn hours of a recent morning, the Ntirety Security Operations Center (SOC) received the first of a series of behavioral threat alerts for an endpoint system within a client’s environment.
  • The alert triggered a disposition of a potential network ransom event. 
  • An immediate investigation into this system was launched where it was discovered that a portion of the files on the system were encrypted. 
  • The investigation further showed that the operating system was functional, with no observable impact. 
  • Tier 2 SOC personnel initiated an immediate network containment action to isolate the threat and prevent any possible further lateral movement. 
  • Tier 2 SOC personnel continued to scan logs and immediate network connections for signs of further propagation. As the investigation continued, these findings were negative.  
  • The SOC initiated a Root Cause Analysis and determined that the initial Point of Entry for this ransomware attack was an unpatched, externally facing server that DID NOT have standard security products installed.
  • This server was scheduled for decommissioning. Further, an administrator account for this system had been exploited and had been using a weak, 8-character password that had no history of updates. 
  • The affected server was completely compromised, with evidence of complete system encryption.  
  • A ransomware note and additional tracking evidence showed the attack was most likely Crylock ransomware, a new variant of Cryakl ransomware.  
  • Further investigation uncovered that the attacker(s) were able to log in and install software to maintain remote persistence on the server.  
  • System and Security event logs could not be recovered, indicating the logs had been scrubbed.

With the successful compromise in place, the attack attempted to escalate, moving laterally to the endpoint system where our detection tools were able to catch it before any further damage could be done.  

As an epilogue, the customer received guidance and recommendations towards decommissioning the server as soon as possible, wiping and imaging the affected workstation, network isolation, strong password enforcement practices, and installation of our advanced security tools throughout all systems in their environment.  
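One of the findings above, the scrubbed System and Security event logs, is itself a detectable signal. The following added example (not Ntirety’s tooling or part of the original account) shows the kind of check a SOC can run over exported Windows event records to surface log tampering: it flags the real Windows log-clear events (Security event ID 1102, “The audit log was cleared”, and System event ID 104, “The System log file was cleared”) and it flags an unexplained silence, a gap between consecutive records far longer than the host’s normal logging cadence. The tab-separated export format, the sample records, and the two-hour silence threshold are all constructed for the example.

```python
"""Detect signs of event-log tampering in Windows-style event records.

Added illustration for the incident account above; not Ntirety tooling.

Two signals are checked:
  * explicit log-clear events: Security event ID 1102 and System event ID 104
    (both real Windows event IDs that record a log being cleared);
  * an unexplained silence: a gap between consecutive events that is much
    longer than the host's usual logging cadence.
The export format, sample records and gap threshold are constructed here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# (channel, event id) pairs that record a log being cleared.
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}


@dataclass(frozen=True)
class Event:
    time: datetime
    channel: str      # "Security" or "System"
    event_id: int
    message: str


def parse_line(line: str) -> Event:
    """Parse one constructed export line: time<TAB>channel<TAB>id<TAB>message."""
    ts, channel, event_id, message = line.rstrip("\n").split("\t", 3)
    return Event(datetime.fromisoformat(ts), channel, int(event_id), message)


def find_clear_events(events: List[Event]) -> List[Event]:
    """Return every record that says a log was cleared."""
    return [e for e in events if (e.channel, e.event_id) in LOG_CLEARED_EVENTS]


def find_gaps(events: List[Event], max_silence: timedelta) -> List[Tuple[datetime, datetime, timedelta]]:
    """Return (gap_start, gap_end, duration) for every silence longer than max_silence."""
    ordered = sorted(events, key=lambda e: e.time)
    gaps = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.time - prev.time > max_silence:
            gaps.append((prev.time, cur.time, cur.time - prev.time))
    return gaps


def assess(lines: List[str], max_silence: timedelta = timedelta(hours=2)) -> Dict:
    """Summarise tampering indicators; 'suspicious' is True if either signal fires."""
    events = [parse_line(line) for line in lines if line.strip()]
    cleared = find_clear_events(events)
    gaps = find_gaps(events, max_silence)
    return {
        "events": len(events),
        "cleared": [(e.channel, e.event_id, e.time.isoformat()) for e in cleared],
        "gaps": [(s.isoformat(), e.isoformat(), int(d.total_seconds() // 3600))
                 for s, e, d in gaps],
        "suspicious": bool(cleared or gaps),
    }


# Constructed sample export: a server that normally logs every few minutes
# goes silent for about seven hours overnight, then records both logs being cleared.
SAMPLE_LOG = [
    "2021-03-01T22:01:10\tSecurity\t4624\tAn account was successfully logged on",
    "2021-03-01T22:04:32\tSystem\t7036\tA service entered the running state",
    "2021-03-01T22:09:51\tSecurity\t4634\tAn account was logged off",
    "2021-03-02T05:12:07\tSecurity\t1102\tThe audit log was cleared",
    "2021-03-02T05:12:09\tSystem\t104\tThe System log file was cleared",
    "2021-03-02T05:15:40\tSecurity\t4624\tAn account was successfully logged on",
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In practice the silence threshold should be derived per host from its own logging history rather than fixed, and a 1102/104 record is worth an alert on its own: legitimate administrators rarely clear logs, and an attacker doing so cannot erase the fact that the clearing was recorded, unless logs are also forwarded off-host, which is the mitigation that makes this check reliable.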

The Comprehensive Response 

Client environments have all kinds of interesting facets to them that can affect overall security. Sometimes there is a bit of baggage, such as a legacy operating system or application that has no available updates or is tied down to legacy by means of licensing, contract, or a functional gap. That legacy OS was the first problem. Missing security tools were the next issue.  

From there, we have an unpatched public-facing system, weak and unmanaged privileged passwords, and an open network hop that allowed the attempt to laterally propagate. You can call that an unfortunate mix of vulnerabilities that could have led to a major problem.  

However, comprehensive practices came through in the detection of anomalous events at the first point possible. Our SOC sprang into action, according to plan, and we were able to fully ascertain the situation and prevent any further incidents. You can see how much potential for significant impact one unprotected system has, but by layering detection and response throughout the environment, we can mitigate the unknown.

The goals of the Ntirety SOC and application of comprehensive security principles have common targets. We are focused on minimizing the impact of incidents and breaches on our client organizations. To minimize impact, we are focused on responding to incidents quickly and reducing the time it takes to detect and enact our responses. By effectively remediating security conditions and maintaining security baselines throughout our client environments, we work towards preventing major incidents from occurring.  

Detection, analysis, investigation, and remediation are some of the milestone capabilities of our comprehensive defensive systems. In the current and future climate of threat conditions, this is the best available path to uncovering the unknown, to reveal hidden threats and adversarial activities, and to identify attacks before they scale.  

Ntirety’s Swift Response to New Microsoft Exchange Hack

As many as 60,000 U.S. businesses and government agencies have been hit by a new hacking campaign exploiting vulnerabilities in Microsoft Exchange Server. Ntirety quickly identified the attacks, notified clients and partners, and responded with specific mitigation measures and remediations.

What Happened?

On March 2nd, Microsoft released security updates to address vulnerabilities after detecting multiple 0-day exploits used to attack on-premises versions of Microsoft Exchange Server. These attacks enabled access to email accounts and, more insidiously, the installation of malware for long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China.

As of March 5th, Microsoft reports that the company “continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond Hafnium.”

Who is Affected?

Businesses and organizations running on-prem versions of Microsoft Exchange Server 2013, 2016, and 2019 were targeted in this attack. Exchange Online was not affected.

How Did This Vulnerability Work?

These vulnerabilities allow an attacker to bypass authentication, trigger remote code execution (RCE), and gain email account access. With account access, the attackers are able to harvest email content and deploy the malware that enables longer-term access to the victim environment.

How Can You Mitigate Your Risk?

Start by running a vulnerability scan to determine whether you are currently exposed by unpatched versions of the affected software; it is estimated that there are at least 125,000 unpatched servers worldwide. Even if you are not currently experiencing an attack, the best practice is to back up your vulnerable servers.

If you have any of the affected versions of Microsoft Exchange Server deployed on-premises, Ntirety can assist in applying the patches from Microsoft to cover the vulnerabilities.

What Has Ntirety Done in Response?

Ntirety’s cybersecurity operations teams are relentless in protecting clients and partners against attacks through multiple strategies and tactics, including:

  • Vulnerability Scanning: Ntirety has released authenticated vulnerability scan coverage to identify vulnerable assets.
  • Network IDS and Log Management: We have created detections for relevant Indicators of Compromise (IOCs) which allow us to find any compromises.
  • Log and Network-based Telemetry Signatures: Both of these were created specifically in response to the attack and are actively used in threat hunting.

Ntirety is always committed to being a partner that’s constantly vigilant, ensuring you are covered through all cyber-risks.

For more information about the Microsoft Exchange hack or about how Ntirety can help your business respond, contact our Managed Security Services team.