Cybercriminals often use brute-force attacks, phishing emails, and existing data dumps to break into corporate networks, but there is one area that is often ignored, to a company's detriment: ghost accounts. When a staff member leaves, whether because of a new job offer, a change of circumstances, illness, or, in unfortunate cases, death, their accounts are not always removed from corporate networks.
This oversight is one that cybercriminals are now taking advantage of, and in a recent case, actively exploited in order to spread ransomware.
In a case study documented by Sophos' Rapid Response cyberforensics group on 26 January 2021, an organization reached out after being infected by Nemty ransomware.
According to Sophos, the ransomware, also known as Nefilim, impacted over 100 systems, encrypting valuable files and demanding payment in return for a decryption key.
Nemty has been observed being delivered using:
- RIG Exploit Kit in September 2019
- Fake PayPal sites
- RDP attacks by affiliates in their campaigns
- Botnet: distributed through the Phorpiex botnet in November 2019
- Loader: SmokeBot
First detected in 2019, Nemty was a Ransomware-as-a-Service (RaaS) variant of malware that could be purchased in underground forums. In 2020, the developers took Nemty private, reserving the code's future development for select partners.
During an investigation into the source of the infection, Sophos narrowed down the original network intrusion to a high-level administrator account. Over the course of a month, the threat actors quietly explored the company's resources, obtaining domain admin account credentials and exfiltrating hundreds of gigabytes' worth of data.
Once the attackers had finished their reconnaissance and taken everything of value, Nemty was deployed. The cybersecurity team asked who the high-privilege administrator account belonged to. The victim company said it belonged to a former member of staff who had passed away approximately three months before the intrusion.
Instead of revoking access and closing down the 'ghost' account, the firm chose to keep it active and open "because there were services that it was used for."
Sophos suggests that any ghost account allowed to stay connected to corporate resources once the user has no need of it should have interactive logins disabled, or if the account is really needed, a service account should be created in its stead. In addition, the team says that zero-trust measures should be implemented companywide to reduce potential attack surfaces.
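The audit that this recommendation implies, as an added example that is not from the Sophos report or from Red Sky Alliance: a Python routine that flags enabled accounts with no interactive logon inside a chosen window, escalates the ones that sit in privileged groups, and records the remediation Sophos describes (disable interactive logon, or move the workload to a dedicated service account and retire the ghost). The account records, the group names and the 90-day threshold are constructed assumptions; in practice the input would come from a directory export.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Groups whose membership makes a stale account a critical finding
# (assumption: adjust this set to your own domain's privileged groups).
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"})


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    last_logon: Optional[datetime]        # last interactive logon (UTC); None if never
    groups: frozenset = frozenset()
    is_service_account: bool = False      # dedicated non-interactive identity, reviewed separately


def find_ghost_accounts(accounts: List[Account], now: datetime, max_idle_days: int = 90) -> list:
    """Return findings for enabled, human accounts with no interactive logon inside the window."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for acct in accounts:
        if not acct.enabled or acct.is_service_account:
            continue                      # already disabled, or a reviewed service identity
        if acct.last_logon is not None and acct.last_logon >= cutoff:
            continue                      # recently used: not a ghost
        privileged = sorted(acct.groups & PRIVILEGED_GROUPS)
        idle_days = None if acct.last_logon is None else (now - acct.last_logon).days
        findings.append({
            "account": acct.name,
            "idle_days": idle_days,       # None means no logon on record at all
            "privileged_groups": privileged,
            "severity": "critical" if privileged else "medium",
            "action": "disable interactive logon; if a workload still depends on it, "
                      "move that workload to a dedicated service account and remove this one",
        })
    # Critical findings first, then alphabetical, so privileged ghosts are handled first.
    findings.sort(key=lambda f: (f["severity"] != "critical", f["account"]))
    return findings


# Constructed sample records standing in for a directory export; not real accounts.
AUDIT_TIME = datetime(2021, 1, 26)
SAMPLE_ACCOUNTS = [
    Account("j.doe.admin", True, datetime(2020, 10, 20), frozenset({"Domain Admins", "Domain Users"})),
    Account("a.smith", True, datetime(2021, 1, 25), frozenset({"Domain Users"})),
    Account("old.contractor", True, None, frozenset({"Domain Users"})),
    Account("former.user", False, datetime(2020, 6, 1), frozenset({"Domain Users"})),
    Account("svc_backup", True, None, frozenset({"Backup Operators"}), is_service_account=True),
]

if __name__ == "__main__":
    for finding in find_ghost_accounts(SAMPLE_ACCOUNTS, AUDIT_TIME):
        print(finding)
```

Service accounts are skipped here only because they are assumed to be tracked on their own inventory; an account that was never marked as one but is "kept for services" is exactly the case in the Sophos report, and it surfaces as a critical finding.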
In another case noted by Sophos, a new user account was covertly created on a corporate network and added to a domain admin group in Active Directory, and this account was used to delete roughly 150 virtual servers and deploy Microsoft BitLocker to encrypt existing server backups, piling on the pressure for payment.
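Detection for the account-creation scenario above, as an added example not taken from the Sophos case or from this report: it correlates Windows Security event 4720 (user account created) with events 4728, 4732 and 4756 (member added to a global, local or universal security-enabled group) and raises an alert when a freshly created account lands in a privileged group within a short window. The log lines are constructed and their key=value fields are a simplified stand-in for the real event XML; the privileged group list and the 24-hour window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumption: the groups whose membership changes warrant an alert in this domain.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
ACCOUNT_CREATED = "4720"                 # Windows Security: a user account was created
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}  # member added to global / local / universal security group

# Constructed sample: compact "timestamp event_id key=value ..." lines standing in for
# Security-log records forwarded from a domain controller. Not real telemetry.
SAMPLE_LOG = """\
2021-01-10T02:14:07Z 4720 subject=helpdesk01 target=backupadm
2021-01-10T02:15:31Z 4728 subject=helpdesk01 member=backupadm group="Domain Admins"
2021-01-11T09:00:12Z 4720 subject=hr.onboard target=new.hire
2021-01-11T09:02:40Z 4728 subject=hr.onboard member=new.hire group="Finance Users"
2021-01-12T10:30:00Z 4728 subject=it.admin member=long.time.admin group="Domain Admins"
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{4})\s+(.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # quoted values may contain spaces


def parse_line(line):
    """Parse one constructed log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event_id, rest = m.groups()
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(rest)}
    fields["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["event_id"] = event_id
    return fields


def detect_new_privileged_accounts(log_text, window_hours=24):
    """Alert when an account created by 4720 is added to a privileged group within the window."""
    created = {}   # account name -> (creation time, creating subject)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event_id"] == ACCOUNT_CREATED:
            created[ev["target"]] = (ev["time"], ev["subject"])
        elif ev["event_id"] in GROUP_ADD_EVENTS and ev.get("group") in PRIVILEGED_GROUPS:
            member = ev["member"]
            if member not in created:
                continue   # pre-existing account: still worth a review, but not this detection
            c_time, creator = created[member]
            age = ev["time"] - c_time
            if timedelta(0) <= age <= timedelta(hours=window_hours):
                alerts.append({
                    "account": member,
                    "group": ev["group"],
                    "created_by": creator,
                    "added_by": ev["subject"],
                    "minutes_between": round(age.total_seconds() / 60, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_new_privileged_accounts(SAMPLE_LOG):
        print(alert)
```

The third privileged-group addition in the sample (an account with no creation event in view) is deliberately not alerted by this rule; it belongs to a separate review of all privileged-group changes, which is noisier but catches an existing account being promoted.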
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data backup and off-site storage policies should be adopted and followed.
- Implement 2-factor authentication company-wide.
- Join and become active in your local InfraGard chapter; there is no charge for membership (infragard.org).
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures, and test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all employees and consultants working from home.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications that are directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/wapacklabs/
Twitter: https://twitter.com/wapacklabs?lang=en
Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949
TR-21-028-001_ghost_accounts.pdf