Lately there have been more and more ransomware attacks, where companies are faced with their systems and data becoming encrypted, and forcing them to pay a ransom to get access back to their data. A couple of weeks ago I started to subscribe to https://shadowintelligence.io/ feed just to see how many companies that are getting affected (and I’m guessing this feed is just showing the tip of the iceberg) I get multiple emails each day, informing about new businesses that are being affected by ransomware.
Also seen that there have been some targeted attacks against Norwegian Parliament as well https://www.zdnet.com/article/norwegian-parliament-discloses-cyber-attack-on-internal-email-system/ while we don’t know how the attackers gained access, we know some of the gateways such as Office 365, ADFS, BIG-IP is in use there.
Now looking in the attack patterns the different threat actors are using, it is a mix of the different examples described underneath here. This just showcases some of the ways that attackers can get access to your enviroment.
1: Exploiting known vulnerabilities to get access to the corporate network, such as exploiting vulnerabilities in remote access services (Looking at the vulnerabilities that have been with Pulse VPN, F5, Citrix NetScaler, Fortinet) and such it is a pretty long list. If attacks were able to utilize one of these they could get access to the inside of the corporate network. Also many of these providers also provide load balancing services and such and therefore be easy for attackers to manipulate load balancing services and expose them directly to the internet.
2: Access trough credential stuffing. This is where attackers are leveraging legtimate accounts to get access to the corporate network. This happens because user account information has been hacked, for instance if a user has used the same username and password for other 3.party websites and those sites get hacked. As an example of this, last week Norway Parliament was hacked trough E-mail. How the attackers got access is still not known, but looking at some of the representatives on the Norwegian Parliament on haveibeenpwnd.com showed that they like to reuse their account information for other 3.party websites as well.
3: Access trough brute-force attacks. What we have also seen from others is that attackers are performing password spray attacks, which are either going against Office 365 directly where they try to authenticate using legacy protocols which does not have the same protection mechanisms like the other authentication options in M365. Then a user login log might look something like this.
Microsoft is fortunately removing support for Legacy authentication protocols which will also limit the ability to do these password spray attacks. A Similiar attack vector to do password spray attacks can also be done against ADFS (Active Directory Federation Services) and especially if you are running an older version of ADFS such as 2012. With the newer additions of ADFS you have new features such as integation with Azure MFA.
4: Access trough compromised workstation or end-user machine. This can happen through a phishing email where the attackers lure a user to visit a website and download a payload or trough an attachment in an email. This can be trough an email from a spoofed domain to appear to be an email from an colleague or a legitiamate business. Also when looking at phising as the data shows, most kits have a short life, and the window of opportunity for most phishing kits is growing smaller. In fact, over a 60-day period, Akamai observed more than 2,064,053,300 unique domains commonly associated with malicious activity. Of those, 89% had a lifespan of less than 24 hours, and 94% had a lifespan of less than three days. Making it extremly difficult to block using traditional DNS protection services.
Now once an threat actor get’s access their approach differs. Some ransomware is just intended to spread and infect files that are available from the infected resources. Some threat actors will try to do lateral movement and try to gain elevated access to be able to 1: Infect as much as possible – Utilizing such as Domain Admins to infect all infrastructure and workstation within the domain, 2: Steal corporate data which they then upload somewhere and auction the data or hold the business “hostage”. Threat Actors that want to get higher level of prileve using different lateral movement techniques and tools to move around in the enviroment and in the end try to get access to a domain admin account.
Another issue that many companies have been facing when their systems got compromised and data was encrypted, was that their backup software also get impacted, which means that backup data was also encrypted.
So how can we protect our business completely from these kinds of attacks? First of it is important to map your enviroment and understand where those initial attack vectors are and determine the risk. Therefore I decided to split it into different sections and describe ways to reduce the attack surface and reduce the risk for ransomware in your enviroment.
1: Credential Stuffing
This is a brute-force attack technique, but instead of trying to guess passwords using “dictionaries” of common word combinations, attackers use lists of known valid credentials obtained from data breaches. As a company there are some tools and services that you can use to determine if user credentials have gotten compromised. 1: Is trough Azure AD Identity Protection, if you are using Azure AD as your main authentication service 2: Subscribe to haveibeenpwnd.com using domain search 3: Other tools like F-Secure Identity protection https://www.f-secure.com/en/home/free-tools/identity-theft-checker
Again to prevent future compromised credentials on 3.party websites, this is all about educating users about the risk of reusing usernames and password on other websites. Now regardless if we educate our end-users there will always be someone that forgets, so it is important that we have proper monitoring and logging in place to determine WHO / WHAT / WHERE / WHEN someone logged into our services. An example or monitoring tools that can be useful here is Azure Log Analytics which can be used to collect security events related to Active Directory and other services using other log formats such as Syslog.
Also important that you have properly configured Group Policy to ensure that important activities are logged into the security logs according to the baseline defined here –> https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations (as part of Stronger Recommendation policy)
Using Log Analytics you can then see when someone logged in, and if combined with Azure Sentinel you can also provide ML to determine abnormal user behaviour to logon processes to services such as running RDP (https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)
Here is also an list of different hunting queries that can be used together with collected logs (https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/SecurityEvent)
Against Active Directory, Microsoft also has a specific product called Azure Advanced Threat Protection which monitors and analyzes user activities and information across your network, such as permissions and group membership, creating a behavioral baseline for each user. This is not an replacement for traditional logging but is useful to detect certain attacks and lateral movement inside your domian.
2: Brute Force Attacks / Password Spray Attacks
When it comes to brute-force attacks or password spray attacks. This is determined on what kind of services the attackers are trying to brute force, therefore I listed some of the identity solutions / services and lists some of the protection mechanisms that you can use.
- ADFS: Many organizations have been affected by password spray attacks, where they had an old version of ADFS configured which was not enabled with any type of MFA solution, and therefore open to password spray attacks. Attacks are also often trying a range of usernames and therefore makes it difficult to block specific users. The best approach is to 1: Enabled extranet smart lockout feature (https://support.microsoft.com/en-us/help/4096478/extranet-smart-lockout-feature-in-windows-server-2016) and integrate with Azure MFA using the native integration https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa
- Azure AD / Office 365: Within Office 365 the biggest attack vector with password spray attacks are attacks trough the legacy authentication protocols, disabling these protocols will make it difficult for attackers to do password spray attacks (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication)
- Other SaaS services: For other Web applications and services, it is important that you as a company try to standarize on a single iDP for your end-users. If you are using third party SaaS services, look to integrate those with Azure AD to provide a centralized idp solution. Secondly if supported collect logs and activity monitor logon attempts to those as well, some SaaS services support integration against Microsoft Cloud App Security to monitor abnormal behaviour.
- Web Applications: When you have public facing web applications, they can also become a target for attackers which they try to get access to. If you have load balancers in front of these services, many of them have HTTP DoS protection features which can be used to present a JS challenge to determine if the attacks are coming from a legitimate client. Again look at others ways that these services can be exposed, trough services such as Azure Active Directory Application Proxy, where services are behind Azure AD Identity services. Regardless on which type of web server it is running, it is important that http logs are also collected and analyzed by a centralized log system to determine usage of the service. If you are using NGINX for instance you can also implement rate limiting to slow down requests, https://bobcares.com/blog/nginx-brute-force-protection/ or have IP reputation features that can also block requests from “known” IP addresses.
- VPN / Remote Access solutions: An important part is that providing a VPN or remote access solution is having again a centrazlied identity service. If you are already using Azure AD for MFA services, then look to implement the same MFA solution against the remote access or VPN service which can be done using the NPS Extension to provide a RADIUS integration against the VPN provider https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn or an better solution is if the remote access solution supports SAML and can be directly integrated against Azure AD.
3: Exploiting Vulnerabilities
Protection against vulnerabilities are pretty simple but yet difficult, patching. This may sound simple, but most companies struggle since their enviroment is complex and lacking the visibility to see the threat landscape and also having the resources to follow this up. There have been many companies that got compromised because of an unpatched Pulse VPN software 6 months after the vulnerability became known, same has been the issue with Microsoft Exchange where there was a big vulnerability https://healthitsecurity.com/news/82-of-vulnerable-microsoft-exchange-servers-remain-unpatched. This means that organizations need to do one of two things.
- 1: Follow the current threat landscape and looking at the trends based upon services that are deployed inside the company, then patch when new vulnerabilities emerge
- 2: Outsource services, to a cloud service or to a trusted partner. Now the issue that many companies are struggling with is resource/expertise to handle this on their own. Using a cloud service as an alternative can be an option or that you use a service provider.
- 3: Having a threat and vulnerability scanning solution which can also provide insight into current threats to be able to easier see vulnerabilities in your organization. As an example here Microsoft provides with Security Center which can do threat detection on infrastructure and services, also together with Qualys provide application based vulnerability scanning.
4: Compromised endpoint
Now since most infections and cyberattacks starts with an email it is important that you have predefined security in place in your email service to block as much phising email as possible and also remove spoofed email from internal domains and also have scanning of attachments and URL’s in links to ensure that users are not tricked into running some form of payload on their endpoint.
Now there are a couple of things that need to be part of this security chain.
- 1: Email based security:
Here there are different security mechanisms that needs to be in place to reduce the amount of spam mail, such as looking into the DNS security. This is where some core DNS specifications to DMARC, DKIM and SPF which provides the following. Put simply, SPF, DKIM and DMARC are ways to authenticate your mail server and to prove to ISPs, mail services and other receiving mail servers that senders are truly authorized to send email. When properly set up, all three prove that the sender is legitimate, that their identity has not been compromised and that they’re not sending email on behalf of someone else. These features can limit the use of spoffed emails looking to orginate from within your own organization and can therefore also limit the use of phising attacks. There is also an guide which showcases a lot of the security best-pratices for Office 365 and the surrounding ecosystem (https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2MHP5)
Office 365 also has many different security mechanisms that can be used to decect and block email containing malicious attachments and malicious URL’s. These services are part of Office 365 ATP https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide
They also have anti-phising features which uses Machine Learning to detect abnormal behaviour https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide#exclusive-settings-in-atp-anti-phishing-policies
- 2: Endpoint based security
If the attackers managed to send an email which has bypassed all the traditional email security features then the next part is having features in place to ensure that the endpoint doesn’t execute the payload or be able to block the content.
The first aspect is having a client which is running anti-malware and EDR solution to be able to see process/files/registry changes and activity on the machines and also be able to block against threats either based upon signatures or other sandbox detection mechanisms. In many cases, new malware and payloads doesn’t need a lot of permissions or is a new variant and therefore undetected by many anti-malware providers which also means we need more layers of security. To showcase some of the features which can be used to provide protection in the different layers.
* Application Guard ( Which is now available for Browsing and Office –> https://support.microsoft.com/en-ie/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46 ) runs content in a locked down VM container which prohibits communication with host OS.
* Restricting PowerShell and logging activity –> https://www.digitalshadows.com/blog-and-research/powershell-security-best-practices/
- 3: Monitoring and logging
Now regardless of which service you are using for email, it is important to have proper logging in place to ensure you have visibility into email traffic and also see what is going on from an endpoint perspective. A lot of the ransomware payload today which is running on the endpoint which can start as an simple excel sheet or word document with a macro or a executable which runs a powershell script and psexec command to download more payload or communicate with other resources on the same network.
Office 365 provides an pretty extensive logging features which can be enabled (not enabled by default): https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide and can also be forwarded to Log Analytics or Azure Sentinel to provide a centralized log management service.
This list also showcases some of the different log sources that should be collected to be able to monitor for abnormal behaviour in a windows based enviroment –> https://www.cyber.gov.au/sites/default/files/2019-10/PROTECT%20-%20Windows%20Event%20Logging%20and%20Forwarding%20%28April%202019%29.pdf
- 4: Design to reduce infection to other parts of the infrastructure
So what if your endpoint is compromised and the attackers have managed to buypass all the security mechanisms that are part of your security platform? Historically endpoints have been bart of Active Directory and been one happy family. Which itsleft presents a problem, this means if that someone managed to compromise an account/device which has high level of access it will also automatically spread to other part of the infrastructure the users has access to.
From there they can also use a range of different tools and techniques to do lateral movement, essentially climbing further up in the infrastructure and trying to get higher level of access to systems. The end goal? to be able to infect/distribute their ransomware to as many end-users/devices as possible. Such as the operators behind the MAZE ransomware use a combination of tools such as Bloodhound and PingCastle to map and understand customers Active Directory structure. They also often leverage tools such as Procdump and Mimikatz to collect end-users credentials for a later stage attack.
Once the attackers get high-level access to a set of privileged user accounts, they strike. Using a combination of different built-in functionality and tools to propagate the ransomware. The attackers often use tools and built-in features like
- Group Policy
- Administrative shares, Network Shares
- Microsoft PsExec tool
- WMI, SMB or other remote tooling to deploy the payload/executable
- They have also been known to leverage unpatched exploitation methods (e.g., Eternal Blue – addressed via Microsoft Security Bulletin MS17-010).
Which they then use to distribute the ransomware across clients, servers and data in the organization to infect as much as possible.
Much of the technique they use to distribute their ransomware is possible because of the way Active Directory is configured and has historically operated, where end-users and devices have been part of a large trust-based architecture. Which means that if you are on the inside you can based upon the arhicecture get access and SSO to resources as long as you have access.
One way around this is building an architecture using Azure Active Directory.
Moving end-users and devices to an Azure AD based management, means that devices are no longer part of the Active Directory domain. Much of the innovation and development that Microsoft is now doing is within the Windows 10 and the ecosystem. Also seeing that moving forward Azure AD will be centralized management service as will replace Active Directory.
Moving devices to Azure Active Directory means that we can use conditions to determine if a user/device should get access to data and applications. Looking back an example with an infected device, we can with Azure Active Directory have Conditional Access Policies which are then used to determine the health of the device and user to ensure that there is no risk before they are allowed access to the data. With the machines being Azure AD based, it means that attackers cannot directly leverage lateral movement techniques against admin shares and network drives using regular SMB protocols or tooling like Group Policy.
Azure Active Directory also collects health/risk information from multiple sources to determine the risk of the user and the device the user is coming from, such as Defender ATP, Azure ATP, and Microsoft Intune. These in turn can be used to determine if the user or device are allowed to access data or an application.
Another part to reducing the impact of ransomware attacks, is that data should be moved away from traditional file servers to a type of cloud-based storage solution such as OneDrive For Business where you have versioning capabilities, there are few ransomware attacks that affects cloud-based storage from an end-user client. Secondly storage services which are integrated with Azure AD means that we can have the same security mechanisms in-front of storage services as well.
5: Protecting backup services
If we manage to move to a full Azure AD based management for our end-users and clients, many servers and applications might still be dependant of Active Directory. Therefore it is also still important if you want to protect against ransomware attacks that you
- Have an Active Directory disconnected backup solution (reduces risk for lateral movement)
- Have an offline backup (reduced the risk that backup data is also encrypted)
- Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite. This can be easily done using Cloud based backup solution as an cheap offsite backup option, such as Azure Backup or Veeam Backup.
- Verify backup data integrity and that you have a Disaster Recovery plan.
- Also there are different features in M365 and Windows 10 you can use to reduce the risk of ransomware attacks or the effect it has –> https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recover-from-ransomware?view=o365-worldwide
The most important part is educating the users so they can identify social engineering and spear-phishing attacks. Since the initial compromise often happens trough email or malicious websites, but again a topic for another section.
Now the final advice I want to give, is just a copy of the conversation between a company and the ransomware support team after the infected business paid the ransom. Where the “support” team posted a list of different recommendations.
And note that no infrastructure is non-hackable, and as Microsoft mentioned from time to time, assume breach and that you align security thereafter. How to monitor and prepare if an attack happens and secondly even if your enviroment might not be non-hackable, you can atleast make it extremlly dificult for someone to get access with the advise listed above.