Hacker in dark room showing LockBit ransomware attack on government agency network

Threat Actors Lurked on a Government Agency Network for 6 Months Before Deploying LockBit Ransomware

Attackers breached the network of a regional U.S. government agency and lurked in the network for six months before deploying LockBit ransomware, Sophos researchers found.

The intrusion involved a seeming novice attacker who gained the initial entry before transferring control to a more sophisticated threat actor who deployed ransomware.

The attacker searched for free hacking tools using the compromised server, sometimes self-infecting with adware from dodgy download sites.

Additionally, they tried to maintain persistence by creating user accounts and installing free and commercial remote access tools.

Government agency compromised via open remote desktop protocol ports

SophosLabs researchers said the compromise method was nothing spectacular. The attackers gained initial entry into the government agency network in September 2021 via open RDP ports on a network with a firewall configured to provide public access to the server.

Sophos says that the government agency’s security team made strategic mistakes that allowed the attackers to spread laterally and access internal resources. This happened after a technician disabled Sophos Tamper Protection during a maintenance procedure.

“With no protection in place, the attackers installed ScreenConnect to give themselves a backup method of remote access, then moved quickly to exfiltrate files from file servers on the network to cloud storage provider Mega.”

The Sophos research team stated that deploying MFA and creating firewall rules blocking remote access to RDP ports would have stopped the threat actor.

The hacker downloaded various tools for scanning, brute-forcing passwords, file management, command execution, and a cryptominer. The use of freeware such as PsExec, FileZilla, Process Explorer, and GMER was also evident in the compromised government agency network.

Additionally, the attackers installed free and pirated versions of commercial remote access tools such as ScreenConnect during the initial and AnyDesk in the latter stages of the attack.

Sophos Labs Principal Security Researcher Andrew Brandt painted a picture of a confused novice hacker with no urgency or plan on how to proceed.

Consequently, they would leave the system unbothered for days, including public holidays. For the most part, the attacker was content poking around and creating a few accounts on the initial entry machine or others.

“The goal of the hacker is to stay persistent in the victim’s enterprise,” Garret Grajek, CEO at YouAttest. “In this way, they can laterally move across the network and discover resources worth exfiltrating and/or ransoming. Given that hackers are playing the “long game”, – the hackers are willing to “go slow” as they explore the enterprise. ”

The attacker relied on Google search and shady download sites infested with adware and unwanted programs. Sophos said the unintentional self-infections added noise to the logs. Other activities included opening random files and performing speed tests on the compromised system.

Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, said the effortless compromise of the government agency was a reminder that attackers exploit simple and avoidable errors.

“In this case, there were many failures by the organization that were the equivalent of rolling out the red carpet to the attackers,” Clements said. “Leaving RDP access open to the internet is extremely risky. Automated bots routinely scan the entire internet for open RDP servers to brute force with common accounts and passwords.”

Clements predicted that the situation would have been a “game over” for a sophisticated attacker, considering that an administrative account with network privileges was compromised.

“The fact that the attacker was able to compromise an administrative system account likely means that a relatively simple password was in use,” he added. “Modern wordlists attackers use to attack passwords, many of which are publicly available, can be surprisingly good. They aren’t just guessing ‘password’ anymore, but also commonly used substitutions like ‘pa55w0rd’ and permutations like ‘pa55w0rd2022’.”

Second-stage attacker deployed LockBit ransomware but failed to encrypt all files

The attack sequence changed after the fourth month in mid-January, when an experienced attacker joined the fray. The sophisticated attacker began by installing Mimikatz and LaZagne post-exploitation tools.

However, the attacker attracted the security team’s attention by deleting logs, rebooting servers remotely, and disabling the security software.

“Disabling features like tamper protection on endpoint security software seemed to be the critical lever the attackers needed to completely remove protection and complete their jobs without hindrance,” Sophos said.

Sophos blamed the network defenders for not heeding the warning and allowing the attacker to successfully execute Mimikatz.

Subsequently, the attackers dumped network account credentials and executed network scanning tools in preparation for lateral movement. The attackers also checked their RDP abilities and created new user accounts to maintain persistence and avoid dislodging.

Sophos says the threat actor successfully accessed sensitive personnel and purchasing files within minutes on the first day of the sixth month.

The cyber security firm joined the government agency network response team and helped shut down at least 60 servers and perform network segmentation.

However, the threat actor had begun encrypting the network with LockBit ransomware. Luckily, the team recovered some files on some computers because the LockBit ransomware had only renamed them without encryption.

“The attackers then collected and exfiltrated data and deployed the LockBit ransomware. The ransomware attack had limited success, and the attackers failed to encrypt data on some machines,” said Sophos.

According to CISA, LockBit ransomware compromises organizations via purchased access, insider threats, unpatched vulnerabilities, and zero-day exploits.

Sophos did not disclose the identity of the group that compromised the undisclosed government agency. Being a ransomware-as-a-service, LockBit ransomware appears in many ransomware attacks by various affiliates. LockBit’s affiliate program is one of the most successful, and its encryption technology is among the best.