Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2020-02-11) Fox-IT Report Available On Cyber Attack Against University Of Maastricht

Posted by Jorge on 2020-02-11


On December 23rd 2019 a cyber-attack occurred against the University of Maastricht. Fox-IT, a Dutch security company and part of the NCC Group, supported the University of Maastricht and in the end wrote a report with the findings. The University of Maastricht made that report publicly available so that others could learn from it. Kudos to the University of Maastricht for sharing this information.

The report is in Dutch and can be found through: https://www.maastrichtuniversity.nl/file/49715/download?token=B0jN2wyV

If you do not understand Dutch, or do not want to read the full report, below you can find an extract in English of that report. Please be aware that the text below is a summary of the Dutch report written by Fox-IT. This summary may lack the required (detailed) context that is available in the report.

High Level:

  • Cyber-attack on December 23rd 2019
  • Infrastructure of 1647 Linux/Windows Servers and 7307 workstations. Attack against part of the infrastructure, 267 servers in the AD domain (e.g. domain controllers, e-mail servers, file servers, backups servers)
  • Attacker focused on encrypting data in the AD domain to demand ransom in the end. Part of systems were compromised, incl. (online) backups

Environment:

  • University of Maastricht
  • Public organization, with 4500 employees, 18000 students and 70000 alumni
  • Infrastructure contains multiple server (types) and workstations that are not (fully) controlled by central IT
  • Part of the infrastructure centrally managed and part decentrally managed by faculties, and both connected to central network
  • Workstations are desktops, laptops and VDIs. VDIs accessible through thin-clients and browsers

Lessons Learned

  • Multiple phishing mail variants received. Because phishing mails looked similar, one variant did not get enough attention. Better detection needed
  • Signed macros only. Phishing mails contained links to Excel files with unsigned macros
  • Improved processes for vulnerability and patch management. Keep systems up-to-date and make sure updates are installed successfully. Attackers used vulnerabilities in software (Eternal Blue Exploit). (e.g. One patch was not installed because its installation had failed.)
  • Better segmentation of the AD domain (tiering and delegation) and implement secure configurations as much as possible, and get rid of insecure configurations. Default domain admin account was used for work on regular servers (was against existing policy!). Due to a compromised server and usage of a very powerful account on that server, AD domain was compromised too. Malware and ransomware got installed after that using default domain admin account
  • Better segmentation of the network itself. Current network has multiple VLANs, but still too open. Due to that openness of the network it was still too easy to move around. Stricter segmentation would have made it more difficult to move around by the attacker
  • (Better) 24/7 monitoring/logging through SIEM and SOC. Signals with unusual patterns, peak activities and/or high risks need to be filtered and detected better/easier/earlier and become more visible from the huge amount of data (per second 30000 breach attempts blocked, 1400 malware attacks stopped, thousands of signals a day in multiple logs). Implementation of end-point monitoring and network sensors started to detect traffic and distinguish between regular and malicious traffic (both incoming as lateral movement) (was already planned before breach to do so)
  • Up-to-date and clean CMDB. During recovery lots of time was invested to determine impact on systems/environment. View on active systems and decommissioned systems was not good enough, which made it more difficult to get understanding of actual status
  • Multiple backups, both online for quick recovery as needed and offline availability of backups to make sure these remain uncompromised. Due to having only online backups for quick recovery when system(s) became unavailable, the backups were also encrypted
  • Make sure to have incident response plans for different scenarios and keep it up-to-date. On planned basis, practice different crisis scenarios and improve plans as needed
  • Increase security awareness of both employees as students

More details (not in structured order):

  • Compromised system is system with attacker activity of malware traces. 269 servers were determined to be compromised
  • Compromised account is account used by attacker, after forensic analysis. 5 accounts were determined to be compromised
  • Next to Windows systems, Linus and OS X systems are in use that were not touched by the attack. Attack focus was Windows servers
  • 2 phishing e-mails opened on October 15th and 16th 2019. Phishing mails contained links to Excel file with Macro that downloaded malware (SDBBot) from server on internet.
  • Multiple systems compromised between October 16th 2019 and December 23rd 2019
  • On November 21st 2019 attacker gained access to infrastructure through a server that was missing security updates (vulnerable for Eternal Blue exploit)
  • On December 23rd 2019, "Clop-ransomware" was deployed to 267 Windows Servers. "Clop-ransomware" uses RC4 encryption algorithm. RC4 key is generated randomly per file and encrypted with an RSA 1024 bit public key. Only the attacker has the private key. All encrypted file received the “.CIop” extension and in every folder the file “CIopReadMe.txt” with instructions was added
  • After thorough analysis of the breach, ransom was paid on December 30th 2019
  • Traces were found that attacker gained information amongst others about topology, servers, usernames and passwords
  • Carbon Black was installed by security company and used to get insights on traffic and activity. Installation was initiated on compromised servers followed by non-compromised servers and workstations (more than 90% of systems were covered by this tool)
  • Focus was on quick recovery of functionality, but also safeguarding all kinds of research information to be able to perform forensic analysis at a later stage
  • With forensic analysis, attack path and scope or attacker was made visible
  • Counter measures to stop attack (amongst others): close network traffic to and from internet, and to and from WIFI networks, reset passwords of all accounts (admin, service, regular)
  • Network traffic gradually being allowed again after setting up monitoring/sensors
  • Definition of so called crown jewels determine the priority of recovery
  • Malware communicated on regular basis with home server (every 15 minutes) and registered itself to become and remain persistent, event after reboots. Through this malware other tools (Meterpreter) were used for interaction. Meterpreter was installed on other servers (2x Windows Server 2003 R2 lacking the MS17-010 patch, 1x Windows Server 2012R2 and 1x unnamed), most likely through the Eternal Blue exploit as those servers were vulnerable for it. Other unnamed server was not vulnerable for Eternal Blue exploit, but still got infected somehow. Patch KB4525243 prevents the Eternal Blue exploit
  • PowerSploit was used for reconnaissance of systems/network and vulnerabilities
  • PingCastle was used to get graphical view of AD structure and misuse weak configurations
  • Cobalt Strike with mimikatz was used
  • SAGE.EXE was “installed” on 4 servers and was used to distribute ransomware and at the same time turn off Windows Defender, all through the use of the default domain admin account. On one server antivirus detected and removed SAGE.EXE. In the end attacker removed antivirus and reinstalled SAGE.EXE. Later antivirus was removed from other servers too
  • Attacker activity was already detected in earlier stage and send to central log server. Unfortunately those detections were not proactively taken care of or actioned upon (Windows Defender detected, removed (and logged this) PowerSploit) (Antivirus multiple times detected and logged use of Cobalt Strike and Mimikatz, but did not stop due to “observer/audit only mode”)

Info about attacker:

  • Group “TA505” or “GraceRAT” or “Dridex-RAT-Group”
  • Use Clop ransomware
  • Targets orgs with AD
  • 150 victim orgs in 2019
  • In period 2014-2017 attacker focused on attacking orgs in financial sector in EU as USA
  • In period 2017-2019 attacker focused on attacking financial orgs with creditcard issuing systems in South- and Central America, Africa and Central and Southeast Asia.
  • Attacking orgs in financial sector still takes place

Modus operandi attacker:

  • Infect systems through phishing mails
  • Identify org
  • Lateral movement within network
  • Remove and encrypt backups
  • Deploy ransomware on as many systems as possible
  • Demand ransom per e-mail (amount depends on size of org)

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

 
%d bloggers like this: