Attackers unleash LockBit ransomware on US government computers

According to Sophos, the route of attack stemmed from vulnerabilities in the system’s open firewall ports.

New findings from cybersecurity company Sophos show some of the methods employed by hackers when it comes to exploiting gaps in federal devices. One attack highlighted in the report found that ransomware groups spend at least five months combing through a regional U.S. government agency’s files and system before deploying a LockBit attack onto the affected computer.

“This was a very messy attack,” said Andrew Brandt, principal security researcher at Sophos. “Working together with the target, Sophos researchers were able to build a picture that started with what appears to be novice attackers breaking into the server, poking around the network and using the compromised server to Google a combination of pirated and free versions of hacker and legitimate admin tools to use in their attack.”

How a government computer was infiltrated

Over a period of nearly half a year, hackers prodded through the target network, then used the Google Chrome browser to find and install hacking tools onto the affected server. From there, a number of different pieces of hacking equipment, such as password brute-forcers and crypto miners were installed on the computer, along with custom scripts and configuration files for ransomware that were later found to be in the targeted system.

The unskilled but effective attack then attempted to employ IT management software to avoid detection, through use of tools such as ScreenConnect and AnyDesk, typically used for remote access purposes. It was later discovered by Sophos that in the setup of the system itself, the IT team left open RDP ports on a firewall for public access to the server, allowing for the infiltration by the hacking group in question.

SEE: Mobile device security policy (TechRepublic Premium)

Once remote access was enabled, the LockBit ransomware was then deployed on the system by taking advantage of the system vulnerability. The malicious parties attempted to cover their tracks once finished by deleting log files, but Sophos was able to reconstruct the steps taken for the hack to take place, as it was suspected to have been perpetrated by unsophisticated cyberattackers.

“This case is a compelling reminder that while stories about APT’s and zero-day attacks dominate the news, many cyberattacks come from relatively unsophisticated individuals taking advantage of simple errors or easily avoided misconfigurations,” said Chris Clements, VP of Solutions Architecture at Cerberus Sentinel. “In this case, there were many failures by the organization that were the equivalent of rolling out the red carpet to the attackers. Leaving RDP access open to the internet is extremely risky. Automated bots routinely scan the entire internet for open RDP servers to brute force with common accounts and passwords. In this situation the attackers lucked into guessing credentials for an account that was not only an administrator on the exposed system, but also had administrator rights to the entire network. This would have been an immediate game over situation for any experienced attacker, but the initial attacker here appears to have been extremely inexperienced.”

Staying protected from cyberattacks

The one silver lining in this situation was that the attackers seemed inexperienced and not sure what to do after gaining access to the government network. In many cases, affected organizations are not so lucky to be able to reconstruct the timeline and method of attack. Brandt recommends that businesses take an around the clock approach to cybersecurity, along with making determinations on how and why software is downloaded to devices on the network.

“A robust, proactive, 24/7 defense-in-depth approach will help to prevent such an attack from taking hold and unfolding,” he said. “The most important first step is to try to prevent attackers from gaining access to a network in the first place, for example by implementing multi-factor authentication and setting firewall rules to block remote access to RDP ports in the absence of a VPN connection. If a member of the IT team hasn’t downloaded them for a specific purpose, the presence of [unrecognized] tools on machines on your network is a red flag for an ongoing or imminent attack.”

This type of attack is also a lesson in taking extra precautions when it comes to network setup and ensuring any potential routes of attack are shut down through constant monitoring by the IT team. If ransomware can find a way into and infect a federal network, it is critical that organizations without government-level cybersecurity take time to make sure virtual safeguards are in place in case of attack.