
Recently, a company in northern Italy was the victim of a serious cyber attack that resulted in the compromise of its infrastructure and the interruption of its operations.

The perpetrators of the malicious attack gained unauthorized access to the infrastructure through a VPN connection and distributed ransomware, encrypting several servers.

The attack: Ransomware as a Service

The attack was claimed on its Data Leak Site (DLS) by the cyber-criminal gang LockBit, which operates under the Ransomware as a Service (RaaS) model.

Ransomware is a type of malware introduced into an organization's network in order to encrypt data and make systems unavailable. Once the data has been encrypted, the criminals demand a ransom from the victim, payable in cryptocurrency, in exchange for decrypting the data. If the victim refuses to pay, the criminals proceed with double extortion, i.e. they threaten to publish sensitive data previously exfiltrated from the victim's IT infrastructure.

LockBit’s Ransomware as a Service is used for highly targeted attacks against specific companies and other organizations. LockBit’s ‘affiliates’ deposit money for the use of customized attacks for hire and profit from an affiliation framework. The ransom payments are divided between the LockBit developer team and the affiliate attackers, who receive up to ¾ of the ransom funds.

It is considered by many authorities to be part of the ‘LockerGoga & MegaCortex’ malware family. This simply means that it shares behavior with these established forms of targeted ransomware and has the power to self-propagate once executed within a computer network.

Incident Response

Cyberoo's Incident Response Team was tasked with conducting an in-depth investigation of the incident and providing recommendations to prevent a recurrence of similar attacks. The main objective of the investigation was to determine the tactics, techniques, and procedures (TTPs) used by the attackers, and to reconstruct how and when they gained access to the network.

Although the attacker's method of access may at first seem simple, even trivial, the analysis by Cyberoo's Incident Response Team revealed something unexpected during the investigation.

Analysis

The analysis conducted by Cyberoo showed that the attacker did not carry out any kind of attack on the exposed VPN system. The attacker simply entered the VPN with a valid username. He did not, however, possess valid credentials for that account: he logged in with an existing username without knowing its password.

Cyberoo discovered that the vulnerability was not caused by the VPN connector appliance itself, nor by the credential management system (the Domain Controller), but by the combination of the two systems' configurations: put together, they produced a vulnerability that neither system would have had on its own. The systems involved were Cisco and Microsoft products.

The configuration implemented on the VPN appliance, together with that of the Domain Controller, meant that an existing username combined with literally any password would be granted access. The attacker exploited this by using a non-nominal (generic) account that is present on most systems and, simply by entering an initial test password, gained full access to the system.

[Figure: VPN breach]

Response

The Cyberoo team then secured the entire infrastructure, promptly restoring the company's security posture and resolving the vulnerability.

Below is an excerpt of the VPN connector configuration for access to the Domain Controller:

tunnel-group client type remote-access
tunnel-group client general-attributes
 address-pool VPN02
 authentication-server-group AD

aaa-server AD protocol ldap
aaa-server AD (vlan202) host 192.168.1.2
 ldap-base-dn DC=client,DC=local
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn CN=asa,OU=Service Users,OU=client,DC=client,DC=local
 server-type Microsoft
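The symptom described in the analysis (an existing account accepted with any password) can be checked directly against the directory the ASA authenticates to. The following is an added example, not Cyberoo's code or the affected company's configuration: it reads the LDAP host out of an aaa-server stanza like the one above and runs two binds that must be rejected for an existing account. The bind function is injected so the logic runs offline; ldap3 and the CN=svc-test account are assumptions.

```python
import re
import secrets
from typing import Callable, Dict, List

# Constructed excerpt mirroring the aaa-server stanza above (names anonymised as on the page).
ASA_CONFIG = """
aaa-server AD protocol ldap
aaa-server AD (vlan202) host 192.168.1.2
 ldap-base-dn DC=client,DC=local
 ldap-scope subtree
 server-type Microsoft
"""

def parse_ldap_server(cfg: str) -> Dict[str, str]:
    """Extract the LDAP host and base DN the ASA authenticates VPN users against."""
    host = re.search(r"aaa-server \S+ \(\S+\) host (\S+)", cfg)
    base = re.search(r"ldap-base-dn (\S+)", cfg)
    if not host or not base:
        raise ValueError("aaa-server stanza lacks host or ldap-base-dn")
    return {"host": host.group(1), "base_dn": base.group(1)}

BindFn = Callable[[str, str, str], bool]  # (host, user_dn, password) -> accepted?

def probe(bind: BindFn, host: str, user_dn: str) -> List[str]:
    """Try binds that MUST fail for an existing account; one finding per acceptance."""
    findings = []
    # A fresh random password cannot be the real one, so acceptance means the
    # password is not actually being checked (the symptom seen in this incident).
    if bind(host, user_dn, secrets.token_urlsafe(16)):
        findings.append(f"{user_dn}: bind accepted with a random password")
    # DN plus empty password is an 'unauthenticated bind' (RFC 4513 section 5.1.2);
    # a server that answers it with success lets anyone log in as that account.
    if bind(host, user_dn, ""):
        findings.append(f"{user_dn}: empty password accepted (unauthenticated bind)")
    return findings

def ldap3_bind(host: str, user_dn: str, password: str) -> bool:
    """Real simple bind over LDAPS using ldap3 (assumed installed)."""
    from ldap3 import Connection, Server
    from ldap3.core.exceptions import LDAPPasswordIsMandatoryError
    try:
        conn = Connection(Server(host, use_ssl=True), user=user_dn, password=password)
        accepted = conn.bind()  # False on invalidCredentials; socket errors propagate
    except LDAPPasswordIsMandatoryError:
        return False  # ldap3 never sends an empty simple bind; verify that case server-side
    conn.unbind()
    return accepted

if __name__ == "__main__":
    srv = parse_ldap_server(ASA_CONFIG)
    # Placeholder DN: use an account that exists in the directory under test.
    for line in probe(ldap3_bind, srv["host"], "CN=svc-test,OU=Service Users,DC=client,DC=local"):
        print("FINDING:", line)
```

Because ldap3 refuses to send an empty simple bind at all, the empty-password case is reported as rejected by `ldap3_bind` and has to be confirmed on the directory configuration itself.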