Luis Corrons, technical director of PandaLabs, Panda Security

The attacks that companies are facing today are increasingly complex, sophisticated, and customised.

The number of attacks directed at corporations will increase, as these attacks become more and more advanced. Companies are already the prime target of cyber-criminals, as their information is more valuable than that of private users and can be used as leverage or to make a profit on the black market.

Big companies from strategic sectors are not the only ones that should be paying attention. Small and medium-sized enterprises are also turning out to be victims of advanced cyber-attacks.

This example concerns an attack that took place in February 2017 in which the victim was a medium-sized company that, despite having offices in ten countries across Europe and America, only has a few hundred computers — including servers. Like any company, it has plenty of information in its possession (data from clients, suppliers, etc) valuable to the organisation. But it does not belong to a strategically important sector nor does it have state secrets that might make it the target of government-sponsored attacks. In the end, it's just another company.

Nonetheless, we're dealing with a targeted attack. This is not because the tools used to carry it out were specific to this kind of attack — although this is also true — but rather because the attacker adapts to the different security measures that he finds as he goes, acting in real time while infiltrating the victim's network.

The company in question had recently acquired an intelligent cyber security platform and was in the middle of rolling it out across their network when attempted attacks were detected by the computers that already had the solution installed. The most unusual thing about this case is the coincidental timing — as the network administrators were implementing the solution, the attackers were already inside the network. Because of this, the entry vector was missed, but we did have the “good fortune” that one of the first machines to have the system installed was already completely under attacker control. We were therefore able to witness their actions in real time as they prepared to launch their attack against the rest of the corporate network.

Preparation of the attack

The attacker on this particular computer logged in with the credentials of one of the domain users. Afterward, he copied the CSVDE program into the system and then ran it. CSVDE is a tool developed by Microsoft, and in this case was employed (on the basis of the parameters used by the attacker) to compile a list of all the devices connected to the victim's network.

Next, he copied and ran a customised version (7cfdf218e3ccbf23ee1ee3effeb29604) of Mimikatz, a well-known tool that allows users to gather credentials in order to, for example, use them in attacks such as pass the hash and make lateral movements within a network.

Finally, he used a Microsoft tool called net user to obtain a list of all users in the domain. Although these actions could very well have been automated, we know that this was not the case because at some point the attacker made an error while typing out a command and had to correct the operation.

Over the course of the next two days, the attacker laid low and carried out no further actions, at least on the computers where the cyber security solution was present. Later, we discovered that during those 48 hours, he had been preparing the tools that he would use for the final attack.

When he returned, he reconnected to the initial computer with the same username. He used a file containing a list of every network computer and launched a tool (c1c9193b576344e0820131049b39fbd8) that allowed him to see which computers he had access to. The list is passed to this program as a parameter, and it generates two output files: alive.txt and unreach.txt. The compilation date of the tool is only a few weeks prior to the attack, leading us to believe that it was created specifically for this attack.

The first hacking tool copied and ran yet another tool (eaaaab1f725c147364a98dd3b110ce1cip) which attempted to copy a file to each of the other computers on the network. Should it succeed, it would then add the device name to the alive.txt file. The user credentials the hacker had purloined did not have high enough permissions, so the operation was repeated, this time with network admin logins, and the application relaunched. This time he succeeded, since the admin is authorised to copy files to all devices in the network. Like the previous tool used, the second tool's creation date was just a few weeks before the attack.

Finally, the attacker tried out the Microsoft tool called psexec, which allows the user to remotely run files. With this, everything is in place to copy and run any file on any computer in the network.
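The preparation steps above (CSVDE enumeration of domain computers, a renamed Mimikatz build, `net user`, then PsExec) are individually unremarkable in many environments, but seen from one host and one account within a few days they form a recognisable chain. The following Python script is an added example, not PandaLabs' or the victim company's code: it correlates constructed process-creation events per host and user and flags a principal once at least three of the described stages appear inside a correlation window. The log format, host and user names, the stage labels, the four-day window (chosen because the attacker in this write-up paused for two days between reconnaissance and the next steps) and the match patterns are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage labels are our own; patterns are case-insensitive substrings matched
# against the image path plus command line. Matching on command-line content
# as well as file name catches a renamed binary, as in the write-up.
STAGES = (
    ("ad_enum",     ("csvde.exe",)),
    ("cred_dump",   ("mimikatz", "sekurlsa")),
    ("user_enum",   ("net user", "net1 user")),
    ("remote_exec", ("psexec",)),
)
WINDOW = timedelta(days=4)   # assumption: covers the 48-hour pause described
MIN_STAGES = 3               # assumption: three distinct stages = alert

# Constructed sample telemetry in a simplified 4688/Sysmon-like form:
# timestamp|host|user|image|command line. Not events from the incident.
SAMPLE_EVENTS = [
    r"2017-02-06T09:12:03|WS-042|CORP\jdoe|C:\Windows\System32\csvde.exe|csvde -f computers.csv",
    r"2017-02-06T09:12:40|WS-042|CORP\jdoe|C:\Windows\explorer.exe|explorer.exe",
    r"2017-02-06T09:15:11|WS-042|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\svchost32.exe|svchost32.exe sekurlsa::logonpasswords",
    r"2017-02-06T09:20:55|WS-042|CORP\jdoe|C:\Windows\System32\net.exe|net user /domain",
    r"2017-02-07T14:01:00|WS-017|CORP\asmith|C:\Windows\System32\net.exe|net user /domain",
    r"2017-02-08T11:30:07|WS-042|CORP\jdoe|C:\Tools\PsExec.exe|PsExec.exe \\WS-017 cmd.exe",
]


def parse_event(line):
    """Split one pipe-delimited event into a dict with a parsed timestamp."""
    ts, host, user, image, cmdline = line.strip().split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image, "cmdline": cmdline}


def classify(event):
    """Return the first stage label whose patterns match, or None."""
    haystack = (event["image"] + " " + event["cmdline"]).lower()
    for stage, patterns in STAGES:
        if any(p in haystack for p in patterns):
            return stage
    return None


def find_chains(lines, window=WINDOW, min_stages=MIN_STAGES):
    """Map (host, user) -> ordered distinct stages for principals whose
    matched events cover at least min_stages inside one window.
    A lone 'net user' (as on WS-017) never reaches the threshold."""
    per_principal = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        stage = classify(ev)
        if stage:
            per_principal[(ev["host"], ev["user"])].append((ev["ts"], stage))

    hits = {}
    for key, events in per_principal.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = [s for t, s in events[i:] if t - start <= window]
            distinct = list(dict.fromkeys(in_window))  # order-preserving dedupe
            if len(distinct) >= min_stages:
                hits[key] = distinct
                break
    return hits


if __name__ == "__main__":
    for (host, user), stages in find_chains(SAMPLE_EVENTS).items():
        print(f"ALERT {host} {user}: {' -> '.join(stages)}")
```

Run it as-is and the only alert is for WS-042 / CORP\jdoe with all four stages; the administrator on WS-017 who merely ran `net user /domain` is not reported. In practice the substring patterns would be replaced by the detection rules of whatever telemetry pipeline is in use, but the per-principal, windowed correlation is the part that turns four low-signal events into one high-signal one.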

The final attack

Note: All binaries used in this phase of the attack were compiled just two days prior to the attack.

The following day, the hacker connected again and copied an updated version (3713d488a5720f03ecd6d4ed22327dad) of the file-copying tool to the network devices. It works the same way, but this updated version also displays progress information on screen. He ran it using the domain administrator's credentials, and the file copied to all devices was specifically created for this attack (AA1B645E51E0D1DCFAC0A46FE081D3D8). Its purpose is to delete any backups that might exist on any of the devices.

Lastly, having laid all the groundwork for the attack, the hacker copied the malware's coup de grâce: a ransomware (133ED82A35C6AC0203932BE29C0A1990). Developed using .NET, it works just like any other attack of this kind, encrypting all kinds of documents and self-deleting once it has finished the task. One of the parameters it receives is the public key that it uses in conjunction with the private key to encrypt the files with the AES algorithm.

Conclusion: cyber-attacks are now “made to order”

We're dealing with a customised attack whose aim is to hijack all of the information stored on company workstations and servers. In other words, hijack the company, leaving it completely paralysed. If there are companies willing to pay hundreds of dollars to recover the information of a single computer, we can get an idea of how high the ransom can end up being when the whole company has been hijacked. We're talking of sums in the tens of thousands, at least.

In this particular case, the attackers were unable to complete their objective, since the computers were protected and could not be infected and their data was safe.

In this proverbial war where cyber-criminals are continually after financial gain from anybody, we are seeing a rise in hacker special forces that target companies. Their attacks are specifically tailored to their target, studying the victim and adapting to the infrastructure and defenses they encounter on the way. Until very recently this type of attack was only seen being carried out against large companies that belonged to strategic sectors, or those in which they could scoop the highest profits.

Today, such attacks are becoming popular, and while large companies are better prepared to deal with these threats, few SMEs are aware of the risks they face.

It is our responsibility as security companies to publicise the attacks we witness and build awareness so that those in charge of SMEs can take appropriate action before it is too late.

Contributed by Luis Corrons, technical director of PandaLabs, Panda Security

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.