Norwegian firm attack likely through Microsoft Active Directory: claim

The Windows network at the Norwegian aluminium maker Norsk Hydro was probably infiltrated by attackers who planted the LockerGoga ransomware using something like scheduled tasks or services in Microsoft's Active Directory, a British security expert says.

Kevin Beaumont, who followed the whole episode of infection and also looked carefully at the company's response, said in a detailed blog post that his speculation about the route into the Norsk Hydro system was backed up by an assessment by the NorCERT, the computer emergency response team in Norway.

For this, the attackers needed remote access, and how they gained this was a puzzle that Beaumont said the company could help solve by releasing some of the incident response information later as it would help protect other companies from a similar intrusion.

Beaumont noted that a few weeks before the Hydro calamity he had pointed out that, despite a LockerGoga attack on the French firm Altran in January, most endpoint anti-malware products still could not detect this strain.

"I actually detonated the ransomware myself on several real world endpoints (in isolated fashion — as you’ll learn later it doesn’t self-replicate too) and I couldn’t find an endpoint security tool which actually triggered a detection (although Cisco’s ThreatGrid sandbox technology did classify it as Generic Ransomware)," he wrote.

Norsk Hydro announced on Wednesday that it had been hit by the Windows ransomware late on Monday evening. The company provided a steady stream of information about what had happened and held regular media briefings about its progress in sorting things out.

On Thursday, the firm said it had called in experts from Microsoft and other security partners to help get business critical systems back to normal.

Beaumont said that once inside the Hydro network, the attackers must have had Domain Admin rights to carry out their plan.

"Usually in companies it is extremely easy to get this access, despite the industry hard selling a range of privileged access management tools, by simply:

  • "fishing logins out of memory using Mimikatz
  • "taking passwords from Active Directory Group Policy Preferences — they’re often right there in the XML files. It’s the go to, bread and butter of ‘Red Teams’.
  • "Pass The Hash attacks and surf around the entire network using the same local administrator passwords because almost nobody deploys Microsoft Local Administrator Password Solution."

Once an attacker had become an Active Directory administrator, it was possible to place the ransomware executable somewhere that every system in the organisation could reach and have it run from there. Under normal circumstances, a firm's internal firewalls allow Active Directory traffic everywhere, so nothing on the network path blocks the deployment.

"Bingo, you have the keys to the kingdom – the only thing stopping you now is security controls around endpoint malware, and as we already established those won’t detect LockerGoga at the time of the attack," Beaumont said.
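The Group Policy Preferences problem Beaumont mentions is easy to audit from the defender's side, because the credential always sits in a `cpassword` attribute inside a handful of known XML files under SYSVOL (Microsoft published the fixed encryption key with MS14-025, so any surviving `cpassword` is effectively plaintext). The script below is an added example, not code from the article or from Hydro's responders: it walks a SYSVOL-style tree and lists every Preference item that still carries a stored credential. The directory layout, GPO GUID and file contents it builds are constructed for the demonstration.

```python
"""Audit Group Policy Preference XML files for stored credentials.

Added example (not from the article): walk a SYSVOL-like directory tree and
report every Preference element that carries a non-empty ``cpassword``
attribute. Any hit is a credential leak; the fix is to remove the password
from the GPO and deploy local admin passwords with LAPS instead.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files whose items may carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}


def find_cpassword(root_dir):
    """Return [(path, element tag, account name)] for every element under
    root_dir that has a non-empty cpassword attribute."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed file: skip it rather than abort the audit
            for elem in tree.iter():
                if elem.get("cpassword"):
                    # The account attribute name varies by preference type.
                    who = (elem.get("userName") or elem.get("accountName")
                           or elem.get("runAs") or "<unknown>")
                    findings.append((path, elem.tag, who))
    return findings


def build_sample_sysvol():
    """Create a throwaway SYSVOL-like tree (constructed data): one Groups.xml
    that leaks a local admin password and one clean ScheduledTasks.xml.
    Returns the root path."""
    root = tempfile.mkdtemp(prefix="sysvol_demo_")
    gpo = os.path.join(root, "Policies", "{DEMO-GPO-GUID}",
                       "Machine", "Preferences")
    os.makedirs(os.path.join(gpo, "Groups"))
    os.makedirs(os.path.join(gpo, "ScheduledTasks"))
    with open(os.path.join(gpo, "Groups", "Groups.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n'
                '<Groups><User name="LocalAdmin">'
                '<Properties action="U" userName="LocalAdmin" '
                'cpassword="NOTAREALCIPHERTEXT=="/>'   # placeholder value
                '</User></Groups>')
    with open(os.path.join(gpo, "ScheduledTasks", "ScheduledTasks.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n'
                '<ScheduledTasks><Task name="Cleanup">'
                '<Properties action="C" runAs="NT AUTHORITY\\SYSTEM"/>'
                '</Task></ScheduledTasks>')
    return root


if __name__ == "__main__":
    demo_root = build_sample_sysvol()
    for path, tag, account in find_cpassword(demo_root):
        print(f"stored credential for {account!r} in <{tag}> at {path}")
```

On a real domain the function would be pointed at `\\<domain>\SYSVOL\<domain>\Policies`; the point of the check is that it reports presence only and never attempts to decrypt anything.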

Detailing the impact of LockerGoga, he said:

  • "It ends up using every CPU core and thread during encryption and is very, very fast. This is because it spawns hundreds of executables for encryption. Within a few minutes, an average system is toast.
  • "Additionally, some technical blogs mention a list of file types that are encrypted which only includes things like Office files — I can say first-hand that it also encrypts system files such as .DLL files across the C: drive. Since it is deployed as administrator level using Active Directory, it has full control of all files.
  • "It depends on the version being run (on VirusTotal you can see different LockerGoga executables with different features) but newer versions use netsh.exe to disable all network cards after encryption is done.
  • "It then changes every local administrator account password.
  • "It then logs you off, using logoff.exe."
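The traits Beaumont lists (a burst of encryption processes, then netsh disabling the network adapters, a local account password reset and logoff.exe) are all visible in process-creation telemetry, which is where a defender can catch the infection even when the file itself evades anti-malware. The script below is an added example, not from the article or from Hydro: it runs a few behavioural rules over process-creation records in a simplified, constructed tab-separated format and flags hosts that show the spawn burst together with at least one post-encryption action. The burst threshold, the time window and the placeholder executable name are assumptions.

```python
"""Behavioural detection for the LockerGoga traits described in the article.

Added example (not from the article). Records are constructed, Sysmon-like
lines: 'timestamp<TAB>host<TAB>parent_image<TAB>image<TAB>command_line'.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 50   # assumption; the article says "hundreds" of spawns


def parse(line):
    """Split one constructed record into a dict; strings are lower-cased."""
    ts, host, parent, image, cmd = line.rstrip("\n").split("\t", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "parent": parent.lower(), "image": image.lower(),
            "cmd": cmd.lower()}


def rule_netsh_disable(ev):
    """netsh.exe used to disable a network interface."""
    return (ev["image"].endswith("netsh.exe")
            and "interface" in ev["cmd"] and "disable" in ev["cmd"])


def rule_local_pw_change(ev):
    """'net user <name> <password>' style local account password reset."""
    if not ev["image"].endswith(("net.exe", "net1.exe")):
        return False
    parts = ev["cmd"].split()
    return (len(parts) >= 4 and parts[1] == "user"
            and not parts[3].startswith("/"))


def rule_logoff(ev):
    return ev["image"].endswith("logoff.exe")


RULES = (("netsh_disable", rule_netsh_disable),
         ("local_pw_change", rule_local_pw_change),
         ("logoff", rule_logoff))


def detect(lines):
    """Return {host: sorted rule names} for every host with at least one hit."""
    events = sorted((parse(l) for l in lines), key=lambda e: (e["host"], e["ts"]))
    hits = defaultdict(set)
    spawn_times = defaultdict(list)   # (host, parent) -> timestamps in window
    for ev in events:
        win = spawn_times[(ev["host"], ev["parent"])]
        win.append(ev["ts"])
        while win and ev["ts"] - win[0] > BURST_WINDOW:
            win.pop(0)
        if len(win) >= BURST_THRESHOLD:
            hits[ev["host"]].add("spawn_burst")
        for name, rule in RULES:
            if rule(ev):
                hits[ev["host"]].add(name)
    return {h: sorted(r) for h, r in hits.items()}


def suspicious_hosts(lines):
    """Hosts with a spawn burst plus at least one post-encryption action."""
    post = {name for name, _ in RULES}
    return sorted(h for h, r in detect(lines).items()
                  if "spawn_burst" in r and post & set(r))


def sample_log():
    """Constructed records: WS01 shows the full pattern, WS02 only an
    administrator disabling a NIC by hand (benign on its own)."""
    def rec(ts, host, parent, image, cmd):
        return "\t".join([ts.isoformat(), host, parent, image, cmd])

    base = datetime(2019, 3, 18, 23, 40, 0)
    locker = r"c:\users\public\locker-demo.exe"    # placeholder, not a real IoC
    sys32 = r"c:\windows\system32"
    rows = [rec(base + timedelta(milliseconds=200 * i), "WS01", locker, locker,
                "locker-demo.exe --worker %d" % i) for i in range(120)]
    t = base + timedelta(seconds=40)
    rows.append(rec(t, "WS01", locker, sys32 + r"\netsh.exe",
                    'netsh interface set interface "Ethernet" admin=disable'))
    rows.append(rec(t + timedelta(seconds=1), "WS01", locker, sys32 + r"\net.exe",
                    "net user Administrator Xk9!demoPass"))
    rows.append(rec(t + timedelta(seconds=2), "WS01", locker,
                    sys32 + r"\logoff.exe", "logoff.exe"))
    rows.append(rec(base, "WS02", sys32 + r"\cmd.exe", sys32 + r"\netsh.exe",
                    'netsh interface set interface "Wi-Fi" admin=disable'))
    return rows


if __name__ == "__main__":
    log = sample_log()
    print(detect(log))             # per-host rule hits
    print(suspicious_hosts(log))   # ['WS01']
```

The burst rule on its own is noisy (build servers and backup jobs also spawn many children quickly), which is why the verdict requires it to be paired with one of the post-encryption actions; a single netsh call from an administrator's cmd.exe, as on WS02, is reported but not escalated.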

Beaumont was full of praise for the way Norsk Hydro had managed the incident. "Organisations should look at how Hydro disclosed and dealt with the issue so far in the public arena," he said.

"It looks like it may be a textbook example of how incident response should be done, with transparency and openness. Not only the public and media perception went well, but the business end went well too – people didn’t sell off shares because they felt genuinely informed and that Hydro had a dire situation under control."


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
