Kevin Beaumont, who followed the whole episode of infection and also looked carefully at the company's response, said in a detailed blog post that his speculation about the route into the Norsk Hydro system was backed up by an assessment by the NorCERT, the computer emergency response team in Norway.
For this, the attackers needed remote access, and how they gained this was a puzzle that Beaumont said the company could help solve by releasing some of the incident response information later as it would help protect other companies from a similar intrusion.
Beaumont noted that a few weeks before the Hydro calamity, he had pointed out that despite a LockerGoga attack on a French firm, Altran, in January, most endpoint security anti-malware solutions could not detect this strain.
Norsk Hydro announced on Wednesday that it had been hit by the Windows ransomware late on Monday evening. The company provided a steady stream of information about what had happened and held regular media briefings about its progress in sorting things out.
On Thursday, the firm said it had called in experts from Microsoft and other security partners to help get business critical systems back to normal.
Nice find, fully undetected on VirusTotal ransomware. Digitally signed. https://t.co/qLWBvfi8yH — Kevin Beaumont (@GossiTheDog) March 8, 2019
Beaumont said once inside the Hydro network, the attackers must have had Domain Admin rights to carry out their plan.
"Usually in companies it is extremely easy to get this access, despite the industry hard selling a range of privileged access management tools, by simply:
- "fishing logins out of memory using Mimikatz
- "taking passwords from Active Directory Group Policy Preferences — they’re often right there in the XML files. It’s the go to, bread and butter of ‘Red Teams’.
- "Pass The Hash attacks and surf around the entire network using the same local administrator passwords because almost nobody deploys Microsoft Local Administrator Password Solution."
Once an attacker had become an Active Directory administrator, it was possible to place the ransomware executable somewhere every system in the organisation could reach. Under normal circumstances, a firm's internal firewalls allow Active Directory traffic everywhere.
"Bingo, you have the keys to the kingdom – the only thing stopping you now is security controls around endpoint malware, and as we already established those won’t detect LockerGoga at the time of the attack," Beaumont said.
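The second item in Beaumont's list, passwords sitting in Group Policy Preferences XML, is something a defender can audit directly. The following is an added example, not code from the article or from Beaumont's post: it walks the preference XML files that live under SYSVOL (Groups.xml, Drives.xml, ScheduledTasks.xml and so on) and reports every element that still carries a `cpassword` attribute, which is the real attribute GPP used for stored credentials before Microsoft removed the feature. The sample XML is constructed, the encrypted blob is a placeholder, and the function never decrypts anything; the finding is that a credential is stored there at all.

```python
"""Audit Group Policy Preference XML for stored credentials (cpassword attributes).

Added example; not from the article or from Kevin Beaumont. Reports where a
cpassword attribute exists and which account it targets, without decrypting.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample shaped like Machine\Preferences\Groups\Groups.xml after a
# local account password was set through GPP. The cpassword value is a
# placeholder string, not a real encrypted blob.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin"
        image="2" changed="2019-03-01 10:00:00" uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_ENCRYPTED_BLOB" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
</Groups>
"""

# Constructed sample with no stored credential (the state you want to find).
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">
  <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="H:" status="H:">
    <Properties action="U" thisDrive="NOCHANGE" allDrives="NOCHANGE"
                userName="" path="\\\\fileserver\\home" label="Home" persistent="1"/>
  </Drive>
</Drives>
"""


def find_cpassword(xml_text, source="<memory>"):
    """Return one finding per element that carries a cpassword attribute.

    A finding records the source file, the element tag, the account the item
    targets (userName / accountName / runAs, whichever is present) and the
    'changed' timestamp of the parent preference item. The encrypted value
    itself is deliberately left out of the result.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for parent in root.iter():          # every element, including the root
        for child in parent:            # direct children, so we keep the parent's metadata
            if "cpassword" not in child.attrib:
                continue
            account = (child.attrib.get("userName")
                       or child.attrib.get("accountName")
                       or child.attrib.get("runAs")
                       or "")
            findings.append({
                "source": source,
                "element": child.tag,
                "account": account,
                "changed": parent.attrib.get("changed", ""),
            })
    return findings


def audit_sysvol(policies_root):
    """Walk a Policies directory (e.g. a mounted copy of SYSVOL\\<domain>\\Policies)
    and collect cpassword findings from every XML file under it."""
    findings = []
    for xml_path in Path(policies_root).rglob("*.xml"):
        try:
            text = xml_path.read_text(encoding="utf-8-sig")
            findings.extend(find_cpassword(text, source=str(xml_path)))
        except (ET.ParseError, OSError):
            continue                    # unreadable or non-XML file: skip, do not abort the audit
    return findings


if __name__ == "__main__":
    for f in find_cpassword(SAMPLE_GROUPS_XML, "Groups.xml") + find_cpassword(SAMPLE_DRIVES_XML, "Drives.xml"):
        print(f"{f['source']}: <{f['element']}> stores a password for '{f['account']}' (changed {f['changed']})")
```

Run `audit_sysvol(r"\\dc01\SYSVOL\example.local\Policies")` (placeholder path) from a domain-joined host and every hit is a preference item that should be deleted and the account's password rotated; the fix is to remove the stored credential, not to hide it, because the decryption key for `cpassword` is public.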
Detailing the impact of LockerGoga, he said:
- "It ends up using every CPU core and thread during encryption and is very, very fast. This is because it spawns hundreds of executables for encryption. Within a few minutes, an average system is toast.
- "Additionally, some technical blogs mention a list of file types that are encrypted which only includes things like Office files — I can say first-hand that it also encrypts system files such as .DLL files across the C: drive. Since it is deployed as administrator level using Active Directory, it has full control of all files.
- "It depends on the version being run (on VirusTotal you can see different LockerGoga executables with different features) but newer versions use netsh.exe to disable all network cards after encryption is done.
- "It then changes every local administrator account password.
- "It then logs you off, using logoff.exe."
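The behaviours Beaumont lists (a burst of encryption processes, `netsh.exe` disabling network interfaces, local administrator passwords being changed, then `logoff.exe`) are all visible in process-creation telemetry. The following is an added example, not code from the article or from Beaumont's post: a small detector run over constructed JSON lines shaped like a minimal Sysmon Event ID 1 / Windows 4688 export. The field names, the burst threshold and window, and the executable name in the sample are assumptions for the example. The `netsh` and `logoff.exe` indicators come from the article; the `net user <name> <password>` rule is an added assumption about how a local password reset typically surfaces, not something the article states.

```python
"""Flag the LockerGoga-style host behaviours described above in process-creation logs.

Added example; not from the article or from Kevin Beaumont. Event field names
(ts, pid, ppid, image, cmd) and thresholds are assumptions for this example.
"""
import json
from collections import defaultdict
from datetime import datetime

BURST_THRESHOLD = 20        # assumed: this many children with the same image from one parent
BURST_WINDOW_SECONDS = 60   # assumed: within this many seconds

ENC = r"C:\Users\Public\encryptor.exe"   # constructed file name, not a real indicator


def _event(ts, pid, ppid, image, cmd):
    return json.dumps({"ts": ts, "pid": pid, "ppid": ppid, "image": image, "cmd": cmd})


# Constructed log: one parent fans out 30 encryption children within 30 seconds,
# then disables the NIC, resets a local admin password and logs the user off.
# Two benign events from other parents are included and must not alert.
SAMPLE_LOG = "\n".join(
    [_event(f"2019-03-19T00:10:{i:02d}Z", 5000 + i, 4000, ENC, f"encryptor.exe -w {i}")
     for i in range(30)]
    + [
        _event("2019-03-19T00:12:00Z", 5100, 4000, r"C:\Windows\System32\netsh.exe",
               'netsh.exe interface set interface "Ethernet" admin=disable'),
        _event("2019-03-19T00:12:01Z", 5101, 4000, r"C:\Windows\System32\net.exe",
               "net user Administrator <new-password>"),
        _event("2019-03-19T00:12:02Z", 5102, 4000, r"C:\Windows\System32\logoff.exe",
               "logoff.exe"),
        _event("2019-03-19T00:12:03Z", 5200, 900, r"C:\Windows\System32\netsh.exe",
               "netsh advfirewall show allprofiles"),
        _event("2019-03-19T00:12:04Z", 5201, 1200, r"C:\Windows\System32\notepad.exe",
               "notepad.exe notes.txt"),
    ])


def _parse(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def per_event_rules(ev):
    """Yield the names of single-event rules that this process creation matches."""
    name = _basename(ev["image"])
    cmd = ev["cmd"].lower()
    tokens = cmd.split()
    # netsh interface set interface "<name>" admin=disable(d): NIC torn down after encryption
    if name == "netsh.exe" and "admin=disable" in cmd:
        yield "netsh_interface_disable"
    # net user <account> <password>: a positional password argument, not a /switch
    if (name in ("net.exe", "net1.exe") and len(tokens) >= 4
            and tokens[1] == "user" and not tokens[3].startswith("/")):
        yield "net_user_password_set"
    if name == "logoff.exe":
        yield "forced_logoff"


def detect(text):
    """Return a list of alerts: per-event rule hits plus a burst rule per parent process."""
    events = _parse(text)
    alerts = [{"rule": r, "ppid": ev["ppid"], "pid": ev["pid"], "cmd": ev["cmd"]}
              for ev in events for r in per_event_rules(ev)]
    # Burst rule: many children with the same image from one parent inside the window
    spawns = defaultdict(list)
    for ev in events:
        spawns[(ev["ppid"], _basename(ev["image"]))].append(ev["ts"])
    for (ppid, image), stamps in spawns.items():
        stamps.sort()
        if (len(stamps) >= BURST_THRESHOLD
                and (stamps[-1] - stamps[0]).total_seconds() <= BURST_WINDOW_SECONDS):
            alerts.append({"rule": "mass_process_spawn", "ppid": ppid, "pid": None,
                           "cmd": f"{len(stamps)} x {image} in {(stamps[-1] - stamps[0]).total_seconds():.0f}s"})
    return alerts


def chained_parents(alerts, min_rules=3):
    """Parents that tripped at least min_rules distinct rules: the whole sequence, not one noisy hit."""
    rules_by_parent = defaultdict(set)
    for a in alerts:
        rules_by_parent[a["ppid"]].add(a["rule"])
    return {ppid for ppid, rules in rules_by_parent.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for a in hits:
        print(f"[{a['rule']}] ppid={a['ppid']} pid={a['pid']} cmd={a['cmd']}")
    print("parents matching the full chain:", chained_parents(hits))
```

Any single rule here fires on legitimate administration now and then (help desks run `net user`, engineers disable interfaces), which is why `chained_parents` correlates on the parent process: one process that spawns an encryption burst and then runs all three clean-up commands within minutes is the pattern worth paging on. Because encryption finishes within minutes, the burst rule is the one with any chance of firing before damage is done; the others confirm what happened.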
Beaumont was full of praise for the way Norsk Hydro had managed the incident. "Organisations should look at how Hydro disclosed and dealt with the issue so far in the public arena," he said.
"It looks like it may be a textbook example of how incident response should be done, with transparency and openness. Not only the public and media perception went well, but the business end went well too – people didn’t sell off shares because they felt genuinely informed and that Hydro had a dire situation under control."