Unmonitored ghost account allowed Nefilim hackers to siphon off a month of data

[German] When it comes to computer security, the devil is often in the details. A deceased employee whose account still existed and was not monitored enabled a ransomware group to siphon off data from a system undetected for a month. But also involved were Citrix products with serious vulnerabilities that allowed the Nefilim group's attackers to reach the Active Directory structures of the corporate network via an administrator account.


Security vendor Sophos recently published this case as an object lesson in what can go wrong. I came across it via the following tweet from Threatpost, which summarized the case in this article. For the cybercriminals, the ghost account was something of a jackpot.


Sophos published the analysis on January 26, 2021 in the post Nefilim Ransomware Attack Uses "Ghost" Credentials. A victim had contacted Sophos's Rapid Response team because more than 100 of its systems had been encrypted in a Nefilim ransomware attack. The Nefilim group's tactic is to exfiltrate as many of the victim's files as possible before encrypting them, so that it can extort the victim with the threat of publishing the data if the ransom isn't paid.

The Nefilim ransomware attack at issue, with more than 100 systems affected, stemmed from the compromise of an unmonitored account belonging to an employee who had died three months earlier, security researchers said. But the analysis reads as a chain of security problems at the victim's end.

Citrix vulnerabilities as a point of entry

Sophos researcher Michael Heller reported that this victim was compromised via serious, exploited vulnerabilities in Citrix software. Sophos forensic analysis revealed that the Citrix StoreFront 7.15 CU3 installed at the company was vulnerable to one known critical security flaw (CVE-2019-11634) and four high-severity issues (CVE-2019-13608, CVE-2020-8269, CVE-2020-8270, CVE-2020-8283) at the time of the incident. StoreFront is an enterprise app store from which employees can download approved apps.


Ghost account as the first entry point

The team believes this was almost certainly the original entry point into the victim's network. Through the deceased employee's unmonitored and otherwise unused account, the cybercriminals gained access to an administrator account. After getting in through the Citrix installation, they also used Remote Desktop Protocol (RDP) logins to maintain remote access via the administrator account used for the attack.

Mimikatz to access the "DC" as the jackpot

For lateral movement in the corporate network, the attackers used Mimikatz. With this tool they were able to enumerate and read the credentials stored on the system, and they then managed to compromise a domain administrator account. That was the jackpot, because a domain administrator can edit information in Windows Active Directory and change the configuration of Active Directory servers (e.g., create new users or change permissions).

The Rapid Response investigation discovered PowerShell commands, and forensic investigators determined that the Nefilim ransomware binaries were deployed using Windows Management Instrumentation (WMI) through the compromised domain administrator account. RDP and Cobalt Strike were also used to move laterally to multiple hosts and explore the network, the analysis said. The hackers then installed the file transfer and synchronization application MEGA to siphon off data.

In total, the Nefilim operators were on the victim's network for about a month, often carrying out their activities in the middle of the night to avoid detection. The intrusion only came to light when the Nefilim cybercriminals finally launched the ransomware itself to encrypt the files on those systems.
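The three signals this case leaves in logon records (a departed employee's account still logging on, a dormant account suddenly active again, and RDP logons in the middle of the night) can be checked mechanically. The following is an added example, not code from Sophos or this blog; the event records, the HR departure feed and the account names are constructed, and the thresholds are assumptions.

```python
from datetime import datetime, timedelta

DORMANT_DAYS = 90           # an account silent this long is treated as stale (assumed)
NIGHT_HOURS = range(0, 6)   # 00:00-05:59 local time counts as off-hours (assumed)
RDP_LOGON_TYPE = 10         # RemoteInteractive (RDP) logon type in Windows event 4624

# Constructed sample 4624-style records: (timestamp, account, logon type, source)
EVENTS = [
    ("2020-10-01 09:30:00", "ghost.acct", 2, "WS-04"),      # last logon while alive
    ("2020-12-20 09:12:00", "jdoe", 2, "WS-17"),
    ("2021-01-04 02:41:00", "ghost.acct", 10, "10.0.0.55"),  # months later, RDP, at night
    ("2021-01-04 14:10:00", "jdoe", 10, "WS-17"),
    ("2021-01-05 03:05:00", "admin01", 10, "10.0.0.55"),
]

# Constructed HR feed (hypothetical): accounts whose owner has left, and when
DEPARTED = {"ghost.acct": "2020-10-03"}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_suspicious_logons(events, departed, dormant_days=DORMANT_DAYS):
    """Return [(timestamp, account, [reasons])] for logons that deserve review."""
    last_seen = {}
    findings = []
    for ts, account, logon_type, src in sorted(events, key=lambda e: e[0]):
        when = parse(ts)
        reasons = []
        # 1. The account's owner left (or died) but the account was never disabled.
        left = departed.get(account)
        if left is not None and when > parse(left + " 00:00:00"):
            reasons.append(f"logon after recorded departure on {left}")
        # 2. A long-dormant account suddenly becomes active again.
        prev = last_seen.get(account)
        if prev is not None and when - prev > timedelta(days=dormant_days):
            reasons.append(f"dormant account reactivated after {(when - prev).days} days")
        # 3. RDP logon in the middle of the night, when the operators were active.
        if logon_type == RDP_LOGON_TYPE and when.hour in NIGHT_HOURS:
            reasons.append(f"RDP logon at {when:%H:%M} from {src}")
        if reasons:
            findings.append((ts, account, reasons))
        last_seen[account] = when
    return findings


if __name__ == "__main__":
    for ts, account, reasons in find_suspicious_logons(EVENTS, DEPARTED):
        print(ts, account, "; ".join(reasons))
```

On the sample data the ghost account's night-time RDP logon trips all three checks, while the later admin logon trips only the off-hours RDP check; an account that never logged on before is not flagged as dormant, so a departure feed is still needed to catch it.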


This entry was posted in Security.
