Cyber criminals are notoriously relentless and unforgiving in their quest to exploit vulnerabilities through ever-evolving tactics. Organisations may believe that their security frameworks are robust, but when confronted with unprecedented attack methods, nobody is entirely immune to infiltration.
Earlier this year, a multinational agriculture company learnt this the hard way when it fell victim to the Akira ransomware group, which escalated privileges using a novel technique for extracting domain credentials. S-RM's Incident Response team was called in and quickly identified Akira as the group behind the breach. Because the technique was not a known pattern and ran at the hypervisor layer rather than inside monitored guests, the company's conventional security controls did not detect it, giving the attackers ample time to move through the network, exfiltrate data and inflict damage.
Who are Akira?
Since emerging onto the cyber scene in March last year, Akira has set its sights on small-to-medium-sized organisations across North America, Europe and Australia. The group's Tactics, Techniques and Procedures (TTPs) typically involve gaining initial access through the target organisation's VPN, either with compromised credentials or by exploiting vulnerabilities in the VPN software itself.
Laying the foundations for privilege escalation
As is often the case when Akira is involved, the initial breach was traced to the company's VPN. Here the entry point was an unpatched VPN appliance that accepted single-factor authentication, which handed the attackers a foothold on the internal network and laid the foundations for a full-blown attack.
Once connected to the network via the VPN, Akira exploited a remote code execution vulnerability in the company's VMware vCenter Server that allowed an unauthenticated attacker to upload a web shell to the vulnerable endpoint. From the web shell the threat actor launched a reverse shell, giving them interactive remote access to the vCenter server.
With control of vCenter, the attackers created a new virtual machine on one of the company's VMware ESXi hypervisors. Because this machine was built by the attackers rather than provisioned by the company, it sat outside the reach of the organisation's Endpoint Detection and Response tooling, giving Akira a system on the internal network from which to operate undetected.
Privilege escalation and gaining full control
Local administrator rights on the newly spawned VM were not enough: Akira wanted domain-level access for lateral movement. Their approach was to extract credentials from NTDS.dit, the Active Directory database that resides on every domain controller and stores user account data, including password hashes. While a domain controller is running, NTDS.dit is held open exclusively by the directory service, and the password hashes inside it are encrypted with a key derived from the boot key stored in the SYSTEM registry hive. Dumping hashes from a live domain controller therefore normally requires administrative privileges on that domain controller.
Akira sidestepped these protections with a novel sequence of steps carried out at the hypervisor layer rather than inside the domain controller. First, the threat actor briefly powered down the domain controller's virtual machine and copied its VMDK virtual disk files to a separate directory on the datastore. They then attached the copied virtual disks to their newly created VM, where the domain controller's file system could be read offline, with no running directory service to lock NTDS.dit and no endpoint agent to observe the access.
From the mounted disk Akira copied and compressed the NTDS.dit file with 7-Zip and exfiltrated it together with the SYSTEM hive. With the boot key from the SYSTEM hive, the hashes in NTDS.dit can be decrypted offline, after which Akira would have been able to crack them or use them directly for 'pass-the-hash' authentication. By following this route to NTDS.dit, Akira compromised a highly privileged domain administrator account.
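Nothing in the steps above runs inside the domain controller, so guest-level logging sees none of it; the trail is in vCenter's own event stream. The Python script below is an added example, not S-RM's tooling or detection content. It walks a list of vCenter events looking for a domain controller being powered off and its VMDK then being attached to a different VM, and raises the severity when that target VM was itself created shortly beforehand. The event records, the DC names `dc01` and `dc02`, the VM name `tmp-host01` and the `disk added:` detail string are all constructed for the example; real vSphere `VmReconfiguredEvent` records carry the disk change in a structured configSpec rather than this simplified text, and the look-back windows are assumptions to tune for your environment.

```python
"""Hunt vCenter events for a domain controller's disk being mounted on another VM."""
import re
from datetime import datetime, timedelta

# Assumptions for the example: these VM names are the domain controllers.
DOMAIN_CONTROLLERS = {"dc01", "dc02"}
POWEROFF_WINDOW = timedelta(hours=2)   # look-back for the DC being powered off first
NEW_VM_WINDOW = timedelta(hours=24)    # "recently created" threshold for the target VM

# Constructed sample event stream (not real telemetry). Real vSphere events of
# these types carry the disk change in a structured configSpec; the 'detail'
# text here is a simplified stand-in for that.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T22:00:00", "type": "VmPoweredOffEvent", "vm": "app02",
     "user": "corp\\vmadmin", "detail": ""},
    {"time": "2024-03-02T01:12:04", "type": "VmCreatedEvent", "vm": "tmp-host01",
     "user": "vsphere.local\\administrator", "detail": ""},
    {"time": "2024-03-02T01:20:31", "type": "VmPoweredOffEvent", "vm": "dc01",
     "user": "vsphere.local\\administrator", "detail": ""},
    {"time": "2024-03-02T01:24:09", "type": "VmReconfiguredEvent", "vm": "tmp-host01",
     "user": "vsphere.local\\administrator",
     "detail": "disk added: [datastore1] staging/dc01.vmdk"},
    {"time": "2024-03-02T01:24:40", "type": "VmPoweredOnEvent", "vm": "tmp-host01",
     "user": "vsphere.local\\administrator", "detail": ""},
    {"time": "2024-03-02T01:58:00", "type": "VmPoweredOnEvent", "vm": "dc01",
     "user": "vsphere.local\\administrator", "detail": ""},
    # Benign: a DC gets a second disk of its own during routine maintenance.
    {"time": "2024-03-02T09:30:00", "type": "VmReconfiguredEvent", "vm": "dc02",
     "user": "corp\\vmadmin", "detail": "disk added: [datastore1] dc02/dc02_1.vmdk"},
]

DISK_ADDED_RE = re.compile(r"disk added: \[(?P<datastore>[^\]]+)\] (?P<path>\S+\.vmdk)", re.I)


def _parse(events):
    """Convert timestamps and sort chronologically."""
    parsed = [{**e, "time": datetime.fromisoformat(e["time"])} for e in events]
    return sorted(parsed, key=lambda e: e["time"])


def _dc_named_in(path):
    """Return the DC whose name appears as the disk's file stem or folder, else None."""
    lowered = "/" + path.lower()
    stem = lowered.rsplit("/", 1)[-1].rsplit(".vmdk", 1)[0]
    for dc in DOMAIN_CONTROLLERS:
        d = dc.lower()
        if stem == d or stem.startswith(d + "_") or f"/{d}/" in lowered:
            return dc
    return None


def find_dc_disk_reattachment(events):
    """Flag a DC's VMDK being attached to any VM other than that DC."""
    evs = _parse(events)
    findings = []
    for e in evs:
        if e["type"] != "VmReconfiguredEvent":
            continue
        m = DISK_ADDED_RE.search(e["detail"])
        if not m:
            continue
        dc = _dc_named_in(m["path"])
        if dc is None or e["vm"].lower() == dc.lower():
            continue  # no DC disk involved, or the DC's own disk going back onto the DC
        indicators = ["dc_disk_attached_to_other_vm"]
        # A consistent copy needs the DC shut down first: was it powered off recently?
        if any(p["type"] == "VmPoweredOffEvent" and p["vm"].lower() == dc.lower()
               and e["time"] - POWEROFF_WINDOW <= p["time"] <= e["time"] for p in evs):
            indicators.append("dc_powered_off_beforehand")
        # Attacker-built VMs are new; a freshly created target VM is a strong signal.
        if any(c["type"] == "VmCreatedEvent" and c["vm"] == e["vm"]
               and e["time"] - NEW_VM_WINDOW <= c["time"] <= e["time"] for c in evs):
            indicators.append("target_vm_recently_created")
        findings.append({
            "time": e["time"].isoformat(), "dc": dc, "target_vm": e["vm"],
            "user": e["user"], "disk": m["path"], "indicators": indicators,
            "severity": "high" if len(indicators) == 3 else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_dc_disk_reattachment(SAMPLE_EVENTS):
        print(finding)
```

On the constructed stream the script returns a single high-severity finding for `tmp-host01` and ignores the maintenance disk added to `dc02`, because a DC receiving its own disk is the only legitimate reason for a DC-named VMDK to appear in a reconfigure event. The same power-off, copy and reattach pattern is visible from ESXi host logs (hostd and vmkernel) even when vCenter itself is compromised, which matters here because the attackers held vCenter and could in principle have tampered with its event database.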
With elevated privileges attained, Akira moved swiftly across the network, compromising additional user accounts, exfiltrating data and deploying ransomware, all in under six hours.
Exploiting privilege escalation for ransomware deployment
Akira deployed the ransomware in two ways: over network shares and through the remote backup service. Specifically, the threat actor leveraged the legitimate Veritas Backup Exec agent process 'beremote.exe' to launch a ransomware binary with a randomly generated eight-character filename on the servers where the backup agent was installed. Using backup infrastructure to deploy ransomware is unusual, as cyber criminals more often aim to destroy backups to render recovery efforts ineffective. Here, however, the backup service was already a trusted part of the organisation's environment, so it likely served as a means of bypassing security controls that would have blocked an unfamiliar remote-execution tool.
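One detection that follows directly from this behaviour is to watch for the backup agent spawning executables it has no reason to run. The Python rule below is an added example, not S-RM's detection content, and runs over constructed process-creation records in a simplified Windows 4688 / Sysmon Event ID 1 shape. The hostnames and paths, the writable-directory list and the allowlist are assumptions for the example. Each child process is scored on whether its name is eight alphanumeric characters, whether it runs from a user-writable location, and whether its parent is beremote.exe; the last of these turns any hit into a high-severity finding.

```python
"""Flag suspicious child processes of the Backup Exec agent (beremote.exe)."""
import ntpath
import re

# Constructed process-creation records (not real telemetry), reduced to the
# three fields the rule needs.
SAMPLE_PROCESS_EVENTS = [
    {"host": "fs01", "parent_image": r"C:\Program Files\Veritas\Backup Exec\RAWS\beremote.exe",
     "image": r"C:\Windows\Temp\x7k2q9fm.exe"},
    {"host": "sql02", "parent_image": r"C:\Program Files\Veritas\Backup Exec\RAWS\beremote.exe",
     "image": r"C:\ProgramData\bq4m8t2z.exe"},
    # Benign: the agent running a Windows utility from System32 (name is 8 chars too).
    {"host": "fs01", "parent_image": r"C:\Program Files\Veritas\Backup Exec\RAWS\beremote.exe",
     "image": r"C:\Windows\System32\vssadmin.exe"},
    # Random-looking name from a download folder, but an unrelated parent.
    {"host": "ws17", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\jsmith\Downloads\a1b2c3d4.exe"},
    # Ordinary user activity.
    {"host": "ws17", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
]

BACKUP_AGENTS = {"beremote.exe"}  # assumption: the Backup Exec agent binary name
# Eight alphanumeric characters plus .exe, the naming pattern described in the article.
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}\.exe$", re.IGNORECASE)
# Locations a backup agent should never be launching fresh executables from (assumed list).
WRITABLE_PREFIXES = (r"c:\windows\temp", r"c:\programdata", r"c:\users", r"c:\temp")
# Legitimate binaries that happen to have eight-character names (assumed list).
ALLOWLIST = {"vssadmin.exe"}


def _basename(path):
    return ntpath.basename(path).lower()


def assess_process_event(ev):
    """Return a finding dict for a suspicious process-creation record, or None."""
    parent = _basename(ev["parent_image"])
    child = _basename(ev["image"])
    image_dir = ntpath.dirname(ev["image"]).lower()

    indicators = []
    if RANDOM_NAME_RE.match(child) and child not in ALLOWLIST:
        indicators.append("eight_char_random_name")
    if image_dir.startswith(WRITABLE_PREFIXES):
        indicators.append("launched_from_writable_path")
    if not indicators:
        return None  # nothing odd about the binary itself

    from_backup_agent = parent in BACKUP_AGENTS
    if from_backup_agent:
        indicators.append("spawned_by_backup_agent")
    severity = "high" if from_backup_agent else ("medium" if len(indicators) == 2 else "low")
    return {"host": ev["host"], "image": ev["image"], "parent": parent,
            "indicators": indicators, "severity": severity}


def hunt(events):
    """Apply the rule to every record and return the findings in input order."""
    return [f for f in (assess_process_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_PROCESS_EVENTS):
        print(finding)
```

On the constructed records the rule yields two high-severity findings (fs01 and sql02, both children of beremote.exe) and one medium finding for the download on ws17, while the agent's own call to vssadmin.exe and the notepad launch produce nothing. The parent-process condition is the important part: a backup agent legitimately touches many files but rarely executes new binaries, so that ancestry alone is worth alerting on even when the filename happens not to match the eight-character pattern.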
Lessons learned
Akira’s exploits serve as a stark reminder that attackers are constantly looking for vulnerabilities and will punish existing weaknesses in a ruthless manner. Cyber criminals excel at innovation and adaptability. If cracks exist, you can be sure they will find a way through.
Taking a proactive approach is the best way to build a robust defence. Organisations need to keep security current both at the external perimeter, such as the VPN appliance in this case, and on in-network infrastructure such as vCenter. Regular security updates and a robust patch management process are good practice for staying one step ahead of cyber criminals. This not only helps to stop rapid lateral movement across the network but also buys extra time to respond effectively to threats.
Other measures, such as multi-factor authentication on remote access, a consistent patching policy and regular security assessments, can also go a long way towards reducing the risk of falling victim to ransomware attacks like the one Akira carried out at the beginning of the year.
Above all else, this attack is evidence that companies are locked in a constant battle to keep attackers at bay. Cyber criminals aren't about to let up in their efforts to take advantage of any weakness. Fending them off is a question of matching their efforts, and more, when it comes to regularly strengthening your defence framework.
By Jamie Smith, Global Head of Cyber Security Services at S-RM