Advisories

Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.

Subscribe to our updates above to be notified as soon as we publish an advisory.

9:55am, 16 June 2020

TLP Rating: White

What's happening

Systems affected

Attackers access an organisation's network though vulnerable remote access technologies. This could be by:

  • unpatched software,
  • weak authentication, or
  • lack of multi-factor authentication (MFA).

From there, any system on the network may be affected. Citrix remote access technologies have been reported as a common way for attackers to gain access.

What this means

Once an attacker gains a foothold through the remote access system, they then use tools such as mimikatz, psexec, and Cobalt Strike to elevate privileges, move laterally across a network, and establish persistence on the network.

The attacker identifies and extracts sensitive information from the network and encrypts files. Nefilim ransomware has commonly been used, but other ransomware can also be used. Once the attacker has the information they want they attempt to sell or publicly release the information.

Due to the level of access gained before deploying ransomware, simply restoring data from backup won’t resolve the issue. Remediation will require in-depth investigation of all compromised or potentially compromised systems to fully eradicate the attacker, and to identify the security improvements necessary to prevent another attack.

What to look for

How to tell if you're at risk

Any network that has does not have appropriately secure remote access is at risk. 

How to tell if you're affected

Check your remote access systems for any sign of unauthorised access. If any unauthorised access is detected, further investigation will be required to determine any lateral movement across the network.

If an attack has progressed to the ransomware phase, Nefilim ransomware may leave the following indicators of compromise (IOCs):

  • files with a .NEFILIM extension
  • a file called NEFILIM-DECRYPT.txt may be placed on affected systems
  • batch files created in C:\Windows\Temp

The following public reporting includes IOCs specific to Nefilim ransomware:

What to do

Prevention

Ensure that all remote access systems are:

  • up-to-date with security patches
  • strictly enforcing strong authentication (strong passwords and MFA).

Mitigation

CERT NZ Critical Controls such as network segmentation and application whitelisting can mitigate the impact of such an attack, by making it harder for an attacker to move around your network. Well-configured backups are essential to recovery from any ransomware attack.

Network segmentation

Application whitelisting

More information

Advisory: exploitation of Citrix remote access systems

CERT NZ critical controls

If you require more information or further support, submit a report on our website.

Report an incident to CERT NZ External Link

For media enquiries, email our media desk at media@mbie.govt.nz or call the MBIE media team on 027 442 2141.