9:55am, 16 June 2020
Active ransomware campaign leveraging remote access technologies
We are aware of attackers accessing organisations’ networks through remote access systems such as remote desktop protocol (RDP) and virtual private networks (VPN), as a way to create ransomware attack opportunities. They are gaining access through weak passwords, organisations not using multi-factor authentication as an extra layer of security, or a remote access system that isn’t patched.
The current attacks are believed to be sophisticated and well crafted. These attacks can have severe impacts on business operations, including data being stolen and sold. Recovery from these attacks requires significant investment to fully investigate and remediate the compromised network, and to restore encrypted files from backup.
What's happening
Systems affected
Attackers access an organisation's network through vulnerable remote access technologies. This could be through:
- unpatched software,
- weak authentication, or
- lack of multi-factor authentication (MFA).
From there, any system on the network may be affected. Citrix remote access technologies have been reported as a common way for attackers to gain access.
What this means
Once an attacker gains a foothold through the remote access system, they then use tools such as mimikatz, psexec, and Cobalt Strike to elevate privileges, move laterally across a network, and establish persistence on the network.
The attacker identifies and extracts sensitive information from the network and encrypts files. Nefilim ransomware has commonly been used, but other ransomware can also be used. Once the attacker has the information they want, they attempt to sell it or release it publicly.
Due to the level of access gained before deploying ransomware, simply restoring data from backup won’t resolve the issue. Remediation will require in-depth investigation of all compromised or potentially compromised systems to fully eradicate the attacker, and to identify the security improvements necessary to prevent another attack.
What to look for
How to tell if you're at risk
Any network that does not have appropriately secure remote access is at risk.
How to tell if you're affected
Check your remote access systems for any sign of unauthorised access. If any unauthorised access is detected, further investigation will be required to determine any lateral movement across the network.
If an attack has progressed to the ransomware phase, Nefilim ransomware may leave the following indicators of compromise (IOCs):
- files with a .NEFILIM extension
- a file called NEFILIM-DECRYPT.txt may be placed on affected systems
- batch files created in C:\Windows\Temp
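As an added illustration (not CERT NZ tooling), the following script walks a filesystem tree and flags the three Nefilim indicators listed above. It is written in Python so it runs anywhere; the sample tree it scans is constructed inline, and the function and file names are the author's own assumptions.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the advisory above (hypothetical scanner, not CERT NZ tooling)
RANSOM_EXTENSION = ".nefilim"
RANSOM_NOTE = "nefilim-decrypt.txt"
TEMP_DIR_NAME = os.path.join("windows", "temp")  # corresponds to C:\Windows\Temp


def scan_for_nefilim_iocs(root):
    """Walk `root` and return the paths matching each indicator class.
    Matching is case-insensitive because NTFS file names are."""
    findings = {"encrypted_files": [], "ransom_notes": [], "temp_batch_files": []}
    root = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        # Directory relative to the scanned root, e.g. "Windows/Temp" on a drive root
        rel_dir = os.path.relpath(dirpath, root).lower()
        for name in filenames:
            lname = name.lower()
            full = os.path.join(dirpath, name)
            if lname.endswith(RANSOM_EXTENSION):
                findings["encrypted_files"].append(full)
            elif lname == RANSOM_NOTE:
                findings["ransom_notes"].append(full)
            elif lname.endswith(".bat") and rel_dir.endswith(TEMP_DIR_NAME):
                # Batch files only count when they sit in the Windows temp directory
                findings["temp_batch_files"].append(full)
    return findings


def build_sample_tree():
    """Constructed sample tree mimicking a drive root, for offline demonstration."""
    base = Path(tempfile.mkdtemp())
    (base / "Users" / "alice" / "Documents").mkdir(parents=True)
    (base / "Windows" / "Temp").mkdir(parents=True)
    (base / "Users" / "alice" / "Documents" / "report.docx.NEFILIM").write_text("x")
    (base / "Users" / "alice" / "NEFILIM-DECRYPT.txt").write_text("note")
    (base / "Windows" / "Temp" / "run.bat").write_text("@echo off")
    (base / "Windows" / "Temp" / "harmless.log").write_text("ok")  # not an IOC
    (base / "Users" / "alice" / "script.bat").write_text("rem not in Temp")  # not an IOC
    return base


if __name__ == "__main__":
    for category, paths in scan_for_nefilim_iocs(build_sample_tree()).items():
        print(f"{category}: {len(paths)} hit(s)")
```

A hit on any of these indicators means the attacker already had broad access; per the advisory, treat it as a trigger for a full investigation rather than a cleanup of the flagged files.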
The following public reporting includes IOCs specific to Nefilim ransomware:
What to do
Prevention
Ensure that all remote access systems are:
- up-to-date with security patches
- strictly enforcing strong authentication (strong passwords and MFA).
Mitigation
CERT NZ Critical Controls such as network segmentation and application whitelisting can mitigate the impact of such an attack, by making it harder for an attacker to move around your network. Well-configured backups are essential to recovery from any ransomware attack.
More information
Advisory: exploitation of Citrix remote access systems
If you require more information or further support, submit a report on our website.
Report an incident to CERT NZ
For media enquiries, email our media desk at media@mbie.govt.nz or call the MBIE media team on 027 442 2141.