True North Networks Blog
How one hacked laptop led to an entire network being compromised
A corporate laptop being used in a coffee shop at a weekend was enough to allow a sophisticated cybercrime group to compromise an organisation's entire infrastructure.
The incident was detailed by cybersecurity firm Crowdstrike as part of its Cyber Intrusion Services Casebook 2018 report and serves as a reminder that laptops and other devices that are secure while running inside the network of an organisation can be left exposed when outside company walls.
Crowdstrike described the company that fell victim to the hackers only as apparel manufacturer "with an extensive global presence, including retail locations".
The incident began when an employee of the manufacturer took their laptop to a coffee shop and used it to visit the website of one of the firm's partners.
The security researchers said the user visited the site after being directed there by a phishing email -- and that the site had been compromised by FakeUpdates, a malware and social engineering campaign affecting thousands of Joomla and Wordpress sites.
The malware shows users pop-ups which claim their browser software needs updating. In this instance, the laptop was then infected with the Dridex banking trojan and the PowerShell Empire post-exploit toolset.
The security software being used by the clothing company -- Crowdstrike didn't name the vendor -- relied on devices being inside the corporate network to pick up threats. As the laptop was being used outside the network, this incident didn't become apparent until the laptop was back in the office -- by which time it was too late.
The infected laptop then served as an entry point for the attackers to compromise the corporate network, allowing the attackers to use PowerShell exploit to access dozens of systems that could be compromised by taking advantage of the user's permissions.
The attackers were also able to gather additional privileged account credentials by using Mimikatz, an open-source utility used to retrieve clear text credentials and hashes from memory, to gain access to servers and further move across the network.
"Local administrator privileges made it easier for the threat actor to access a multitude of endpoints by accessing just one account that linked them all. Once access to the domain was gained, it left the organization completely exposed," Bryan York, director of professional services at Crowdstrike told ZDNet.
This exposure allowed the attackers to install Framework POS malware on the retail store server with the intention of stealing credit card data.
Researchers have identified a cyber criminal group they call Indrik Spider as the culprits of the attack. The hacking operation has been active since 2014 and is heavily associated with Dridex and BitPaymer ransomware campaigns, which are thought to have netted the attackers millions of dollars.
It's the first time Indrik Spider has been associated with FakeUpdates, indicating that the group is expanding its operations as it continues to find new means of illicitly making money. Crowdstrike wouldn't say whether the campaign was successful in its goal or if credit card data was stolen from the company -- but there are lessons that organisations should take on board to avoid falling victim to similar campaigns.
Crowdstrike recommends that accounts should be segregated, and that end users shouldn't be given administrator privileges on their local systems. In this incident, the adversary abused a misconfiguration within the company's Active Directory that provided unnecessary privileges -- so the security firm recommends that organisations should regularly review Active Directory configurations across the entire global enterprise.
"Attackers used PowerShell or Windows Management Instrumentation in 20 percent of the cases we saw this year and businesses need to know how to better detect and protect against these," said York.