Remote management and monitoring (RMM) and other remote access solutions are fantastic for enabling remote support of environments. Like most things in life though the intent of the user changes the tool from a force for good to a weapon of evil (I hate the use of the word weapon with software but it’s a blog so I’ll self-cringe).
Kill Chain Summary
The kill chain in the attack outlind by sophos isn’t one that you will be suprised at:
- Initial access was via a known software vulnerability (unpatched Exchange server)
- The attackers dropped a web shell
- The attackers had SYSTEM level access
- The attackers dumped memory to obtain hashes
- The hashes were cracked (they escalated to domain admin)
- 7 (yes seven!) backdoors were implaneted into the target network (hence this blog post)
- Lateral movement was made to domain controllers
- Large volumes of data were exfiltrated
- The rest of the environment was then pwn3d
What might shock you more is the speed at which this was conducted. It’s not months or weeks, it’s hours and days (see the Sophos blog for more details!)
Conti Actors Remote Access Toolkits
Remote access tools being abused isn’t a new thing but following a great writeup (https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/?cmp=30728) of a Conti kill chain from Sophos Labs I figured I’d try and raise more awareness of some of the threats that organisations face, and the reality that defending against all threats is actually quite difficult for a lot of organisations (hell it’s technically not simply for anyone!)
Now, is anyone noticing a theme here?
All of these can be used with trials for 30 days. Now I purchase software and having access to trials is key for me to be able to evaluate and test products, but as with many things in life, there are upsides and downsides.
Before everyone grabs pitchforks and demands action, let’s be real here. These aren’t the only methods. The threat actors were using a C2 (in this instance Cobalt Strike), they had SYSTEM/Administrator access to an exchange server, they could have deployed basically any remote access/management technology.
If it wasn’t the list above it could have been a range of products:
or simple a reverse shell using oh so many techniques from built in OS functionality such as Remote Desktop Protocol, SSH, TELNET or another BIND or reverse shell method.
The long and short of all of this isn’t about remote access trials, it’s about the reality that to defend a network you need to know the network. You also need to have as a rule of thumb significantly more knowledge and apply far greater effort than if you were to click next, next, finish.
Most organisations networks are deployed with a “do faster” and “be cheaper” approach. Whilst in business there’s obviously a requirement for cost management, if we continue to force everything down to the lowest common denominator, do we really expect the cyber risks we face to decrease?
Securing a business technology environment has a reality point where the devil is in the detail. With regard to Proxyshell there is a vendor patch, this was after however a 0-day exploit was leveraged to via ProxyLogon, so whilst it’s easy for a security professional to cry “just patch”, the realities of manging business cyber risk are far more complex. Getting the foundations right, investing in operational capabilities and paying attention don’t sound sexy, but they do generally keep you much safer from ransomware actors!