Illusive Blog April 9, 2019

LockerGoga Attack Underscore The Need for Cyber Hygiene

By Jason Silberman

Spring is here, and with it comes news of a new and vicious ransomware attack, known as LockerGoga.

Since the start of 2019, numerous industrial companies have been hit, including French engineering consulting firm Altran, Norwegian aluminum manufacturer Norsk Hydro, and others. In the case of Norsk Hydro, damages are estimated at up to $40 million.

Ransomware meets APT

Andy Greenberg’s Wired article shares the nasty details. After finding a way in, LockerGoga uses Metasploit, Mimikatz, Cobalt Strike and other common exploit tools to move laterally, escalating privileges until attackers acquire domain admin credentials. From there, they leverage Active Directory to plant a ransomware payload on targeted machines.

LockerGoga is an example of the convergence of more opportunistic, broadcast-style cybercrime and the targeted, strategic efforts of nation-state attackers:

They know the strategic value specific data can have. The attackers appear to have targeted the machines of specific users and functions, enabling them to extort hundreds of thousands of dollars per machine, making previous ransoms look like pocket change.

They might be leveraging the broader cybercrime economy. It’s not clear how they’re making initial entry, but the Wired article speculates that they may be using credentials purchased on the dark web. Why bother with a trial-and-error phishing attack if a small upfront investment will get you in quickly and silently?

Lateral movement is a significant part of this ransomware campaign. Jai Vijayan’s article in Dark Reading describes key attributes of the attack once target systems are reached. But leading up to that point, attackers apparently spend significant efforts to harvest credentials and escalate privileges in order to position their endpoint executables.

Active Directory (AD) played a pivotal role in the endpoint targeting process. It’s another example of how AD can be used in “creative” ways as part of the attack process.

LockerGoga implements sophisticated methods to bypass traditional detection controls. For example, some variants of their code are signed with stolen credentials, and a utility is executed that disables antivirus software.

Stop targeted ransomware by preventing lateral movement

The more the line blurs between criminal and nation-state methods, the more urgent it is to do what it takes to stop or stall lateral movement to prevent attackers from ever reaching targeted systems.

Excess credentials and connections create major network vulnerability. Leveraging credentials on an endpoint is nothing new, of course. While the scope of damage caused by these attacks is massive, the description of the underlying lateral movement tactics that attackers have been using in the LockerGoga attacks are familiar.

It begins with an attacker harvesting credentials in order to breach the network and land on a particular endpoint, and then moving from there to other machines by exploiting additional credentials and connections. Attackers can move easily and silently from one system to another, change domain attributes, add permissions, change passwords, and connect to any machine in the domain, all the while making their way toward an organization’s critical business assets, from where they can do the most damage.

If they are able to simply access the credentials and connections on each endpoint, it’s very difficult for security analysts to differentiate that behavior from normal behavior.

Locating, identifying, and reducing what isn’t needed

So how can security teams prevent against these attacks? While early detection is always needed, preempting an attacker by hardening your network now and disarming them is a highly strategic and needed component of this fight. Connectivity is necessary, but in every network there is more than there should be. How many machines contain cached domain admin credentials? Do you have visibility into where there remain Improperly disconnected RDP sessions that provide high-level access?

Every organization, even those with the best security teams and security controls, have some hidden, vulnerable credentials in their environment. The need to identify and eliminate excess and unnecessary—but very risky—credentials and Active Directory privileges is of utmost importance.

So now that Spring has arrived—along with LockerGoga—some cyber cleaning is in order. For a limited time, Illusive is offering Attack Surface Manager as a special ASM Spotlight offer, Organizations of any size or budget can stand it up in hours to gain immediate visibility into hidden high-privilege credentials, credential policy violations, and high-risk connectivity to “crown jewels.”

The ASM Spotlight Solution is a low-cost, turn-key starter package, including installation, tuning, and consultation with Illusive attack researchers.