Configuration of IT security solutions matters – and sometimes a single parameter can cause big trouble

Sometimes supposedly small things make a huge difference. This can also be true for cyber security configurations. In recent weeks, multiple partners described very similar cyber attacks their customers faced, and in some cases the criminals were unfortunately even successful in compromising customer networks. Specifically, cyber criminals first exfiltrated and then encrypted data with Akira ransomware. Akira ransomware has been out in the wild since March 2023 and many companies have fallen victim to it (CISA has published a very detailed description and many helpful recommendations in this advisory: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a ).
Let me share a real example of a WatchGuard customer with Firebox, AuthPoint and EPDR in place that was hit by this type of attack. From a technology perspective, this seems to be the combination of solutions that makes life really tough for cyber criminals. Nevertheless, they became a victim: data was stolen, and Akira ransomware was used to encrypt data.
So what happened?
Criminals gained access to the network using stolen or brute-forced credentials for a single user to log in via VPN. Wait a second… don't they use WatchGuard AuthPoint? They do, but unfortunately a legacy configuration on their Firebox was in place that allowed logins with the local Firebox-DB users as well. Even though AuthPoint had been configured and in use for a while already, the option to use Firebox-DB users was still enabled in the Firebox configuration. The attackers used the stolen or compromised credentials and logged in using Firebox-DB, bypassing the MFA that would have protected WatchGuard AuthPoint users.
As soon as the criminals had VPN access, they started scanning the network and initiated brute-force attempts, trying to remotely log in to the servers and clients discovered in the scans. After about 4 days, they were successful and logged in on 2 different server systems reachable from the VPN. On these servers, they could steal credentials for a few AD domain accounts (some even with administrative privileges) and use these accounts to carry on with living-off-the-land attacks. Tools like Advanced Port Scanner and netstat were used to scan the network for possible additional target servers and clients. By using these legitimate tools to learn more about the network, they tried to hide their activities and remain undetected.
Most of the endpoints were well protected by WatchGuard EPDR. Even though the attackers could access and log in on some of them, they could not install or run ransomware and steal data immediately. Unfortunately, one of the systems the criminals compromised was not protected by WatchGuard EPDR, so they could easily use this server to start harmful actions:
- They collected files remotely from other systems via Windows network file sharing over SMB.
- They compressed the files with the legitimate tool WinRAR.
- They uploaded the archives to fastupload.io, a free and legitimate file-sharing service that can be used without account creation.
- They ran the ransomware akira.exe on the unprotected system and encrypted files remotely via Windows file sharing. As one of the accounts stolen in the first phase of the attack was an administrator, this was an easy task.
The customer discovered the attack when the encryption was already finished and a ransom payment had been demanded. So it was already too late to stop the attack. Fortunately, the customer had a clean and consistent backup of all critical files and data, so they decided to start with a clean implementation and to restore the backups. Of course, they validated by forensic analysis and deeper investigation that the backup was actually clean.
What lessons can we learn from this example?
Even a single parameter in a perimeter firewall solution that is not configured ideally can open an attack vector for cyber criminals. In this specific example, the Firebox-DB option was not disabled even though AuthPoint was already configured and in use. This allowed the attackers to bypass MFA with stolen or compromised credentials. I highly recommend enabling MFA (e.g. with WatchGuard AuthPoint) wherever possible and double-checking that no legacy options to log in (especially remotely) without MFA are still enabled.
As brute-forcing was presumably used in the attack in my example as well, I also recommend enabling features for brute-force prevention. Such features can stop brute-force attempts and disable a user account before the password is known, or even block the source IP of an attacker. A good overview of WatchGuard's features for this, with configuration tips and tricks, is documented here: https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000BcPmSAK&lang=en_US
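As an added example (not code from the article or from WatchGuard's products), the following Python script shows how the two brute-force controls just described, locking an account after repeated failures and blocking a source IP that keeps rotating accounts, can be expressed as detection logic over a constructed logon-failure log; the thresholds, host names, account names and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Policy thresholds (assumed values for illustration, not product defaults).
USER_LOCK_THRESHOLD = 5     # failures for one account within WINDOW -> lock account
IP_BLOCK_THRESHOLD = 10     # failures from one source IP within WINDOW -> block IP
HOST_SPRAY_THRESHOLD = 3    # distinct target hosts hit from one source -> lateral brute force
WINDOW = timedelta(minutes=10)


def constructed_events():
    """Constructed sample logon-failure log (not from the incident): one VPN-pool
    client rotates two accounts across three servers within six minutes, while a
    legitimate user mistypes a password twice and then succeeds."""
    base = datetime(2024, 5, 1, 2, 0, 0)
    hosts = ["srv-file01", "srv-app02", "srv-db03"]
    events = []
    for i in range(12):
        ts = base + timedelta(seconds=30 * i)
        events.append((ts, "10.0.200.15", hosts[i % 3], f"svc{i % 2}", "fail"))
    events.append((base + timedelta(minutes=1), "10.0.10.7", "srv-file01", "j.doe", "fail"))
    events.append((base + timedelta(minutes=2), "10.0.10.7", "srv-file01", "j.doe", "fail"))
    events.append((base + timedelta(minutes=3), "10.0.10.7", "srv-file01", "j.doe", "success"))
    return events


def analyse(events):
    """Replay (timestamp, source_ip, target_host, user, result) events in time
    order and return (locked_users, blocked_ips, spraying_ips).

    Separate sliding windows per account and per source IP mean the account
    lockout fires before a password is found, and the source block still fires
    when the attacker rotates accounts to stay under the per-account limit."""
    user_fail = defaultdict(list)   # account -> failure timestamps inside WINDOW
    ip_fail = defaultdict(list)     # source IP -> failure timestamps inside WINDOW
    ip_hosts = defaultdict(set)     # source IP -> distinct hosts it failed against
    locked, blocked = set(), set()
    for ts, src, host, user, result in sorted(events):
        if result != "fail":
            continue
        for bucket, key in ((user_fail, user), (ip_fail, src)):
            bucket[key] = [t for t in bucket[key] if ts - t <= WINDOW] + [ts]
        ip_hosts[src].add(host)
        if len(user_fail[user]) >= USER_LOCK_THRESHOLD:
            locked.add(user)
        if len(ip_fail[src]) >= IP_BLOCK_THRESHOLD:
            blocked.add(src)
    spraying = {ip for ip, h in ip_hosts.items() if len(h) >= HOST_SPRAY_THRESHOLD}
    return locked, blocked, spraying
```

Running `analyse(constructed_events())` locks both rotated accounts and blocks the VPN-pool client, while the user who merely mistyped a password is left alone.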
Another lesson learned is that strong endpoint security solutions like WatchGuard EPDR should be in place on all clients and servers to avoid blind spots that could lead to compromise and lateral movement. Akira.exe was blocked and quarantined on EPDR-protected systems during the attack in this example, but a single unprotected server could be used to remotely steal and encrypt data from other systems. Akira operators have even compromised IoT cameras with network access to critical systems to launch their ransomware before.
It is also important to keep operating systems and applications up to date. Having a patch management solution in place is very important to do this in an efficient way.
Secure network segmentation, limiting access between systems and enabling security services to scan internal traffic, can also help to stop attacks or limit their scope. The Intrusion Prevention System of Firebox, for example, is capable of detecting and blocking network scanning, exploitation of vulnerabilities, and other harmful activities. I read an article about an Akira infection that used a compromised webcam because servers and clients could not be compromised (https://www.s-rminform.com/latest-thinking/camera-off-akira-deploys-ransomware-via-webcam ) - this underlines the importance of network segmentation, especially for IoT devices.
You should also consider limiting outbound communication by restricting ports and protocols as much as possible and by using WebBlocker and other technologies. The site fastupload.io that was used to upload the stolen data is categorized as "personal network storage and backup" by the WebBlocker service. Is it really required to allow such websites for all users and all devices?
I also recommend taking HTTPS Content Inspection seriously, to make sure malicious or unwanted content can be identified in encrypted web traffic.
What else is important?
But it is not only about strong protective measures. Nowadays it becomes more and more important to continuously monitor network and endpoint activities to uncover hidden threats and risks. Cyber criminals use sophisticated tools to prepare and launch their attacks, making it more challenging to detect and stop them. Network Detection and Response solutions (e.g. WatchGuard ThreatSync+ NDR) can be of huge help to discover anomalies and react before it is too late. In the example shared, network scanning activities and file extractions were identified in the post-breach investigation – an NDR solution could have discovered this while the cyber criminals were still extending their attack and planning their next steps. With alerting and even reaction or remediation capabilities as part of the NDR solution, or based on an integration into an XDR solution, attacks can often be stopped before exfiltration and encryption of data happens. WatchGuard ThreatSync+ NDR forwards alarms to ThreatSync Core so that remediation can easily happen – e.g. by isolating a host or blocking network communication.
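An added example, not code from the article or from ThreatSync+ NDR, of the kind of check an NDR sensor could have run on the exfiltration described above: it compares each host's outbound volume with that host's own baseline and flags sizeable uploads to the personal-storage category mentioned earlier; the category table, baseline figures, host names, destinations and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed category lookup (constructed; a real sensor would query the web
# filter's category service, such as the WebBlocker category quoted above).
CATEGORY = {
    "fastupload.io": "personal network storage and backup",
    "crl.example-ca.test": "software updates",
}
EXFIL_CATEGORIES = {"personal network storage and backup"}
Z_THRESHOLD = 3.0                # assumed: outbound volume above mean + 3 sigma
STORAGE_UPLOAD_MIN = 50_000_000  # assumed: 50 MB to a storage site is worth an alert

# Constructed baseline: outbound bytes per day for the previous seven days.
BASELINE = {
    "srv-legacy01": [120e6, 95e6, 110e6, 130e6, 100e6, 115e6, 105e6],
    "ws-finance03": [40e6, 55e6, 48e6, 60e6, 45e6, 52e6, 50e6],
}

# Constructed flow summary for one day: (host, destination, bytes_out).
FLOWS = [
    ("srv-legacy01", "fastupload.io", 1_800_000_000),  # archives leaving the network
    ("srv-legacy01", "crl.example-ca.test", 2_000_000),
    ("ws-finance03", "crl.example-ca.test", 48_000_000),
]


def detect(flows, baseline):
    """Return alerts as (host, reason, detail) from two independent signals:
    the host's outbound volume deviating from its own baseline, and any
    sizeable upload to a destination in a personal-storage category."""
    total = defaultdict(int)
    storage = defaultdict(lambda: defaultdict(int))
    for host, dest, n in flows:
        total[host] += n
        if CATEGORY.get(dest) in EXFIL_CATEGORIES:
            storage[host][dest] += n
    alerts = []
    for host, out in total.items():
        hist = baseline.get(host)
        if hist and len(hist) >= 2 and pstdev(hist) > 0:
            z = (out - mean(hist)) / pstdev(hist)
            if z > Z_THRESHOLD:
                alerts.append((host, "outbound volume anomaly", round(z, 1)))
        for dest, n in storage[host].items():
            if n >= STORAGE_UPLOAD_MIN:
                alerts.append((host, "upload to personal storage", dest))
    return alerts
```

With the constructed data, `detect(FLOWS, BASELINE)` raises both signals for the unprotected server only; the workstation's routine traffic stays below both thresholds.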
In many cases an investigation of all suspicious activities will be needed to reveal the full scope of a cyber attack. To make sure this happens immediately on the first indication of an attack and in a proactive way, Managed Detection and Response services should be considered as well. In the example described, our team and other specialists were involved after the breach and encryption had happened – too late to protect the customer. With MDR services, trained cyber security experts get involved before it is too late and investigate and remediate threats proactively. WatchGuard recently launched Total MDR as a service that covers WatchGuard Endpoint, Fireboxes, AuthPoint and also ThreatSync+ NDR to identify and stop harmful activities regardless of the attack vector – I am very confident that this service (in case protective measures did not catch the attack earlier) would have caught the attacker before any serious impact.
The combination of well-configured protections for networks, endpoints and identities with 24/7 monitoring for anomalies and threats is the level of protection needed today to stay ahead. This is real Security for the real World!