
New Zealand CERT issues advisory on ransomware campaign

June 18, 2020 By William Knowles, Senior Editor, InfoSec News

The New Zealand Computer Emergency Response Team (CERT NZ) has released an advisory on a ransomware campaign leveraging remote access technologies.

Unknown malicious cyber actors are targeting organizations’ networks through remote access tools, such as Remote Desktop Protocol and virtual private networks, exploiting unpatched vulnerabilities and weak authentication.

After gaining access, these actors use various tools including mimikatz, PsExec, Cobalt Strike, and Nefilim ransomware for privilege escalation, lateral movement, persistence, and data exfiltration and encryption. The issue cannot be resolved by simply restoring data from backup, because of the level of access gained before the ransomware is deployed.

Active ransomware campaign leveraging remote access technologies

We are aware of attackers accessing organizations’ networks through remote access systems such as remote desktop protocol (RDP) and virtual private networks (VPN), as a way to create ransomware attack opportunities. They are gaining access through weak passwords, organizations not using multi-factor authentication as an extra layer of security, or a remote access system that isn’t patched.

The current attacks are believed to be sophisticated and well crafted. They can have severe impacts on business operations, including data being stolen and sold. Recovery requires significant investment to fully investigate and remediate the compromised network, and to restore encrypted files from backup.

What’s happening

Systems affected

Attackers access an organization’s network through vulnerable remote access technologies. Entry may be through:

  • unpatched software,
  • weak authentication, or
  • lack of multi-factor authentication (MFA).

From there, any system on the network may be affected. Citrix remote access technologies have been reported as a common way for attackers to gain access.

What this means

Once an attacker gains a foothold through the remote access system, they use tools such as mimikatz, PsExec, and Cobalt Strike to elevate privileges, move laterally across the network, and establish persistence.

The attacker identifies and extracts sensitive information from the network and encrypts files. Nefilim ransomware has commonly been used, but other ransomware can also be used. Once the attacker has the information they want, they attempt to sell or publicly release it.

Due to the level of access gained before deploying ransomware, merely restoring data from a backup won’t resolve the issue. Remediation will require an in-depth investigation of all compromised or potentially compromised systems to fully eradicate the attacker and to identify the security improvements necessary to prevent another attack.

What to look for

How to tell if you’re at risk

Any network that does not have appropriately secured remote access is at risk.

How to tell if you’re affected

Check your remote access systems for any sign of unauthorized access. If any unauthorized access is detected, further investigation will be required to determine any lateral movement across the network.

If an attack has progressed to the ransomware phase, Nefilim ransomware may leave the following indicators of compromise (IOCs):

  • files with a .NEFILIM extension
  • a file called NEFILIM-DECRYPT.txt may be placed on affected systems
  • batch files created in C:\Windows\Temp
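The three file-system indicators above are simple enough to hunt for with a script. The following is an added example, not part of the CERT NZ advisory or any vendor tooling: it walks a directory tree (intended to be the root of a mounted volume or forensic image, so that `Windows\Temp` sits directly under it) and reports files that carry the `.NEFILIM` extension, the `NEFILIM-DECRYPT.txt` ransom note, or batch files under `Windows\Temp`. The sample tree created by `build_sample_tree()` is constructed for the demonstration; the function and indicator names are this example's own.

```python
"""Hunt for the Nefilim file-system indicators listed in the CERT NZ advisory.

Added example (not the advisory's own code). Run against the root of a
mounted volume or image, e.g. scan(r"E:\") or scan("/mnt/evidence/c").
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the advisory text.
RANSOM_NOTE = "NEFILIM-DECRYPT.txt"
ENCRYPTED_EXT = ".nefilim"
BATCH_EXTS = {".bat", ".cmd"}


def classify(path: Path, root: Path):
    """Return the name of the indicator a file matches, or None."""
    if path.name.upper() == RANSOM_NOTE.upper():
        return "ransom_note"
    if path.suffix.lower() == ENCRYPTED_EXT:
        return "encrypted_file"
    if path.suffix.lower() in BATCH_EXTS:
        # C:\Windows\Temp relative to the volume root is ('windows', 'temp', ...)
        parts = [p.lower() for p in path.relative_to(root).parts]
        if len(parts) >= 3 and parts[0] == "windows" and parts[1] == "temp":
            return "temp_batch_file"
    return None


def scan(root):
    """Walk the tree under root and return sorted (indicator, relative path) pairs."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            full = Path(dirpath) / filename
            ioc = classify(full, root)
            if ioc:
                findings.append((ioc, full.relative_to(root).as_posix()))
    return sorted(findings)


def summarize(findings):
    """Count hits per indicator, e.g. {'encrypted_file': 1, 'ransom_note': 1}."""
    return dict(Counter(ioc for ioc, _ in findings))


def build_sample_tree():
    """Constructed sample volume for the demo; returns its root path."""
    root = Path(tempfile.mkdtemp(prefix="nefilim-demo-"))
    files = {
        "Users/alice/Documents/budget.xlsx.NEFILIM": b"",       # encrypted file
        "Users/alice/Documents/NEFILIM-DECRYPT.txt": b"note",   # ransom note
        "Users/alice/Documents/notes.txt": b"clean",            # benign
        "Windows/Temp/run.bat": b"@echo off",                   # batch file in Temp
        "Windows/Temp/README.txt": b"",                         # benign
        "Windows/System32/legit.bat": b"@echo off",             # batch file, wrong dir
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    hits = scan(demo_root)
    for ioc, rel in hits:
        print(f"{ioc:16} {rel}")
    print(summarize(hits))
```

A hit on any of these indicators only tells you the ransomware phase was reached; per the advisory, the investigation then has to go back to the remote access system and trace lateral movement, and the vendor reports linked below supply hashes and other indicators this script does not cover.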

The following public reporting includes IOCs specific to Nefilim ransomware:

  • Trend Micro’s investigation into Nefilim
  • SentinelLabs’ write-up on Nefilim
  • Indicators of compromise from AlienVault

What to do

Prevention

Ensure that all remote access systems are:

  • up-to-date with security patches
  • strictly enforcing strong authentication (strong passwords and MFA).

Mitigation

CERT NZ Critical Controls such as network segmentation and application whitelisting can mitigate the impact of such an attack by making it harder for an attacker to move around your network. Well-configured backups are essential to recovering from any ransomware attack.

  • Network segmentation
  • Application whitelisting

More information

Advisory: exploitation of Citrix remote access systems

CERT NZ critical controls

If you require more information or further support, submit a report on our website.

Report an incident to CERT NZ
