Powered by MOMENTUM MEDIA
Anatomy of a ransomware attack – all it takes is 48 minutes!

A ransomware gang very likely to be BlackBasta was recently caught in the act – here’s what a cyber attack looks like step by step.

David Hollingworth
Fri, 21 Feb 2025

Security researchers at ReliaQuest recently observed the aftermath of a ransomware attack on a victim in the manufacturing sector. The threat actor's breakout time, the interval from initial access to lateral movement, was staggering.

All it took for the hackers – most likely the BlackBasta operation, given the tactics and techniques used – to go from initial contact to moving laterally within the victim’s network was just 48 minutes.

Perhaps even more alarmingly, the time could have dropped to just eight minutes under the right – or, more accurately, wrong – conditions.

Contact to breakout

The hackers made initial contact via a wave of spam emails, sent from an “onmicrosoft.com” address, targeting just 15 workers. They then posed as help-desk staff offering to deal with the spam, contacting two employees via Microsoft Teams and persuading them to grant remote access to their machines through Quick Assist.

One user gave the threat actor control of their machine for more than 10 minutes, which was all the hacker needed to move forward.

A malicious DLL disguised as a OneDrive update was then installed, allowing the hackers to evade detection by appearing legitimate. Attempts to communicate with the attacker’s command-and-control infrastructure began just seven minutes after initial contact, and the first attempt at lateral movement within the network one minute after that.

Though that first attempt largely failed, the threat actor quickly pivoted to a combination of remote desktop protocol (RDP) and PowerShell, using compromised admin accounts to propagate the malicious updater across the network.

Within 48 minutes of initial contact, the attacker had broken out and was moving laterally across the network.

Escalation and exfiltration

Next, the attacker gained control of a service account with access to an SQL database, though how this was achieved remains unknown because of limited system logs. A domain admin account was then created, along with domain admin permission groups and further user accounts.

SoftPerfect Network Scanner, a commonly used legitimate tool, was then run to identify targets within the network as a precursor to data exfiltration.

“Between January 2024 and July 2024, ReliaQuest found that 85 per cent of compromises involved service accounts,” ReliaQuest’s researchers said in a 20 February blog post.

“These accounts are frequently targeted as they are often over-privileged and poorly secured. Service accounts serve as a critical foothold for attackers, offering weak controls that can be abused at various stages of the attack life cycle, as observed in this attack.”

Finally, exfiltration began: the attacker used the elevated file permissions to reach the data and the open-source file transfer client WinSCP to move it to a remote server under the attacker’s control, hosted at “pefidesk[.]com”.

The entire attack took just 30 hours.

According to ReliaQuest, breakout times are expected to shrink even further, possibly to as fast as 30 minutes from initial contact to lateral movement. In addition, ReliaQuest’s researchers expect help-desk impersonation and similar social engineering techniques to become only more common in 2025.

Some level of security automation is therefore a key part of containing sophisticated threat actors: a purely human response cannot reliably act within a 48-minute breakout window, let alone an eight-minute one.
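As an added example (not code from the article or from the ReliaQuest report), the following Python script shows the kind of automation the paragraph above argues for. It correlates a constructed set of endpoint and identity events into the chain described in the two sections above, from the onmicrosoft.com spam and Quick Assist session through the fake OneDrive DLL, the C2 beacon, the failed first lateral attempt, RDP/PowerShell lateral movement, the service account adding a new domain admin, SoftPerfect scanning and WinSCP exfiltration, and computes the breakout time. All events, hostnames, account names, IP addresses and timestamps are constructed; the timings are chosen to mirror the article's figures (C2 at seven minutes, first lateral attempt at eight, breakout at 48, exfiltration about 30 hours in). The regex rules are illustrative, not a production detection set.

```python
import re
from datetime import datetime

# Constructed sample telemetry (not real logs). Fields: timestamp, host, source, detail.
# Timings mirror the article's figures: C2 at +7 min, first lateral attempt at +8 min,
# successful breakout at +48 min, exfiltration roughly 30 hours after first contact.
SAMPLE_EVENTS = [
    ("2025-02-10T09:00:00", "WS-14", "email", "inbound spam burst from helpdesk@example.onmicrosoft.com"),
    ("2025-02-10T09:03:00", "WS-14", "teams", "external chat accepted from 'IT Help Desk' (unknown tenant)"),
    ("2025-02-10T09:04:00", "WS-14", "process", "QuickAssist.exe launched by explorer.exe, screen control granted"),
    ("2025-02-10T09:06:30", "WS-14", "image_load",
     "OneDrive.exe loaded C:\\Users\\jdoe\\AppData\\Local\\Temp\\OneDriveUpdate.dll (unsigned)"),
    ("2025-02-10T09:07:00", "WS-14", "network", "OneDrive.exe connected to 203.0.113.50:443 (uncategorised)"),
    ("2025-02-10T09:08:00", "WS-14", "network", "OneDrive.exe opened SMB to \\\\SRV-07\\ADMIN$ (denied)"),
    ("2025-02-10T09:48:00", "WS-14", "logon", "outbound RDP (logon type 10) to SRV-07 as CORP\\svc_backup"),
    ("2025-02-10T09:49:00", "SRV-07", "process",
     "powershell.exe -NoP -W Hidden -EncodedCommand <redacted> under CORP\\svc_backup"),
    ("2025-02-10T12:10:00", "DC-01", "security",
     "EventID 4728 member CORP\\itadmin2 added to group Domain Admins by CORP\\svc_backup"),
    ("2025-02-10T13:00:00", "SRV-07", "process", "netscan.exe (SoftPerfect Network Scanner) started by CORP\\itadmin2"),
    ("2025-02-11T15:00:00", "SRV-07", "network", "WinSCP.exe SFTP session to pefidesk[.]com:22, 38 GB sent"),
]

# Ordered (stage, event source, regex) rules. The order is the expected kill-chain order
# and is also used when reporting which stages were observed. Illustrative, not production rules.
STAGE_RULES = [
    ("initial_contact",  "email",      r"onmicrosoft\.com"),
    ("helpdesk_lure",    "teams",      r"external chat .*help ?desk"),
    ("remote_access",    "process",    r"QuickAssist\.exe"),
    ("masquerade_dll",   "image_load", r"OneDrive\.exe loaded .*\\Users\\.*\.dll \(unsigned\)"),
    ("c2",               "network",    r"OneDrive\.exe connected to"),
    ("lateral_attempt",  "network",    r"SMB to .*\(denied\)"),
    ("lateral_movement", "logon",      r"logon type 10"),
    ("lateral_movement", "process",    r"powershell\.exe .*-EncodedCommand"),
    ("priv_escalation",  "security",   r"EventID 4728 .*Domain Admins"),
    ("discovery",        "process",    r"netscan\.exe"),
    ("exfiltration",     "network",    r"WinSCP\.exe .*session to"),
]


def classify(source, detail):
    """Return the kill-chain stage an event matches, or None for benign/unknown events."""
    for stage, src, pattern in STAGE_RULES:
        if source == src and re.search(pattern, detail, re.IGNORECASE):
            return stage
    return None


def build_timeline(events):
    """Map each stage to (timestamp, host, detail) of the FIRST event matching it."""
    timeline = {}
    for ts, host, source, detail in sorted(events, key=lambda e: e[0]):
        stage = classify(source, detail)
        if stage is not None and stage not in timeline:
            timeline[stage] = (datetime.fromisoformat(ts), host, detail)
    return timeline


def minutes_between(timeline, start, end):
    """Minutes from the first `start` event to the first `end` event, or None if either is missing."""
    if start not in timeline or end not in timeline:
        return None
    return (timeline[end][0] - timeline[start][0]).total_seconds() / 60


def assess(events, breakout_threshold_min=60):
    """Summarise the observed chain and flag a breakout faster than a human-speed response."""
    tl = build_timeline(events)
    breakout = minutes_between(tl, "initial_contact", "lateral_movement")
    to_exfil = minutes_between(tl, "initial_contact", "exfiltration")
    exfil = tl.get("exfiltration")
    host_match = re.search(r"session to ([^\s,:]+)", exfil[2]) if exfil else None
    pe = tl.get("priv_escalation")
    return {
        "stages": list(dict.fromkeys(s for s, _, _ in STAGE_RULES if s in tl)),
        "minutes_to_c2": minutes_between(tl, "initial_contact", "c2"),
        "minutes_to_first_lateral_attempt": minutes_between(tl, "initial_contact", "lateral_attempt"),
        "breakout_minutes": breakout,
        "fast_breakout": breakout is not None and breakout < breakout_threshold_min,
        # The article's point about over-privileged service accounts: was the domain admin
        # added by an account following the (assumed) "svc_" naming convention?
        "priv_esc_via_service_account": bool(pe) and "svc_" in pe[2].lower(),
        "hours_to_exfil": None if to_exfil is None else to_exfil / 60,
        "exfil_host": host_match.group(1) if host_match else None,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_EVENTS).items():
        print(f"{key:34s} {value}")
```

The threshold is the point: a breakout under an hour is flagged because it is faster than a ticket-driven response, and the same function with a 30-minute threshold (the figure ReliaQuest expects breakouts to fall to) would not flag this incident, which is why the threshold should track the adversary rather than the analyst's shift pattern.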

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
