Was this the most vanilla ransomware attack ever? | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

BHI Energy, a services and staffing firm for the industrial, oil & gas and power generation markets, says a ransomware attack in late June 2023 began on May 30, when attackers used credentials belonging to a “previously compromised user account of a third-party contractor.”

In an incident report describing what looks like the quintessential low-hanging-fruit ransomware attack, the cybercriminals used those credentials to reach the company’s internal network through a VPN connection that was seemingly not set up with MFA, poked about undisturbed for a month, exfiltrated data including “a copy of BHI’s Active Directory database”, and finally detonated the Akira ransomware on June 29.

BHI Energy reported the incident on October 17, sharing further details in a letter to the Office of the Attorney General of Iowa, as first published by Bleeping Computer. The threat actor exfiltrated 767,035 files.

BHI has since “extended its deployment of EDR and antivirus software within the environment; performed an Enterprise Password Reset; decommissioned legacy and unused systems; and implemented multi-factor authentication on its remote access VPN,” it said. 

Stolen or reused credentials for a VPN, or (a moderate step up the skills ladder for attackers) the abuse of unpatched vulnerabilities in VPN software, remain a hugely common source of cybersecurity pain for businesses.

The hugely impactful 2021 ransomware attack on Colonial Pipeline, which halted operations on a pipeline that moves some 2.5 million barrels per day of gasoline, diesel and jet fuel from Houston to the East Coast, also started with attackers using a VPN account that had been set up without MFA: one username/password combination was all it took.
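Both incidents share the same two signals a defender could have looked for in VPN authentication logs: a successful login that presented no second factor, and an account that had been quiet for a long time (a contractor whose credentials were compromised months earlier, or an unused account that was never decommissioned) suddenly authenticating again. The script below is an added example, not code from the article or from BHI Energy; the key=value log format, the field names and every sample line are constructed for illustration, so adapt the regular expression to whatever your VPN gateway actually emits.

```python
"""
Audit VPN authentication logs for the two weak points behind the BHI Energy
and Colonial Pipeline intrusions:
  1. successful VPN logins that presented no second factor (mfa=no), and
  2. successful logins by accounts that had been dormant for a long time.

Added example, not from the original article. The log format, field names
and sample lines below are constructed (hypothetical) for illustration.
"""
from datetime import datetime, timedelta
import re

# Constructed sample log in a hypothetical key=value VPN gateway format.
# contractor.jdoe logs in once in March, then reappears on May 30 with no MFA.
SAMPLE_LOG = """\
2023-03-02T09:14:05Z event=vpn_login user=contractor.jdoe result=success mfa=no src=198.51.100.23
2023-05-30T02:41:17Z event=vpn_login user=contractor.jdoe result=success mfa=no src=203.0.113.77
2023-05-30T08:03:44Z event=vpn_login user=alice.ops result=success mfa=yes src=192.0.2.10
2023-05-31T07:55:12Z event=vpn_login user=bob.eng result=failure mfa=no src=192.0.2.11
2023-05-31T08:01:30Z event=vpn_login user=bob.eng result=success mfa=yes src=192.0.2.11
2023-06-01T23:12:09Z event=vpn_login user=contractor.jdoe result=success mfa=no src=203.0.113.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=vpn_login user=(?P<user>\S+) result=(?P<result>\S+) "
    r"mfa=(?P<mfa>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Parse the constructed log format into a list of event dicts; skips unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "success": m["result"] == "success",
            "mfa": m["mfa"] == "yes",
            "src": m["src"],
        })
    return events


def single_factor_logins(events):
    """Successful VPN logins where no second factor was presented.
    Once MFA is enforced on the gateway this list should be empty."""
    return [e for e in events if e["success"] and not e["mfa"]]


def dormant_reactivations(events, dormant_days=60):
    """Successful logins by accounts whose previous successful login was more
    than dormant_days earlier. Failed attempts do not reset the clock."""
    last_seen = {}
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if not e["success"]:
            continue
        prev = last_seen.get(e["user"])
        if prev is not None and e["ts"] - prev > timedelta(days=dormant_days):
            hits.append({"user": e["user"], "ts": e["ts"],
                         "gap_days": (e["ts"] - prev).days, "src": e["src"]})
        last_seen[e["user"]] = e["ts"]
    return hits


def report(log_text, dormant_days=60):
    """Run both checks over a log and return the findings as a dict."""
    events = parse(log_text)
    return {
        "single_factor": single_factor_logins(events),
        "dormant": dormant_reactivations(events, dormant_days),
    }


if __name__ == "__main__":
    findings = report(SAMPLE_LOG)
    for e in findings["single_factor"]:
        print(f"NO-MFA  {e['ts'].isoformat()} {e['user']} from {e['src']}")
    for h in findings["dormant"]:
        print(f"DORMANT {h['ts'].isoformat()} {h['user']} back after {h['gap_days']} days from {h['src']}")
```

On the constructed sample the first check flags all three of contractor.jdoe's logins, and the dormancy check flags the May 30 login as the account's first successful authentication in 88 days. In practice the dormancy threshold should be tied to your joiner/mover/leaver process, and the single-factor check is best turned into a gateway policy (deny, not just alert) once MFA is rolled out.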

Organisations that have moved most of their applications to the cloud should seriously consider building out more of a “zero trust” approach, which often involves doing away with traditional VPNs altogether, or at least taking a hard look at how and why they are using their VPNs (on-premise file shares hold many smaller organisations back).

As the Department of Defense has put it bluntly: “VPNs pose a threat to enterprise security. They create a path in the network perimeter and provide access to network resources after authentication. The conventional approach cannot provide a method to intelligently confirm the identities of users and entities attempting to access the network or provide adaptive policy enforcement based on authentication.”

Network defenders can also review CISA’s guidance on Implementing Phishing-Resistant MFA.
