CYFOR were instructed to assist a medium-sized software development company (“the client”) that had fallen victim to a ransomware attack over the Christmas period.
The first evidence to the client that the attack was occurring was a support call received from a customer that they could not access their cloud environment. Internal investigations revealed that many systems both in the cloud (including Office365) and back-office were compromised and files on them had been encrypted. Both the internal development and external customer-facing networks had been attacked and compromised.
Unfortunately, in this case, recent backups had also been encrypted and months of work were lost. A ransom demand was left on the systems asking for a large sum (several million USD) in cryptocurrency, and the attackers had provided evidence of some data exfiltration from the corporate network. This is a common modus operandi for attacks using this, and similar, variants of ransomware.
The strain seen in this study falls under “Ransomware as a Service” (RaaS), an illegal business model whereby the developers of the ransomware are detached from the attackers and require, under licence, that any profits made through the attack are shared with them. RaaS attacks are common and can be conducted by less skilled or experienced attackers, in much the same way as commercial off-the-shelf software is used; the low barrier to entry for such attacks, unfortunately, means they are on the rise.
It was discovered at the start of the investigation that the client had already taken steps to mitigate the attack, without success: a complete rebuild of the domain controller was performed, but the attackers had maintained persistence through remote management software on the Systems Administrator’s machines. The impact of the attack was reduced by CYFOR isolating the affected networks from the internet completely, removing the attackers’ access, and generating new credentials for the cloud accounts to which they had gained access.
CYFOR connected an infected machine to a completely separate internet connection to facilitate remote analysis during the Covid-19 pandemic. Analysis of the machine uncovered persistence services, network scanning software, and remote management software being used by the attackers to propagate through the network. The ransomware itself was discovered on the machines disguised as a Windows Explorer binary.
Once the method of access and the ransomware variant had been identified, full system reformats were carried out to quickly remove them from the environment.
CYFOR recommended that the client implement multi-factor authentication and strong password policies across their estate. Multi-factor authentication is important because it provides another barrier against attacks that rely on compromised credentials; it can also serve as an early warning of an attack if the user notices an unexpected prompt and denies it. Other recommendations included restructuring the client’s corporate network to be more resilient to attack and replacing end-of-life hardware. The previously flat network structure and the use of obsolete hardware had made the client an easy target for the attackers.
CYFOR provided remediation assistance during and after the attack, securing their network devices as much as possible and then going on to provide improved replacements with enhanced functionality. We now work with this client on an ongoing basis to assist with cyber security and IT support.
A law firm based in the UK (“the client”) approached CYFOR to run internal and external vulnerability assessments against their IT infrastructure. As a result of the extensive findings and recommended remediation, the client now has an ongoing relationship with CYFOR for IT and cyber security support.
A series of questions were asked in order to ascertain the state of security within the business. One significant finding was that there was no multi-factor authentication in place for email, because their email supplier did not support it. Multi-factor authentication is an important addition to security as it makes the compromise of accounts much more difficult: a software token or mobile phone authentication is needed in addition to credentials.
CYFOR provided a proprietary appliance to the client. The appliance is very easy for non-technical clients to install; it requires only an active network port and a power supply. Once plugged in, the appliance is accessible only to CYFOR IT specialists. The appliance uses industry-leading proprietary software to scan for vulnerabilities on the network. Once the scans had completed, a report was produced showing many vulnerabilities in their IT infrastructure, including out-of-date software, hardware, and operating systems.
After receipt of the report, the client agreed to use CYFOR for remediation work, and a plan was set in action to resolve the outstanding vulnerabilities:
With these changes in place, the client has a significantly improved security posture. The vulnerable server in use before remediation was a very easy target for any attacker on the same network. Some of the vulnerable hardware and software in use was no longer supported by its vendors and as such could no longer receive security updates.
CYFOR provides a help desk service that is available for any support queries the client may have. CYFOR manages software such as anti-malware on end-user devices to keep them secure, and maintains real-time health checks on hardware and software patch levels to make sure everything is running smoothly and securely.