Approximately 14 months before the encryption and wiper attacks, initial access was obtained via exploitation of an Internet-facing Microsoft SharePoint server, exploiting CVE-2019-0604. After obtaining access to the victim environment, the actors used several .aspx webshells (pickers.aspx, error4.aspx, and ClientBin.aspx) to maintain persistence. During this timeframe, the actors also used RDP (primarily), SMB, and FTP for lateral movement throughout the victim environment. Persistence in cybersecurity occurs when a threat actor discreetly maintains long-term access to systems despite disruptions such as restarts or changed credentials. Bad actors can place an implant or a “stub” that both evades automated antivirus solutions and kickstarts more malware. This malware is usually hidden in legitimate startup folders or within scheduled tasks and services, making it harder to find.
After you reboot your system or log off and on again, the stub or malware is triggered to run again. In other words, persistence enables hackers who gain access to your environments to keep it—oftentimes without you knowing they had access in the first place (Vlsaggio & Blasio, 2010).
The actors used a compromised Microsoft Exchange account to run searches (via CmdLets New-MailboxSearch and Get-Recipient) on various mailboxes, including for administrator accounts. In this timeframe, the actors used the compromised account to create a new Exchange account and add it to the Organization Management role group. They made thousands of HTTP POST requests to Exchange servers of the victim organization. The FBI observed the client transferring roughly 70-160 MB of data, and the server transferring roughly 3-20 GB of data.
Clients mostly work within a narrow bandwidth for their own needs, while servers process a huge database coming from different customers and entities and operate with a large bandwidth. In this context the authors of the attack were much more interested in transferring big data from the centralized servers than from the peripheral servers of the customers. Approximately twelve months after initial access and two months before launching the destructive cyber-attack, the actors made connections to IP addresses belonging to the victim organization’s Virtual Private Network (VPN) appliance. The actors’ activity primarily involved two compromised accounts. The actors executed the “Advanced Port Scanner” (advanced_port_scanner.exe). Evidence of Mimikatz usage and LSASS dumping was also found.
For the encryption component of the cyber-attack, the actor logged in to a victim organization print server via RDP and kicked off a process (Mellona.exe) which would propagate the GoXml.exe encryptor to a list of internal machines, along with a persistence script called win.bat. As deployed, GoXML.exe encrypted all files (except those having extensions .exe, .dll, .sys, .lnk, or .lck) on the target system, leaving behind a ransom note titled How_To_Unlock_MyFiles.txt in each folder impacted.
In the same timeframe as the encryption attack, the actors began actions that resulted in raw disk drives being wiped with the Disk Wiper tool (cl.exe). Over approximately the next eight hours, numerous RDP connections were logged from an identified victim server to other hosts on the victim’s network. Command line execution of cl.exe was observed in cached bitmap files from these RDP sessions on the victim server (Namitha & Keerthijith, 2018).
The same attack that hit governmental infrastructure happened 2 weeks ago in the Albanian State Police infrastructure, especially in the TIMS infrastructure. Total Information Management System (TIMS): the USG helped implement within the ASP a sustainable, modern, and integrated information management system to enhance capabilities in criminal investigation, case management, criminal intelligence analysis, border control and overall police administration.
This system is a closed system, and the reason that this system and other systems of the ASP were attacked was that all these systems were in the same domain as the Microsoft Exchange infrastructure, which in this case was also used for the attack. It was discussed among the specialists and debated with the decision makers (at the highest political level) whether the system should be closed or open, centralized or decentralized. While the IT specialists proposed a decentralized (open) system, the politicians decided on a centralized (closed) one. Having a big-data system centralized, in the same domain, carried a high risk of the whole system being compromised, as happened during the cyber-attack. The system was attacked in the main domain, which collapsed e-Albania as a whole.
If the system had been decentralized, the situation might have been better, with the system more protected from the attack.
To overcome the situation and investigate it, several actors were involved. We can mention Microsoft DART, which immediately sent a team to Albania to help resolve the issues; a NATO team was also present to give their support and expertise. The investigation is still ongoing by the Prosecutor and the Cyber Unit (part of ASP), and since the beginning the FBI has also been present to investigate and help the Albanian authorities. They have also produced a detailed report about what happened in this case. John Group International was also present with their Cyber Team.
Initial access
Timeframe: Approximately 14 months before encryption and wiper attacks.
Details: Initial access was obtained via exploitation of an Internet-facing Microsoft SharePoint, exploiting CVE-2019-0604.
Persistence and Lateral movement
Timeframe: Approximately several days to two months after initial compromise.
Details: After obtaining access to the victim environment, the actors used several .aspx webshells, pickers.aspx, error4.aspx, and ClientBin.aspx, to maintain persistence. During this timeframe, the actors also used RDP (primarily), SMB, and FTP for lateral movement throughout the victim environment.
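As an added illustration (not part of the original report or of any vendor tooling), the following Python script shows how a defender can hunt for the webshell file names given above across a web root, while also flagging any .aspx page whose content spawns processes or evaluates request input. The sample directory tree it builds is constructed for the demonstration; the content markers are assumed heuristics of my own, not indicators from the report.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Webshell file names reported in the incident (from the report text).
KNOWN_WEBSHELL_NAMES = {"pickers.aspx", "error4.aspx", "clientbin.aspx"}

# Assumed content heuristics for suspicious server-side pages (process
# spawning, direct use of request input, eval). These are not report IoCs.
SUSPICIOUS_MARKERS = ("System.Diagnostics.Process", "cmd.exe", "Request[", "eval(")


def sha256_of(path):
    """Hash the file so hits can be shared with other responders."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_webshells(root):
    """Walk `root`; return sorted (path, reason, sha256) tuples for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            reasons = []
            if name.lower() in KNOWN_WEBSHELL_NAMES:
                reasons.append("known name")
            if name.lower().endswith((".aspx", ".ashx", ".asmx")):
                try:
                    text = path.read_text(errors="ignore")
                except OSError:
                    continue
                found = [m for m in SUSPICIOUS_MARKERS if m in text]
                if found:
                    reasons.append("markers: " + ", ".join(found))
            if reasons:
                hits.append((str(path), "; ".join(reasons), sha256_of(path)))
    return sorted(hits)


def build_sample_tree():
    """Construct a small fake web root for the demo (not real incident data)."""
    root = Path(tempfile.mkdtemp(prefix="wwwroot_"))
    (root / "default.aspx").write_text('<%@ Page Language="C#" %>\n<html>Hello</html>\n')
    (root / "_layouts").mkdir()
    # Benign-looking name, suspicious content: caught by the content heuristic.
    (root / "_layouts" / "health.aspx").write_text(
        '<%@ Page Language="C#" %><% var p = new System.Diagnostics.Process(); %>'
    )
    # Name reported in the incident: caught by the name list regardless of content.
    (root / "_layouts" / "ClientBin.aspx").write_text("<html></html>")
    return root


if __name__ == "__main__":
    for path, reason, digest in hunt_webshells(build_sample_tree()):
        print(f"{digest[:16]}  {reason:45}  {path}")
```

Point the function at the real web root(s) of SharePoint and Exchange front ends; matching only on file name misses renamed shells, which is why the content heuristic runs on every server-side page as well.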
Exchange Server compromise
Timeframe: Approximately 1-6 months after initial compromise.
Details: The actors used a compromised Microsoft Exchange account to run searches (via CmdLets New-MailboxSearch and Get-Recipient) on various mailboxes, including for administrator accounts. In this timeframe, the actors used the compromised account to create a new Exchange account and add it to the Organization Management role group.
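The role-group change described above is the kind of event an Exchange admin audit log review should surface. The Python below is an added example, not part of the original report: it reviews records shaped like the output of Search-AdminAuditLog (the RunDate, Caller, CmdletName and CmdletParameters properties) and flags privileged role-group changes, mailbox-search cmdlets, and a mailbox creation followed by elevation of that mailbox by the same caller. The records are constructed sample data; the callers, mailbox names and timestamps are invented.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample resembling Search-AdminAuditLog output; values are invented.
SAMPLE_AUDIT = [
    {"RunDate": "2021-03-02T01:14:05", "Caller": "corp\\jdoe", "CmdletName": "Get-Recipient",
     "CmdletParameters": {"ResultSize": "Unlimited"}},
    {"RunDate": "2021-03-02T01:16:40", "Caller": "corp\\jdoe", "CmdletName": "New-MailboxSearch",
     "CmdletParameters": {"Name": "s1", "SourceMailboxes": "admin@corp.example"}},
    {"RunDate": "2021-03-02T01:20:11", "Caller": "corp\\jdoe", "CmdletName": "New-Mailbox",
     "CmdletParameters": {"Name": "svc-backup"}},
    {"RunDate": "2021-03-02T01:21:03", "Caller": "corp\\jdoe", "CmdletName": "Add-RoleGroupMember",
     "CmdletParameters": {"Identity": "Organization Management", "Member": "svc-backup"}},
    {"RunDate": "2021-03-02T09:00:00", "Caller": "corp\\exadmin", "CmdletName": "Get-Mailbox",
     "CmdletParameters": {"Identity": "alice"}},
]

# Role groups whose membership changes should always be reviewed.
PRIVILEGED_ROLE_GROUPS = {"organization management", "discovery management"}
# Cmdlets that enumerate recipients or search mailbox content.
SEARCH_CMDLETS = {"New-MailboxSearch", "Get-Recipient", "Search-Mailbox", "New-ComplianceSearch"}


def review_admin_audit(records, elevate_window_seconds=3600):
    """Return (finding_type, caller, when, detail) tuples for suspicious activity."""
    findings = []
    by_caller = defaultdict(list)
    for r in records:
        by_caller[r["Caller"]].append(r)
        params = r["CmdletParameters"]
        if r["CmdletName"] in ("Add-RoleGroupMember", "Update-RoleGroupMember"):
            if str(params.get("Identity", "")).lower() in PRIVILEGED_ROLE_GROUPS:
                findings.append(("privileged_role_change", r["Caller"], r["RunDate"],
                                 f"{params.get('Member')} -> {params.get('Identity')}"))
    for caller, rs in by_caller.items():
        searches = [r for r in rs if r["CmdletName"] in SEARCH_CMDLETS]
        if searches:
            findings.append(("mailbox_search_activity", caller, searches[0]["RunDate"],
                             f"{len(searches)} search/enumeration cmdlets"))
        created = [r for r in rs if r["CmdletName"] == "New-Mailbox"]
        elevated = [r for r in rs if r["CmdletName"] == "Add-RoleGroupMember"]
        for c in created:
            for e in elevated:
                delta = (datetime.fromisoformat(e["RunDate"])
                         - datetime.fromisoformat(c["RunDate"])).total_seconds()
                same_object = e["CmdletParameters"].get("Member") == c["CmdletParameters"].get("Name")
                if 0 <= delta <= elevate_window_seconds and same_object:
                    findings.append(("create_then_elevate", caller, e["RunDate"],
                                     c["CmdletParameters"]["Name"]))
    return findings


if __name__ == "__main__":
    for kind, caller, when, detail in review_admin_audit(SAMPLE_AUDIT):
        print(f"{when}  {kind:24}  {caller:14}  {detail}")
```

In a real review, export the audit log with Search-AdminAuditLog for the suspected window and feed the records in; the create-then-elevate pairing is the pattern that distinguishes an attacker minting a backdoor administrator from routine membership maintenance.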
Likely Email exfiltration
Timeframe: Approximately 8 months after initial compromise.
Details: The actors made thousands of HTTP POST requests to Exchange servers of the victim organization. The FBI observed the client transferring roughly 70-160 MB of data, and the server transferring roughly 3-20 GB of data.
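To make the data-volume observation above actionable, here is an added Python example (not from the report) that summarizes IIS W3C logs from an Exchange server per client address and user, and flags clients that received more than a threshold of bytes or issued many POST requests. The log excerpt is constructed; the threshold in the demonstration is lowered to 20 MiB so that the small sample trips it, whereas the report's operational figure is several gigabytes.

```python
from collections import defaultdict

# Constructed IIS W3C log excerpt (not real traffic). sc-bytes is what the
# server sent to the client, cs-bytes what the client sent to the server.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes
2021-09-14 02:11:03 10.0.0.5 POST /ews/exchange.asmx - 443 corp\\jdoe 203.0.113.7 Mozilla/5.0 200 5242880 2048
2021-09-14 02:11:04 10.0.0.5 POST /ews/exchange.asmx - 443 corp\\jdoe 203.0.113.7 Mozilla/5.0 200 4718592 1900
2021-09-14 02:11:06 10.0.0.5 POST /ews/exchange.asmx - 443 corp\\jdoe 203.0.113.7 Mozilla/5.0 200 5000000 2100
2021-09-14 02:11:07 10.0.0.5 POST /ews/exchange.asmx - 443 corp\\jdoe 203.0.113.7 Mozilla/5.0 200 6000000 2000
2021-09-14 02:11:09 10.0.0.5 POST /ews/exchange.asmx - 443 corp\\jdoe 203.0.113.7 Mozilla/5.0 200 5500000 2200
2021-09-14 02:12:00 10.0.0.5 GET /owa/ - 443 corp\\alice 198.51.100.4 Mozilla/5.0 200 35000 600
2021-09-14 02:12:30 10.0.0.5 POST /ews/exchange.asmx - 443 corp\\alice 198.51.100.4 Mozilla/5.0 200 12000 900
2021-09-14 02:13:00 10.0.0.5 GET /healthcheck.htm - 443 - 10.0.0.9 LB-probe 200 200 100
"""

EXCHANGE_PREFIXES = ("/ews/", "/owa/", "/ecp/", "/mapi/", "/autodiscover/")


def parse_w3c(text):
    """Yield one dict per record, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than abort the whole review
        yield dict(zip(fields, values))


def summarize_exchange_clients(text):
    """Aggregate request count, POST count and byte volumes per (c-ip, user)."""
    stats = defaultdict(lambda: {"requests": 0, "posts": 0, "sc_bytes": 0, "cs_bytes": 0})
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith(EXCHANGE_PREFIXES):
            continue
        s = stats[(rec["c-ip"], rec["cs-username"])]
        s["requests"] += 1
        if rec["cs-method"].upper() == "POST":
            s["posts"] += 1
        s["sc_bytes"] += int(rec["sc-bytes"]) if rec["sc-bytes"].isdigit() else 0
        s["cs_bytes"] += int(rec["cs-bytes"]) if rec["cs-bytes"].isdigit() else 0
    return dict(stats)


def flag_heavy_clients(text, min_server_bytes, min_posts=1000):
    """Return (ip, user, server_bytes, posts) for clients over either threshold."""
    flagged = []
    for (ip, user), s in summarize_exchange_clients(text).items():
        if s["sc_bytes"] >= min_server_bytes or s["posts"] >= min_posts:
            flagged.append((ip, user, s["sc_bytes"], s["posts"]))
    return sorted(flagged)


if __name__ == "__main__":
    # Demo threshold: 20 MiB. Against production logs use the multi-GB figure
    # from the report, and a POST count in the thousands.
    for ip, user, sent, posts in flag_heavy_clients(SAMPLE_IIS_LOG, 20 * 1024 * 1024):
        print(f"{ip:15} {user:14} {sent / 2**20:8.1f} MiB served  {posts} POSTs")
```

Run it over the concatenated daily logs of every Exchange front end; aggregating by both client address and authenticated user keeps a NAT gateway shared by many users from hiding a single account pulling gigabytes through EWS.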
VPN activity
Timeframe: Approximately 12-14 months after initial compromise.
Details: Approximately twelve months after initial access and two months before launching the destructive cyber-attack, the actors made connections to IP addresses belonging to the victim organization’s Virtual Private Network (VPN) appliance. The actors’ activity primarily involved two compromised accounts. The actors executed the “Advanced Port Scanner” (advanced_port_scanner.exe). The FBI also found evidence of Mimikatz usage and LSASS dumping.
File Cryptor (ransomware-style file encryptor)
Timeframe: Approximately 14 months after initial compromise.
Details: For the encryption component of the cyber-attack, the actor logged in to a victim organization print server via RDP and kicked off a process (Mellona.exe) which would propagate the GoXml.exe encryptor to a list of internal machines, along with a persistence script called win.bat. As deployed, GoXML.exe encrypted all files (except those having extensions .exe, .dll, .sys, .lnk, or .lck) on the target system, leaving behind a ransom note titled How_To_Unlock_MyFiles.txt in each folder impacted.
Wiper attack
Timeframe: Approximately 14 months after initial compromise.
Details: In the same timeframe as the encryption attack, the actors began actions that resulted in raw disk drives being wiped with the Disk Wiper tool (cl.exe) described in Appendix A. Over approximately the next eight hours, numerous RDP connections were logged from an identified victim server to other hosts on the victim’s network (CISA, 2022).
Command line execution of cl.exe was observed in cached bitmap files from these RDP sessions on the victim server.
It is recommended organizations apply the following best practices to reduce risk of compromise:
· Ensure anti-virus and anti-malware software is enabled and signature definitions are updated regularly and in a timely manner. Well-maintained anti-virus software may prevent use of commonly deployed cyber attacker tools that are delivered via spear-phishing.
· Adopt threat reputation services at the network device, operating system, application, and email service levels. Reputation services can be used to detect or prevent low-reputation email addresses, files, URLs, and IP addresses used in spear-phishing attacks.
· If your organization is employing certain types of software and appliances vulnerable to known Common Vulnerabilities and Exposures (CVEs), ensure those vulnerabilities are patched. Prioritize patching known exploited vulnerabilities.
· Monitor for unusually large amounts of data (i.e., several GB) being transferred from a Microsoft Exchange server.
· Check the host-based indications, including webshells, for positive hits within your environment.
· Maintain and test an incident response plan.
· Ensure your organization has a vulnerability management program in place and that it prioritizes patch management and vulnerability scanning of known exploited vulnerabilities. Note: CISA’s Cyber Hygiene Services (CyHy) are free to all state, local, tribal, and territorial (SLTT) organizations, as well as public and private sector critical infrastructure organizations.
· Properly configure and secure internet-facing network devices.
o Do not expose management interfaces to the internet.
o Disable unused or unnecessary network ports and protocols.
o Disable/remove unused network services and devices.
· Adopt zero-trust principles and architecture, including:
o Micro-segmenting networks and functions to limit or block lateral movements.
o Enforcing phishing-resistant multifactor authentication (MFA) for all users and VPN connections.
o Restricting access to trusted devices and users on the networks.