A ransomware attack using the Nefilim variant recently hit an organization hard, affecting more than 100 systems.
The source of the attack: a compromised administrator account with high-level access, which was taken over through a vulnerable Citrix application more than four weeks before the attackers released the ransomware.
The account should have been closed because the admin had died weeks earlier.
Instead, according to a report on the incident released Tuesday by security vendor Sophos, after capturing that account the attackers were able to quietly move through the network and steal credentials for a domain admin account using the Mimikatz tool. They then found and exfiltrated hundreds of gigabytes of data before unleashing the ransomware.
Management kept the account active because it was used for a number of services.
It’s not the first example of security leaders leaving a vulnerability open by failing to keep track of user accounts, Sophos said in the blog. In a separate incident, it found that intruders had created a new user account and added it to the target’s domain admin group in Active Directory. With this new domain admin account, the attackers were able to delete approximately 150 virtual servers and encrypt the server backups using Microsoft BitLocker.
“Staying on top of account credentials is basic, but critical cybersecurity hygiene,” Peter Mackenzie, manager of Sophos’ Rapid Response service, said in the blog. “We see far too many incidents where accounts have been set up, often with considerable access rights, that are then forgotten about, sometimes for years. Such ‘ghost’ accounts are a prime target for attackers.”
But if you really need them …
If an organization really needs an account after someone has left the company, he added, it should be converted to a service account with interactive logins denied, so that nobody can sit at a keyboard or open a remote desktop session with it.
“The danger is not just keeping outdated and unmonitored accounts active; it is also giving employees greater access rights than they need,” Mackenzie wrote. “Fewer accounts need to be a domain admin than most people think. No account with privileges should be used by default for work that doesn’t require that level of access. Users should elevate to using the required accounts when needed and only for that task. Further, alerts should be set so that if the domain admin account is used or if a new admin account is created, someone knows.”
The U.S. National Institute of Standards and Technology’s (NIST) security and privacy controls (SP 800-53, control AC-2, Account Management) say that organizations have to notify account managers not only when individuals’ access rights may need to be changed, but also when accounts are no longer required, such as when users are terminated or transferred.
Sophos offers this advice for managing user accounts:
- Only grant the access permissions needed for a specific task or role;
- Disable accounts no longer needed;
- If you need to keep an account active after the original owner has left the organization, implement a service account and deny interactive logins;
- Carry out regular audits of Active Directory: Active Directory audit policies can be set to monitor admin account activity and to flag when an unexpected account is added to the Domain Admins group.
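The list above boils down to a handful of signals worth alerting on and one periodic sweep. The following is an added example, not code from Sophos or from the incident report: it runs those checks over constructed Windows Security log events (event ID 4720 account created, 4728 member added to a security-enabled global group, 4624 successful logon with its logon type, 4672 special privileges assigned to a new logon) and over a constructed account listing of the kind `Get-ADUser` would return. The group names, the service-account, leaver and domain-admin lists, and every sample record are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Groups whose membership changes should always page someone.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Windows logon types that mean a person sat at a keyboard or an RDP session:
# 2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Assumption: accounts kept alive for services after their owner left; per the
# advice above they must never be used for an interactive logon.
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql"}

# Assumption: a leavers list from HR, username -> date the person left.
LEAVERS = {"jsmith": datetime(2020, 9, 1)}

# Assumption: the accounts that are legitimately members of Domain Admins.
DOMAIN_ADMINS = {"admin1"}


def account_from_dn(dn):
    """'CN=backup2,CN=Users,DC=corp,DC=example' -> 'backup2' (4728 logs the member as a DN)."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def alerts_for(events):
    """Return one alert string per suspicious event, in log order."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        target = ev.get("TargetUserName", "")
        actor = ev.get("SubjectUserName", "")
        when = ev["Time"]
        if eid == 4720:  # any new account: a human should know it was created
            alerts.append(f"{when} new account {target!r} created by {actor!r}")
        elif eid in (4728, 4756) and target in PRIVILEGED_GROUPS:  # global / universal group add
            member = account_from_dn(ev["MemberName"])
            alerts.append(f"{when} {member!r} added to {target!r} by {actor!r}")
        elif eid == 4624:
            logon_type = int(ev.get("LogonType", 0))
            if target in SERVICE_ACCOUNTS and logon_type in INTERACTIVE_LOGON_TYPES:
                alerts.append(f"{when} service account {target!r} logged on interactively "
                              f"(type {logon_type}) from {ev.get('WorkstationName', '?')!r}")
            elif target in LEAVERS and datetime.fromisoformat(when) > LEAVERS[target]:
                alerts.append(f"{when} account of departed user {target!r} still logging on")
        elif eid == 4672 and target in DOMAIN_ADMINS:  # a domain admin account was used
            alerts.append(f"{when} privileged logon by {target!r}")
    return alerts


def stale_accounts(accounts, now, max_idle_days=90):
    """Enabled accounts that have not logged on within max_idle_days (or never)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(
        a["SamAccountName"]
        for a in accounts
        if a["Enabled"] and (a["LastLogonDate"] is None or a["LastLogonDate"] < cutoff)
    )


# Constructed sample events, modelled on Windows Security log fields (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "backup2", "SubjectUserName": "admin1", "Time": "2020-12-01T02:10:00"},
    {"EventID": 4728, "TargetUserName": "Domain Admins", "SubjectUserName": "admin1",
     "MemberName": "CN=backup2,CN=Users,DC=corp,DC=example", "Time": "2020-12-01T02:11:00"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 5, "Time": "2020-12-01T02:12:00"},  # service logon: fine
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 2, "WorkstationName": "WS-17",
     "Time": "2020-12-01T02:15:00"},  # someone is using the service account at a console
    {"EventID": 4624, "TargetUserName": "jsmith", "LogonType": 10, "Time": "2020-12-01T02:20:00"},  # ghost account
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 2, "Time": "2020-12-01T08:00:00"},  # normal user
    {"EventID": 4672, "TargetUserName": "admin1", "Time": "2020-12-01T02:09:00"},
    {"EventID": 4672, "TargetUserName": "bob", "Time": "2020-12-01T09:00:00"},  # local privilege, not a DA
]

# Constructed account listing for the periodic sweep.
SAMPLE_ACCOUNTS = [
    {"SamAccountName": "admin-old", "Enabled": True, "LastLogonDate": datetime(2020, 8, 15)},
    {"SamAccountName": "svc_backup", "Enabled": True, "LastLogonDate": datetime(2020, 11, 30)},
    {"SamAccountName": "tmp_contractor", "Enabled": True, "LastLogonDate": None},
    {"SamAccountName": "olduser", "Enabled": False, "LastLogonDate": datetime(2019, 1, 1)},
]

if __name__ == "__main__":
    for line in alerts_for(SAMPLE_EVENTS):
        print("ALERT:", line)
    print("disable:", stale_accounts(SAMPLE_ACCOUNTS, datetime(2020, 12, 1)))
```

The event IDs only appear if the relevant audit subcategories (Account Management, Logon, Special Logon) are enabled in the domain's audit policy, which is the "Active Directory audit policies" point in the list. The 4672 rule is restricted to known domain admins on purpose: that event also fires for ordinary local-administrator logons and would otherwise be too noisy to act on.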