CASE STUDY

Reacting Quickly to a Compromised Server Immediately Stopped Attackers

OVERVIEW

Industry: Tourism

Incident: Ransomware

After a weak test account left its servers open to infiltration, a leading tourist attraction developer hired Pragma to contain the breach and protect their data.

THE INCIDENT

SUMMARY

  • The Threat Actors (TA) conducted a brute force attack against the Fortigate Firewall.
  • Malware from the Phobos family of ransomware encrypted some files for ransom.
  • The criminals gained access and uninstalled Norton anti-malware.
  • At the point of first contact with Pragma, no data exfiltration had occurred.

A leading tourist attraction developer contacted Pragma after the IT Manager discovered unusual activity on one of their servers. This company, which we’ll refer to as LT, showcases high-quality tourist projects throughout Asia, creating unique cultural experiences at special sites. A data breach would have harmed their credibility and exposed them to many costs to repair the damage.

First Contact
The IT Manager first noted suspicious activity on the morning of February 24, 2020. The initial indicator was suspicious activity against their Fortigate firewall. Through analysing this activity, the IT Manager saw a breach had occurred. They found encrypted files on LT’s servers.

The IT Manager saw a clear pattern of suspicious behaviour. The attackers attempted port enumeration to enable lateral movement in the network.

Password dumping by the criminals opened possibilities for privilege escalation. The threat actors then attempted to open and exploit weak ports to target Symantec Endpoint Protection, which allowed them to execute the malware.

Seeing this level of malicious activity caused the IT Manager to seek help. Pragma was engaged to contain the breach, analyse the threat, and restore LT’s security perimeter.

THE RESPONSE

SUMMARY

  • Investigations revealed the dates of the infiltration and the specific ports targeted.
  • The Cyber Incident Response Team (CIRT) compared the firewall configuration from before and after the attack to discover port forwarding and RDP vulnerabilities.
  • All attacks occurred through a test user account with a weak password.
  • Pragma determined no data, especially Personally Identifiable Information, was extracted during the attack period.

Very quickly, Pragma’s CIRT discovered the attackers had used a brute force strategy. They targeted a public HR server over the Remote Desktop Protocol. Through this vulnerable spot, the threat actors tried to move laterally through the network.

In addition to the initial attack, a second attack was suspected because another set of folders on a different server had been encrypted through a Server Message Block (SMB) file share. By analysing the timestamps and conducting a forensic investigation, the CIRT ruled out a second attack.
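The before-and-after firewall comparison described in the response summary can be automated. The script below is an added example, not Pragma’s tooling: it parses two constructed snapshots written in approximate FortiGate CLI syntax (config firewall vip / edit / set), and reports any port forward that is new or changed since the baseline and exposes a risky service such as RDP. The port watch list and the sample addresses are assumptions.

```python
# Added example (not Pragma's tooling): diff two FortiGate-style VIP configs
# and flag port forwards added or changed since the baseline that expose
# risky services. Snapshots are constructed and only approximate FortiGate syntax.
RISKY_PORTS = {3389: "RDP", 445: "SMB", 22: "SSH"}  # defender's watch list (assumption)

def parse_vips(config_text):
    """Return {vip_name: {setting: value}} from each `config firewall vip` block."""
    vips, current, in_vip = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall vip":
            in_vip = True
        elif line == "end":
            in_vip, current = False, None
        elif in_vip and line.startswith("edit "):
            current = line[5:].strip('"')
            vips[current] = {}
        elif in_vip and current and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            vips[current][key] = value.strip('"')
        elif in_vip and line == "next":
            current = None
    return vips

def new_exposures(before, after):
    """List (vip, ext_port, service, mapped_ip) for risky forwards new or changed vs. baseline."""
    old, new = parse_vips(before), parse_vips(after)
    findings = []
    for name, s in new.items():
        if old.get(name) == s or s.get("portforward") != "enable":
            continue  # unchanged since baseline, or not a port forward at all
        port = int(s.get("extport", "0"))
        if port in RISKY_PORTS:
            findings.append((name, port, RISKY_PORTS[port], s.get("mappedip", "?")))
    return findings

def vip_entry(name, mapped_ip, port):
    """Render one constructed VIP entry in FortiGate-like syntax (sample data only)."""
    return (f'    edit "{name}"\n        set extip 203.0.113.10\n        set mappedip "{mapped_ip}"\n'
            f'        set portforward enable\n        set extport {port}\n        set mappedport {port}\n    next\n')

# Constructed baseline has one HTTPS forward; the post-incident snapshot adds an RDP forward.
BEFORE = "config firewall vip\n" + vip_entry("web-portal", "10.0.0.20", 443) + "end\n"
AFTER = ("config firewall vip\n" + vip_entry("web-portal", "10.0.0.20", 443)
         + vip_entry("hr-rdp", "10.0.0.55", 3389) + "end\n")

if __name__ == "__main__":
    for vip, port, svc, host in new_exposures(BEFORE, AFTER):
        print(f"NEW EXPOSURE: {vip} forwards {svc}/{port} to {host}")
```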

Containing a single breach and restoring operations were the next steps for Pragma and the client to take together.

OUR RECOMMENDATIONS

Backup Scanning and Restoration

All affected servers were rebuilt from scratch to receive pre-scanned data from backups.

Anti-Malware Software

Sophos Intercept X Advanced with EDR was installed on every server and configured to run a deep malware scan at midnight of each day.

Updated Firewall Rules

Firewall rules were reviewed with the client to ensure all rules are known.

User Access Management

The principle of least privilege/access was implemented and has been adhered to by the client.

Vulnerable Port Scanning

Open ports were closed, and an external port scan protocol has been implemented to avoid a recurrence.

Password Strengthening

User password protocols and multi-factor authentication have been proposed to prevent unauthorised access.

THE RESULT

With annual revenue in excess of 30 million SGD, a rapid resolution for LT was critical. LT could not function during the ransomware attack. The IT Manager’s quick identification of malicious activity enabled Pragma’s Cyber Incident Response Team to act rapidly.

The CIRT contained the breach within a few days and full control was given back to LT after approximately 1 week. This included the time taken to reconstruct a critical database for which there were no backups. After a short recovery window, the client was fully operational and more secure than before.
