There should be a worn-out quote from Nietzsche about strength, but we didn't write it.
One day this can happen to every system administrator - he comes to work in the morning, checks the infrastructure and finds that on the file server, instead of user data, there is an archive and a text file demanding a ransom. What to do, how to live on and how to prevent recurrence, we understand this article.
A case that happened to the infrastructure of a company that is built on a Windows PC is considered. So, our hero discovered in the morning that on the file server, instead of user files, the archive data.zip and readme.txt. The archive was password-protected, and in the textbook there was a standard requirement to transfer a weighty amount to a bitcoin wallet, send a confirmation of the transfer to the specified mail and receive a password in response. As our ancestors bequeathed to us, they did not enter into negotiations with terrorists, but time passed, and the data had to be restored.
When the situation happened, the task pool got up:
- Recover data
- Set hacking route
- Prevent recurrence
With data recovery, everything is simple - a night copy is our everything. Just in case, we went through the utility for recovering deleted files, but in vain, Eraser obviously worked on the disk. So we set to roll out a backup copy and move on to the point about establishing the hacking route.
We start by examining the "evidence". The dates of creation for the files are approximately the same and as the creator - the local administrator, nothing else interesting. Let's move on to the operating system. In addition to the administrator, the users have an incomprehensible Kelly user with administrative rights. Already more interesting! We look further. Changed network settings - Google addresses are specified as DNS. This is all well and good, but the file server does not have a direct connection to the Internet, so it is not clear how the attacker got to it. Yes, you can get to the server via RDP, but this RDP does not look outward. We are looking further.
The company has a terminal server for employees working remotely. We examine it. There are a lot of brute-force logins in the security logs, but nothing more suspicious. There are no unnecessary users in the system, the settings have not been changed, everything is clean.
Since we are talking about remote employees, we raise the lists of such employees and see how their workplaces are set up. Some of them work on the already examined terminal server, and some on their PCs. And here the entry point was found. On the PC of one of the designers there was a local user Kelly with administrative rights and in his download folder was the WinRar distribution kit with which the data was archived and there was an Eraser for erasing. Okay, we found the point, but how did you get on the car and how did you get on the file server?
A detailed inspection of the designer's machine revealed that network-level authentication was not enabled in the remote access settings and, in addition, the operating system had not been updated for a long time. So, presumably, the attack vector was as follows: scan the port behind which the RDP access is hanging and investigate it for vulnerabilities at the user verification level. Then, using a vulnerability in the system, execute the code that starts the user Kelly and log into the PC. After that, an archiver is thrown onto the PC, Eraser - and it's up to researching the infrastructure and performing malicious actions. It is worth noting here that in this particular case, the company got off cheaply - the employees got in only for the time of restoring files from a backup copy and that's it. Well, the administrator, of course, fell under the distribution for negligence.But attackers could go further - databases or documents with data could not be encrypted, but out of reach. And finally, the backups themselves - it's good that they didn't get to them.
Now the most important thing is how not to become the hero of such an article. Everything is really simple here: the main thing is vigilance. Check yourself against the checklist:
- All operating systems have all the latest updates
- Control all points of entry into the infrastructure
- Don't use simple passwords
- For password authentication, deploy a policy to use only secure passwords
- Expand sign-on by certificates if possible
- Rename administrative accounts where possible
- Use the principle of least privilege
- Internal firewall
- Corporate antivirus
- Offline data copy
- Monitor increased attention to your perimeter and react
What is meant by these recommendations.
Updates to operating systems not only add functionality, but also close vulnerabilities that could be exploited by attackers. It is important to understand that you should not only update the operating system, but all the software that is used in the workplace.
By controlling the exit points to the outside, we mean that you always need to know who, for what reason and how gets into the company's network from the inside. There should be no situations when RDP is sticking out of the accountant's machine on a standard port.
Hundreds and thousands of articles, posts and notes have been written about the need to use secure passwords. But people are divided into those whose passwords were picked up and those who changed them to more secure ones. Let's say it again - the length is from eight characters, the mandatory use of upper and lower case letters, numbers and special characters. Ideally, use a generator, of which there are a lot, both in the network and built into the nearest password manager.
And when we are talking about secure passwords, the policy should not be advisory, but mandatory. Active Directory Group Policies allow scripts to force users to change their password at specified intervals. In addition, a policy is set for the minimum password length and the number of passwords used so that the user does not use two policy-safe passwords, simply changing them as they become obsolete.
Strong passwords are good, of course, but even better - certificate access. Yes, it is more difficult to deploy, inconvenient in places, but it is safe. Think about it, perhaps the cost of implementing a PKI infrastructure will be less than the cost of recovering data lost in a hacker attack.
Renaming administrative records helps against dictionary attacks on accounts like Administrator, Admin, Administrator, and Admin, which are present on systems by default and are rarely blocked. Renaming administrative accounts to a random set of letters and numbers will prevent such an attack. Of course, this step will entail the introduction of, if not a global password manager, then at least a password registry.
The principle of least privilege teaches us not to grant unnecessary rights to perform assigned tasks. A service that, for example, cleans user profiles from temporary files, in fact does not need administrative rights to the file server; it only needs rights to delete files in the profile store. Moreover, it is for removal. You don't need permission to change files either. This will save you from the problem that arises in the event of compromise of credentials, both service accounts, and generally reduce the front of the attack on your infrastructure.
The principle of least privilege also fits into the presence of an activated firewall on user machines and servers. We leave only what is necessary, and turn off or prohibit the rest. If possible, we do not respond to incoming connections. Nothing more is your motto.
Use an antivirus. Yes, users and system administrators always complain that the antivirus interferes with their work, slows down the performance, and this is an extra waste of the company's money and the computing power of computers. But the lack of antivirus will sooner or later play its role and one day the user will launch the file from the letter and decrypting the files will cost much more than a corporate license for the antivirus complex.
It was mentioned above that it's good that we didn't get to the backups themselves. You should always have a copy that is taken out of the infrastructure and access to such copies should be as limited as possible. It is costly to keep such copies up to date, but users will be more happy with files even quarterly old than with complete data loss.
And finally, read the access logs - they contain a lot of interesting things. Implementing a full-fledged intrusion prevention system is expensive, but you can do a lot with your own hands. Analyze the addresses from which the port scan or credential brute-force is coming. Check users' machines and servers regularly for malware.
Of course, even full adherence to these recommendations will not give you a 100% guarantee against hacks, but at least they will reduce the percentage of risk. And do not forget about training employees, because even the most secure system turns out to be defenseless with a complete lack of understanding about the consequences of certain actions. If an employee entered their accounts on a phishing form, then no matter how secure the system is, then the employee has already been compromised. If the access is from an infected machine, then you yourself launch malware into your network. Always be careful, neglect of safety can cause significant damage not only to the employee, but also to the company as a whole.
Now a little about why this was not done in this case. Here, too, everything is simple, like a TM pencil - the designer's workplace was deployed using a pirated assembly. Please don't make such fatal mistakes. Firstly, it is illegal, and secondly, you lose more resources when you clean up the consequences of such negligence towards your IT infrastructure. Take care of yourself and your data. And if you have something to add on the checklist or on the situation in general, then you are welcome in the comments.
Advertising
Our company offers secure servers with free DDoS protection. The ability to use a licensed Windows Server at plans with 2 GB of RAM or higher, create server backups automatically or in one click.
We use extremely fast server drives from Intel and do not save on hardware - only branded equipment and some of the best data centers in Russia and the EU. Hurry up to check.