Sophos has released findings from an incident involving Midas ransomware that took place over two months and involved extensive lateral movement through the target’s network to compromise machines and accounts, run PowerShell scripts, and seize more than 2,000 files before launching the ransomware in early December. The findings are detailed in a new article, “Windows Services Lay the Groundwork for a Midas Ransomware Attack.”
The target is a technology company with fewer than 100 staff. At the time of the incident, most employees were working remotely due to the ongoing pandemic. The company has a wide range of remote services and access tools installed. A number of the remote access tools were “ghost” tools: no longer in use but still installed and the attackers were able to leverage some of them, including AnyDesk and TeamViewer, in the attack.
Chester Wisniewski, principal research scientist at Sophos said: “The traditional security perimeter no longer exists. Today’s IT environment has a dynamic boundary, marked by a cloud-based, virtual IT infrastructure and internet-facing assets. This requires a revolutionary new approach to cybersecurity, one that doesn’t take anything on trust, ever. The investigation into the Midas ransomware incident shows what can happen when an attacker successfully breaches a victim’s perimeter and there are no internal restrictions.
“The attackers were able to spend nearly two months undetected in the victim’s IT environment, taking advantage of limited access controls and network and application segregation, as well as no-longer-used, “ghost” remote access tools, to move laterally, target and compromise other machines, create new accounts, install backdoors, and exfiltrate data, before releasing the ransomware during a holiday weekend when no-one was watching. Alongside the urgent need to remove unused tools and services, a robust defense against such attacks requires an approach to security known as Zero Trust Network Access (ZTNA.) ZTNA demands verification of every endpoint, server and user before granting access to an application or any part of the networks. As adversaries grow ever more skilled in exploiting remote tools and credentials and turning a target’s security policies against them, a defense-in-depth approach to security based on the concept of: of ‘trust nothing, verify everything’ will become the benchmark for protection.”
(To learn more about other “ghost” tools used in attacks, read Nefilim Ransomware Attack Uses Ghost Credentials on Sophos News).