This post was written with contributions from Joseph Lozowski.
Comprehensive incident preparedness requires building out and testing response plans that consider the possibility that threats will bypass all security protections. An example of a threat vector that can bypass security protections is “shadow IT” and it is one that organizations must prepare for. Shadow IT is the use of any hardware or software operating within an enterprise without the knowledge or permission of IT or Security.
IBM Security X-Force responds to security incidents across the globe, and from those incidents, X-Force gains valuable insights into how adversaries can gain access to organizations to carry out their attacks. In this blog, we will highlight three incidents where Shadow IT was leveraged during the attack to help organizations realize how Shadow IT can quickly transform from a threat to an incident.
WannaCry About Some Rogue Systems
X-Force responded to an incident where a client had received a network-based alert for an endpoint within their network attempting to connect to a malicious domain. X-Force was able to trace the alert back to a small unknown deployment of unpatched Windows 7 systems within one of their facilities. These systems were operating completely outside the purview of the security team and were not protected by any of the organization’s security tooling.
Through X-Force’s investigation, it was determined that one of the rogue Windows systems downloaded a WannaCry dropper (mssecsvc.exe) and upon execution attempted to make a connection to iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. After the initial connection attempt, a new service was created named “Microsoft Security Center 2.0.” Following the creation of the Microsoft Security Center 2.0 service, the service loaded two embedded resources responsible for facilitating the spread of the WannaCry ransomware through SMB by making use of the MS17-010 exploit named “EternalBlue.” X-Force noted that this behavior is in complete alignment with the standard WannaCry infection and spread that has been well-documented.
X-Force analyzed the remainder of the Windows 7 systems in the rogue deployment and determined the WannaCry infection was able to spread via SMB as expected. The systems were vulnerable to the exploit because they also had open SMB connections, which enabled them to pass files between each other to facilitate the printing function for which they were used. X-Force Incident Response (IR) observed the creation of the WannaCry executables had been created over several years, indicating the systems had been running outside the scope of IT management for a significant amount of time.
In this case, the risk to the organization remained rather low since the infection and follow-on spread were opportunistic, and X-Force uncovered no activity that indicated an adversary gained interactive access to the systems. However, the length of time that the rogue systems were able to remain undetected by the organization shows that had an adversary been able to gain access to the rogue systems, the potential for further exploitation and lateral movement into other parts of the facility’s network was possible.
Why Break in When You Can Walk Through an Open Door
During a different engagement, X-Force was notified by a client that their security team had detected a brute force attack against their internal Microsoft Active Directory. The client had not detected any successful authentications associated with the attack but was beginning to receive complaints of account lockout. They were unable to determine the source of the attack.
In normal circumstances, the client’s security team would leverage the data available within the default authentication events stored within the Windows Event Log — in this case, Event ID 4625 — to track the source of the authentication attempt by either the Source Network Address or Workstation Name attribute. However, in this case, the security team was unable to locate any event logs associated with the ID 4625.
X-Force investigated the logs from the domain controller and identified a common logging pattern indicating an external endpoint was attempting to authenticate using the NT LAN Manager (NTLM) protocol over Kerberos. In this scenario, the domain controller will log consecutive events associated with event ID 4776 followed by an event ID 4740 indicating that the user has been locked out.
Event ID 4776 is logged when a domain controller tries to validate the account credentials using NTLM over Kerberos. 4776s are also logged for local SAM authentication for Windows workstations and servers as NTLM is the default authentication mechanism.
According to the client’s IT and security team, the source workstation referenced in 4776 events was not a member of their domain and they had no endpoints registered with that name in any of their network or asset management tools.
To track down the source of the authentication attempts, X-Force instructed the client to enable Netlogon debugging logs on their domain controllers. Netlogon debugging logs are stored in C:\Windows\debug\netlogon.log and will capture the name of the target machine involved in the authentication attempt. X-Force requested the client provide the logs from the target machine recovered from the Netlogon debug logs, however, the client’s security and IT teams did not have any records of the target system being a valid endpoint within their domain.
Further analysis of the available endpoint and network telemetry allowed X-Force to pinpoint that the target system reference in the debug logs resided within the client’s AWS account. Following containment and remediation of the threat, X-Force worked with the client’s IT team to determine that root cause of the attack was an Internet-accessible Windows server. The server was deployed within the client’s AWS account with the appropriate networking capabilities to communicate to the client’s internal Active Directory domain.
The Windows server in AWS was meant to be deployed temporarily and was not deployed with any of the organization’s security tooling or best practices, such as MFA or password complexity. The server was never decommissioned, and an opportunistic adversary gained access to the server using RDP, which ultimately provided access to the client’s internal network.
Fortunately, the client was able to detect the password guessing attempts and contact X-Force to contain and remediate the incident before the adversary was able to move laterally. However, the rogue EC2 instance enabled a remote adversary to bypass all the security team’s perimeter security controls and exist on the network in a virtual blind spot — undetected by the internal security tooling.
A Bridge Too Close to APT
X-Force has responded to hundreds of ransomware cases over the years. While ransomware incidents typically follow a well understood lifecycle as detailed in the Five Stages of a Ransomware Attack, during one ransomware incident X-Force uncovered an entrenched advanced adversary that was leveraging a Shadow IT bridged network to maintain access to two organizations for over a year.
During the investigation, X-Force identified the ransomware attack was contained within a single domain of the multi-domain forest. However, X-Force was able to uncover evidence indicating the adversary had pivoted throughout the entire forest to execute the attack.
X-Force traced the evidence across the forest root domain to another child domain where the adversary had maintained persistence access for 381 days. While monitoring the environment, X-Force detected the adversary return to the environment from an IP range unknown to the client’s IT department. Working with the client’s IT team, X-Force and the client traced the activity back to the security office, where a rogue networking device was discovered that was installed to share badge printing capabilities between the client and another organization.
While interviewing the client and the other organization, the bridged network was unknown to all IT departments and had allowed the adversary to pivot back and forth and operate outside of the visibility of both security teams. This is a worst-case scenario for Shadow IT. Had X-Force not been persistent during the investigation and followed the evidence to determine the root cause of the attack, the adversary would have maintained access to the environment and could have executed another ransomware attack against the client.
Shadow IT Preparedness
Shadow IT can introduce unnecessary risk to an organization because blind spots are the enemy of security. X-Force recommends organizations implement a prevention, detection, and response strategy with regard to Shadow IT to achieve a holistic approach to risk management.
If you are interested in learning more about how to prevent, detect, and respond to Shadow IT within your organization, X-Force provides world-class proactive and reactive services to ensure your organization achieves complete preparedness for the threat of Shadow IT.
If you have questions and want a deeper discussion about Shadow IT prevention, detection, and response techniques or to learn how IBM X-Force can help you with incident response, threat intelligence, or offensive security services schedule a no-cost follow-up meeting here: IBM X-Force Scheduler.
If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.
Lastly, download the 2022 Definitive Guide to Ransomware to fortify your knowledge and defenses against ransomware threats here.
Head of Research, IBM Security X-Force
John (@TactiKoolSec) is the Head of Research for the IBM Security X-Force where he leads research efforts to understand and model adversary operations, devel...