A student’s eagerness for free software and the willingness of the European biomolecular research institute he worked at to allow personal computers for network access recently proved to be a terrible combination.
While the unnamed facility had backups, they were not fully up to date, so the attack cost researchers a week’s worth of vital research data. In addition, all computer and server files had to be rebuilt from the ground up before the institute’s data could be restored.
“Perhaps the hardest lesson of all, however, was discovering that the attack and its impact could have been avoided with a less trusting and more robust approach to network access,” said Sophos, which investigated the incident.
It all began with a student seeking a personal copy of a data visualization software tool being used at work. A single-user license was likely to cost hundreds of dollars a year, so they posted a question on an online research forum asking if anyone knew of a free alternative.
When the student couldn’t find a suitable free version, they searched for a “Crack” version instead. What they got was malware. It did trigger a security alert from Windows Defender on the student’s computer, which blocked the download. Instead of taking the hint, the student disabled the protection. What was downloaded was an information stealer that began logging keystrokes, stealing browser, cookies and clipboard data and more.
It apparently also found the student’s access credentials for the institute’s network. Thirteen days later, a remote desktop protocol (RDP) connection was registered on the institute’s network using the student’s credentials. Ten days later, the attackers launched Ryuk ransomware.
“It is unlikely that the operators behind the ‘pirated software’ malware are the same as the ones who launched the Ryuk attack,” Peter Mackenzie, manager of rapid response at Sophos, said in the report. “The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker. The RDP connection could have been the access brokers testing their access.”
Human error can happen in any organization, the report says. The mistake was able to progress to a fully-fledged attack because the institute didn’t have the protection in place to contain the error. “At the heart of this was its approach to letting people outside the organization access the network. Students working with the institute use their personal computers to access the institute’s network. They can connect into the network via remote Citrix sessions without the need for two-factor authentication.”
The report makes several recommendations to help avoid network access abuse:
- Enable multi-factor authentication (MFA), wherever possible, for anyone required to access internal networks, including external collaborators and partners.
- Have a strong password policy in place for everyone required to access internal networks.
- Decommission and/or upgrade any unsupported operating systems and applications.
- Review the use of proxy servers and regularly check security policies to prevent access to malicious websites and/or the downloading of malicious files by anyone on the network.
- Lock down remote desktop RDP access with static Local Area Network (LAN) rules via a group policy or access control lists.
- Implement segregation for any network access, including for LANs (or consider using virtual LANs) and where necessary hardware/software/access control lists are necessary.
- Continuously review domain accounts and computers, removing any that are unused or not needed.
- Review firewall configurations and only whitelist traffic intended for known destinations.
- Limit the use of admin accounts by different users as this encourages credential sharing that can introduce many other security vulnerabilities.