After a severe cyberattack, returning your information system to operational condition can be complex, lengthy and costly. But a systematic and rigorous approach is essential, unless you want to leave the attacker an open door to come back. Unfortunately, deep-reaching cyberattacks often involve a compromise of the Active Directory infrastructure.
This translates into a slow and laborious reconstruction, as the CEO of the Software group described at the end of September 2021. At the beginning of 2019, the director of the Cybersecurity practice at Wavestone detailed in LeMagIT the first challenges of the technical side of crisis management. These are still valid almost three years later.
Constraining Interdependencies
It starts with accessing backups, because it is common for the backup servers themselves to have been encrypted. At this point, the question of whether or not to restore from them, which depends on the assumed extent of the compromise, does not even arise yet. And rebuilding the index of the backups “often takes several days” of work with the tools available on site, as Gerald Ferraro learned from painful experience.
To make matters worse, “the backup server is very often itself dependent on the directory”, a dependency that cybercriminals exploit to attack backups. So one of the primary measures to take before an incident consists of “ensuring that the restoration procedures can be launched, even in a situation where the traditional support functions are no longer available”.
Part Of The Doubt
But when there is reason to suspect an attack on the directory’s integrity, restoration appears very difficult. Rebuilding is then the preferred route, “and we take the opportunity to apply the proper rules of Active Directory architecture, which were often not there before”. From there, recovery can be planned carefully, cleaning where necessary the data of applications that were not the target of the attack.
This brings us back to the more than delicate question of the purpose of the attack: “it’s action 0, or almost, when you arrive at a cyber incident: investigate to determine the purpose of the attack”, because the trust that can be granted to the information system and to the backups depends on it.
It may seem paradoxical, but while intercepting attackers before they trigger ransomware (for example) is good news, determining their true motivation and objectives can be very difficult, if possible at all. Analyzing markers related to the infrastructure they used in the attack can, however, help with attribution. But whatever the case, recalled Gérôme Billois, “we have to move forward, even in the absence of absolute certainty”.
For Cyrille Barthelemy, CEO of Intrinsec, it is straightforward: “in the event of a compromise of an Exchange server, the risk of domain compromise must be considered de facto, and even the risk that it has been escalated to other domains via a forest”. And there, things can quickly become very complicated.
At Considerable Risk
For him, in such circumstances, it is necessary “to take measures to assess the compromise”, namely: “verification of existing and newly created privileged accounts, reset of privileged passwords, double reset of Kerberos accounts”. Cyrille Barthelemy adds other operations such as “auditing the Active Directory, to begin with, using tools like PingCastle or Alsid” and “investigating the servers concerned – Exchange infrastructure, domain controllers, etc.”
Depending on the results of these investigations, it is appropriate to “consider the need to rebuild a trust bubble with a new Active Directory”. This is an operation that many ransomware victims have, unfortunately, not escaped. As for changing the passwords of user accounts, administrators, or even application accounts while facing the threat of an attack in progress: “I especially saw people doing urgent things previously considered impossible. Because there was no other choice”.
Still, the real difficulties usually crystallize around service accounts, those that are not linked to human users. And, explains Laurent Besset, Cyberdefense director of I-Tracing, “it’s not a problem of tools, because, for almost ten years now, certain safe solutions have had features for managing the storage and the renewal of machine-to-machine accounts”. But “many organizations have accumulated significant technical debt over the years and gradually lost control of some or all of the technical accounts.”
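The assessment steps quoted above (review of existing and newly created privileged accounts, privileged password resets, double reset of the Kerberos account) as a read-only triage script. This is an added example, not code from the article or from any of the people or vendors it cites; it assumes the RSAT ActiveDirectory module, a domain-joined host with read access to the directory, and a 30-day lookback window.

```powershell
# Added example, not from the article: read-only AD triage for the checks quoted above.
# Assumptions: RSAT ActiveDirectory module installed, host is domain-joined, and the account
# running this can read the directory. Nothing here modifies AD; the resets themselves are a
# separate, deliberate step once these findings have been reviewed.
Import-Module ActiveDirectory

$lookback = (Get-Date).AddDays(-30)   # assumed window: review changes from the last 30 days

# 1. Who currently holds high privilege, nested memberships included.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$members = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, Name, objectClass, distinguishedName
}
$members | Sort-Object Group, Name | Format-Table -AutoSize

# 2. Accounts created inside the window (a newly created privileged account is a classic
#    persistence sign), and accounts that are or were in protected groups (adminCount = 1).
Get-ADUser -Filter 'whenCreated -ge $lookback' -Properties whenCreated, adminCount |
    Select-Object Name, whenCreated, adminCount | Format-Table -AutoSize
Get-ADUser -Filter 'adminCount -eq 1' -Properties PasswordLastSet |
    Select-Object Name, Enabled, PasswordLastSet | Format-Table -AutoSize

# 3. Age of the krbtgt password. The KDC honours tickets signed with both the current and the
#    previous krbtgt key, which is why one reset is not enough: two resets, spaced far enough
#    apart for replication to complete, are needed before tickets forged with a stolen key
#    stop validating. A PasswordLastSet older than the suspected intrusion is a red flag.
Get-ADUser -Identity krbtgt -Properties PasswordLastSet |
    Select-Object Name, PasswordLastSet

# 4. Privileged accounts whose password predates the window: candidates for the reset list.
Get-ADUser -Filter 'adminCount -eq 1 -and PasswordLastSet -lt $lookback' -Properties PasswordLastSet |
    Select-Object Name, PasswordLastSet | Format-Table -AutoSize
```

Compare the output of step 1 against the documented list of expected administrators; any account present in the directory but absent from that list goes into the investigation, not just into the reset queue.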
An Essential, Rigorous Cleaning
Alas, if this methodical cleaning work is not carried out, the victim is exposed to the risk of being attacked again, potentially by the same group of cybercriminals, even if a different ransomware is used. The known cases are few. But at the beginning of June, TPI Corporation appeared on the showcase site where the Conti gang and its associates display the victims who refuse to give in to them.
In February 2021, the name of this company had been displayed on the DarkSide operations showcase site. And according to Emsisoft data, TPI Corporation had already been attacked by a Maze affiliate in the spring of 2020! In mid-May, an attack carried out against the German Seifert Logistics was claimed by the mafiosos of Conti. Those of Pysa had been there several months before, in September 2020.
At the beginning of May, Lydall received the honors of the showcase site of REvil/Sodinokibi following an attack which probably occurred in April. But a sample of DarkSide ransomware, which surfaced at the end of that month, allowed access to a dedicated page on the showcase site for this ransomware, which referred to March 16, 2021.
In mid-March, Ken’s Foods was highlighted by its attackers working with DarkSide. A little later, it was the turn of those of the LV group. To these examples should also be added Party Rental Ltd, whose name was displayed successively by Avaddon and Conti at the beginning of the year. Questioned in the spring on this subject, Brett Callow, an Emsisoft analyst, explained that he considered it probable that it was the same attacker, trying his luck a second time with another ransomware after having failed the first time to obtain a ransom payment. This implies that the assailant retained access, a persistence that is probably due to insufficient cleaning work.