Ever wonder how investigators are able to put the pieces together to diagnose and contain a cyberattack? Below is a story from the Check Point Incident Response team as they deconstruct one of their recent cases.

In the middle of April 2018, Check Point’s Managed Security Services (MSS) team and Check Point Incident Response noticed that something was amiss at a particular university in the Asia-Pacific region.

A PC in its trusted network was displaying signs of malicious activity—in this case, a known malicious command and control communication pattern—while connected to medical research equipment. The Check Point teams notified the university, and engaged the Check Point Incident Response team to investigate.

The Dangers of Lateral Movement

On arrival, Incident Response identified server message block (SMB) scanning activity, and set to work conducting a forensic analysis. The team found three suspicious files and three suspicious drivers. Further reverse engineering analysis by the research team revealed the culprit: a new variant of the sophisticated virulent dropper, Glupteba.

SMB is an application-layer network protocol used mainly for file sharing. In this case, once the malware infects a computer, it starts scanning both the internal network and the external network (i.e. the Internet) for open SMB ports, in order to “hop” to other machines and infect the entire organization.
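The fan-out pattern described above (one host reaching many distinct hosts on TCP/445 in a short time, inside and outside the organization) is what a defender looks for in firewall connection logs. The following is an added example, not code from the original post or from Check Point: it runs a sliding-window count of distinct SMB destinations per source over a constructed sample log. The log format, the internal address ranges and the thresholds are assumptions for the example.

```python
from collections import defaultdict, deque, Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Address ranges the organization considers internal (assumed for the example).
INTERNAL_NETS = [ip_network("10.20.0.0/16")]

# Constructed sample firewall log, one "timestamp src dst dport action" per entry
# (not real traffic). 10.20.5.17 fans out to 20 internal and 5 internet hosts on
# TCP/445 within about a minute; 10.20.5.40 only talks to the file server.
T0 = datetime(2018, 4, 12, 9, 0, 0)
SAMPLE_LOG = (
    [f"{(T0 + timedelta(seconds=3 * i)).isoformat()} 10.20.5.17 10.20.5.{i + 1} 445 drop"
     for i in range(20)]
    + [f"{(T0 + timedelta(seconds=60 + 3 * i)).isoformat()} 10.20.5.17 203.0.113.{i + 1} 445 drop"
       for i in range(5)]
    + [f"{(T0 + timedelta(minutes=i)).isoformat()} 10.20.5.40 10.20.5.2 445 accept"
       for i in range(6)]
)

def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action

def find_smb_scanners(lines, min_targets=10, window=timedelta(minutes=5)):
    """Return {src: {"internal": n, "external": m}} for each source that reached at
    least min_targets distinct hosts on TCP/445 inside one sliding time window."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, _action = parse_line(line)
        if dport == 445:                       # SMB only, accepted or dropped alike
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        recent = deque()                       # (ts, dst) events inside the window
        seen = Counter()                       # hits per distinct dst in the window
        for ts, dst in events:
            recent.append((ts, dst))
            seen[dst] += 1
            while ts - recent[0][0] > window:  # expire events that fell out of window
                _old_ts, old_dst = recent.popleft()
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
            best = scanners.get(src, {"internal": 0, "external": 0})
            if len(seen) >= min_targets and len(seen) > sum(best.values()):
                internal = sum(1 for d in seen if any(ip_address(d) in n for n in INTERNAL_NETS))
                scanners[src] = {"internal": internal, "external": len(seen) - internal}
    return scanners
```

Dropped connections count as well as accepted ones, because a scanning host is flagged by how many targets it probes, not by how many it reaches.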

That means an organization needs only one vulnerability, on only one machine, for a single infection to reach the entire network: one employee connecting his or her phone to an unsecured WiFi network, or one user handing over credentials to a phishing email. Just one momentary lapse and the whole organization is at risk.

WannaCry spread through hundreds of countries and caused billions of dollars of damage by using EternalBlue—the military-grade hacking weapon stolen from the NSA—to exploit a known Microsoft SMB vulnerability. This let WannaCry move laterally across networks, which is a core reason why WannaCry and NotPetya are often considered the turning point between fourth- and fifth-generation cyberattacks.

Once Incident Response saw the lateral movement over SMB and identified the malware, the team zeroed in on how a PC connected only to the medical research network had become infected.

Finding Patient Zero

The network infrastructure was properly segmented, so the different networks with discrete security needs had effective barriers to prevent cross-contamination.

But somehow, the malware managed to move laterally from the open, public student network onto the private, sensitive research network.

Among most IT teams, there’s a clear best practice: consolidate the system’s management across all networks onto a single pane of glass, and you’ll be much more effective against cyberattacks. Fortunately, the university was already following this advice. As a result, Incident Response was able to retrieve logs from both the research lab network and the public student network—this was the clue the forensics team needed.

Turning to the public student network, the team quickly saw exactly what was needed: Several students had the same malware on their laptops. A few questions to the faculty later, Incident Response found patient zero.

One particular student, an occasional volunteer at the lab, had accessed the machine the day the suspicious activity began. The logs confirmed that for a few minutes, the student logged onto the medical device and connected it to the open student wireless network.

Those few minutes were all it took for the machine to get infected.

Main Takeaways

That momentary lapse in cyber hygiene was the only way the malware could get into the sensitive research network. Had the university’s IT team not properly segmented the networks ahead of time, the story could have been much worse: the second the Glupteba malware entered the easy-to-access public network, it would have had a much easier time getting into the research network.

Human error will always be around, but smart security strategy and practice can greatly minimize the risks. In this case, the university did segment the two networks and did consolidate the system’s management, allowing for a quick and effective response.

This case highlighted several important lessons:

  1. Proper network segmentation is still one of the most critical security controls – if the university hadn’t segmented its research network, the malware on the infected machine would have spread laterally and quickly attacked the entire organization, even without the cross-contamination that occurred here.
  2. Improperly connecting to an unsecured network can get your machine infected in the blink of an eye. Organizations should monitor devices that connect to multiple wireless networks.
  3. Patching is vital. It goes without saying that vendors providing PCs for medical research should provide/approve patches in a timely fashion.
  4. Most medical devices and research tools are mission critical and not designed with security in mind. Since updating them requires downtime, look at isolation and micro-segmentation as a security measure.

Fifth-Generation Cyberattacks Are Different

The sophistication of the latest, fifth-generation cyberattacks is marked by lateral-moving hacking tools like the one that played out in this incident. Addressing these attacks requires a focus on fifth-generation cybersecurity protection that is based on prevention rather than detection.

As the Incident Response team is fond of saying, “Investing in prevention is much cheaper than having the best tools to detect a breach.”