A recent ransomware attack highlights the dangers of extraneous accounts sitting on your network – particularly those belonging to former employees.
Standard cyber hygiene calls for purging employees’ accounts and credentials from a corporate network once they quit or are fired from their position. On those occasions in which an employee dies, the same practice should apply. But according to a blog post this week from Sophos, attackers from the Nefilim ransomware gang recently infiltrated an unnamed company in part by compromising the admin account of an employee who had passed away three months earlier.
According to Sophos, the Nefilim attackers exploited a vulnerability in Citrix software in order to hijack the deceased individual’s admin account. They then used the Mimikatz post-exploitation tool to swipe the credentials of an even higher-privileged domain admin account. Leveraging these privileges, the attackers exfiltrated hundreds of gigabytes of data and, as a final flourish, unleashed the ransomware, impacting more than 100 systems.
The Nefilim gang involved in this case is generally known for engaging in targeted, double-extortion attacks (i.e. encryption and data leaking), using a ransomware program that was derived from a previous malware they had used called Nemty. The Sophos Rapid Response Team was called in to investigate the attack.
The unfortunate incident presents some important lessons for companies, including their IT/security teams and human resources departments. For starters, credentialed accounts should not sit idle or unmonitored on a network with no responsible account holder who can take remedial action if there is a suspicious log-in or other sign of cybercriminal activity.
In the example described by Sophos, the account wasn't entirely abandoned, as the company was still using it for certain unspecified services. However, experts say there were less risky options available.
“There is no reason to keep these accounts active," said Jeff Barker, vice president of product marketing at Illusive. "This is one example of the impact of poor credential hygiene. Attackers exploit unnecessary credential information like this to move laterally within an environment and achieve their objectives."
"It seems an odd idea and situation to keep a highly privileged personal account of a former colleague running because it is used for essential services in a company, but the reality is that this happens all the time," said Dirk Schrader, global vice president at New Net Technologies (NNT). "It's the usual drift between ‘getting things done’ due to pressure from the business and ‘work along the processes’ of the business where employees start using their own accounts. The excuse is always ‘we will change it later’."
In its blog post, Sophos suggests a compromise: “If an organization really needs an account after someone has left the company, they should implement a service account and deny interactive logins to prevent any unwanted activity. Or, if they don’t need the account for anything else, disable it and carry out regular audits of Active Directory."
Furthermore, multiple security products exist that allow an organization to use shared accounts for services without disclosing credentials, added Marcus Hartwig, manager, security analytics at Vectra.
Another important takeaway from this incident is to avoid unnecessary domain admin accounts that, if compromised, could give attackers keys to your kingdom.
“People assume because a person is an executive or is in charge of the network that they need to be using a domain admin account. This isn’t true and it’s dangerous,” said Peter Mackenzie, manager for Rapid Response at Sophos, as quoted in the blog post. “No account with privileges should be used by default for work that doesn’t require that level of access. Users should elevate to using the required accounts when needed and only for that task.”
Sophos also recommends that companies set their Active Directory audit policies to "monitor for admin account activity or if an account is added to the domain admin group.”
Barker said that Illusive security experts once assessed the attack surface of a law firm and found more than 1,500 domain admins in a network of 4,000 machines. "Let that sink in – what this means is that more than one out of every three machines had the most powerful user credentials accessible to any attacker," he said, noting that unnecessary and cached administrator credentials provide fuel for the attacker to move laterally within the environment.
While human resources needs to be the leading department in verifying any use of accounts after an employee has left, Schrader said that better coordination between HR and a company's IT/security and management teams would go a long way toward improving cyber hygiene practices.
"As these disconnects described are happening far too often, the best way to overcome them is to sit together and visualize the dependencies embedded in business processes from the various perspectives of senior management, IT/sec, HR, and the business unit managers. That leads to solid establishment of cyber resilience," said Schrader.
"There should absolutely be coordination between HR and information security teams," stated Derek Manky, chief of security insights and global threat alliances at Fortinet's FortiGuard Labs. "Information security and HR teams should work collaboratively to adopt proactive processes that include reviewing and enforcing access requests on new hires and [the] revocation process on exit; enforcing [the] changing of passwords for active employees with regular cadence in addition to multi-factor authentication; [and] regular education, including phishing awareness for employees."
Hartwig sees some progress in that regard, acknowledging a big disconnect between the IT department and HR department historically, but pointing to progress among many organizations that are "breaking down that wall and looking at the HR system to provide the source of truth for both employees and contractors regarding access to services and individual permissions."
"Ultimately, if a person is not in the HR system, they should not have an account," he added.
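As an added example (not code from Sophos or the article), the following turns the Sophos recommendations above (service accounts with interactive logon denied, regular Active Directory audits, alerting on additions to the domain admins group) and Hartwig's "not in the HR system, no account" rule into two recurring checks over constructed data. The AD export fields, the HR roster, the account names and the simplified key=value audit-log format are assumptions; the event number 4728 is the real Windows Security event for a member being added to a security-enabled global group such as Domain Admins.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class AdAccount:
    sam: str                 # sAMAccountName (constructed)
    enabled: bool
    groups: frozenset        # AD group memberships
    interactive_logon: bool  # True unless logon is restricted to service use
    owner: Optional[str]     # HR employee id responsible for the account (assumed field)

def audit_accounts(accounts, hr_active):
    """Flag enabled accounts whose owner is not active in HR, and standing Domain Admins rights."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts are the desired end state; nothing to report
        if a.owner not in hr_active:
            findings.append((a.sam, "no active HR owner: disable, or convert to a service account"))
            if a.interactive_logon:
                findings.append((a.sam, "interactive logon still allowed"))
        if "Domain Admins" in a.groups:
            findings.append((a.sam, "standing Domain Admins membership; review whether it is needed"))
    return findings

# Simplified, constructed audit-log format (not real Windows event text).
EVENT_RE = re.compile(r'EventID=(\d+) Group="([^"]+)" Member=(\S+) Actor=(\S+)')

def domain_admin_additions(log_lines):
    """Return (member, actor) for every 4728 event that adds a member to Domain Admins."""
    hits = []
    for line in log_lines:
        m = EVENT_RE.search(line)
        if m and m.group(1) == "4728" and m.group(2) == "Domain Admins":
            hits.append((m.group(3), m.group(4)))
    return hits

# Constructed sample data: E1001 left the HR roster three months ago, but the
# privileged account tied to that employee is still enabled and interactive.
HR_ACTIVE = {"E1002", "E1003"}
ACCOUNTS = [
    AdAccount("jdoe-adm", True, frozenset({"Domain Admins"}), True, "E1001"),
    AdAccount("svc-backup", True, frozenset(), False, "E1002"),
    AdAccount("asmith", True, frozenset(), True, "E1003"),
    AdAccount("old-contractor", False, frozenset(), True, None),
]
LOG = [
    'EventID=4728 Group="Domain Admins" Member=jdoe-adm Actor=jdoe-adm',
    'EventID=4728 Group="Backup Operators" Member=svc-backup Actor=admin1',
    'EventID=4624 Logon=asmith',
]
```

Run against a real export, `audit_accounts` is the audit Sophos suggests scheduling, and `domain_admin_additions` is the alert condition for the audit policy it recommends.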
Sophos was not able to share specifics on the timeline of the attack in order to preserve the privacy of the affected company.