Dead System Admin's Credentials Used for Ransomware Attack
Sophos: 'Ghost' Accounts Present a Potential Security Danger
The operators of the Nefilim ransomware used the credentials of a deceased system administrator to plant their crypto-locking malware in about 100 vulnerable systems during one attack, according to a recent report published by security firm Sophos.
Nefilim, which is also known as Nemty, is a relatively new ransomware variant; its operators target organizations with unpatched or poorly secured Citrix remote access technology. In December 2020, the ransomware was tied to an attack that targeted appliance maker Whirlpool (see: Whirlpool Hit With Ransomware Attack).
The criminal gang's use of the credentials that belonged to a deceased system administrator caught the attention of the Sophos researchers.
In a case study published Tuesday, the researchers say the system administrator had died three months previously, but the account remained active. The researchers note that there are numerous reasons why the account could have been left open, including the possibility that the system admin had helped with the initial setup of the targeted firm's services.
"Closing down the account would have stopped those services working, so keeping the account going was, we'd imagine, a convenient way of letting the dead person's work live on," according to the report.
The Sophos report also notes that these types of "ghost" accounts are an increasing problem for security teams, especially if other parts of the company forget that they remain active after an employee has left or died.
"In this case, the active use of the account of a recently deceased colleague ought to have raised suspicions immediately - except that the account was deliberately and knowingly kept going, making its abuse look perfectly normal and therefore unexceptionable, rather than making it seem weirdly paranormal and therefore raising an alarm," according to Sophos.
Exploiting the Dead
Sophos found that attackers had compromised the admin account, which maintained high-level access, about one month before launching Nefilim ransomware. Once they gained access to the compromised admin account, the gang spent a month quietly stealing credentials for other accounts and also found troves of data, exfiltrating hundreds of gigabytes before deploying the ransomware and locking files.
As with other ransomware attacks associated with Nefilim, the operators targeted vulnerable Citrix resources to gain the initial foothold.
"In this case, the adversary exploited vulnerable Citrix software, gained access to the admin account, then stole the credentials for a domain admin account using Mimikatz," the researchers note. "The malicious activities were often in the middle of the night for the customer's local time. We were able to work out some of the movements in the account based on when they occurred and when the commands were being performed."
The hackers also gained additional access to the organization’s network, creating new users and adding those accounts to the domain admin group in Active Directory.
"No alerts were set off so that new domain admin account went on to delete about 150 virtual servers and used Microsoft BitLocker to encrypt the server backups," the report notes.
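Two of the conditions described above (a still-enabled account whose owner has left, and new accounts being created and added to Domain Admins without any alert firing) are straightforward to check for. The script below is an added example and is not code from Sophos or from the article: it reconciles a constructed HR separation list against a constructed account export to flag "ghost" accounts, then scans constructed Windows Security event lines (4720 user created, 4728/4732 member added to a security-enabled group) and raises alerts for privileged-group changes, with extra weight when the actor is a known ghost account or the change happens off-hours. Account names, dates, and log lines are all made up for the demonstration; the event IDs and group names are standard Windows ones.

```python
"""Added example, not from the Sophos report: ghost-account reconciliation
plus privileged-group change detection over constructed event log lines."""
from dataclasses import dataclass
from datetime import date
import re


@dataclass
class Account:
    sam: str            # sAMAccountName
    enabled: bool
    privileged: bool    # member of a high-privilege group such as Domain Admins
    last_logon: date


# Constructed account export (hypothetical users and dates).
ACCOUNTS = [
    Account("jdoe.admin", True, True, date(2021, 1, 12)),
    Account("asmith", True, False, date(2020, 12, 1)),
    Account("rjones", False, False, date(2020, 8, 3)),
]

# Constructed HR separations: account -> date the person left the organization.
SEPARATIONS = {
    "jdoe.admin": date(2020, 10, 15),
    "rjones": date(2020, 8, 1),
}

TODAY = date(2021, 2, 1)  # fixed "now" so the demo is reproducible

# Constructed Security log lines: timestamp, event ID, then key=value fields.
EVENTS = """\
2021-01-20T02:14:05Z 4720 Subject=jdoe.admin TargetUser=svc_backup2
2021-01-20T02:15:41Z 4728 Subject=jdoe.admin Member=svc_backup2 Group=Domain Admins
2021-01-20T09:30:00Z 4728 Subject=helpdesk1 Member=asmith Group=Printer Operators
2021-01-21T03:02:11Z 4732 Subject=svc_backup2 Member=svc_backup2 Group=Administrators
"""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")  # values may contain spaces (group names)


def find_ghost_accounts(accounts, separations, today):
    """Flag enabled accounts whose owner has a separation date on record."""
    findings = []
    for acct in accounts:
        left = separations.get(acct.sam)
        if left is None or not acct.enabled:
            continue
        findings.append({
            "account": acct.sam,
            "days_since_separation": (today - left).days,
            "logon_after_separation": acct.last_logon > left,
            "privileged": acct.privileged,
        })
    return findings


def parse_event(line):
    """Split one constructed log line into timestamp, event ID and fields."""
    ts, event_id, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    return {"ts": ts, "id": int(event_id), **fields}


def alert_privileged_changes(log_text, ghost_admins=frozenset(), off_hours=(0, 6)):
    """Return (timestamp, actor, reasons) for account creations and
    privileged-group additions; annotate ghost actors and off-hours activity."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        hour = int(ev["ts"][11:13])  # log timestamps are UTC in this demo
        reasons = []
        if ev["id"] in (4728, 4732) and ev.get("Group") in PRIVILEGED_GROUPS:
            reasons.append(f"{ev['Member']} added to {ev['Group']}")
        if ev["id"] == 4720:
            reasons.append(f"user {ev['TargetUser']} created")
        if reasons and ev["Subject"] in ghost_admins:
            reasons.append("actor is a ghost account")
        if reasons and off_hours[0] <= hour < off_hours[1]:
            reasons.append("off-hours")
        if reasons:
            alerts.append((ev["ts"], ev["Subject"], reasons))
    return alerts


def run_demo():
    """Chain both checks: ghost accounts feed the actor watch-list."""
    ghosts = find_ghost_accounts(ACCOUNTS, SEPARATIONS, TODAY)
    watch = {g["account"] for g in ghosts}
    return ghosts, alert_privileged_changes(EVENTS, ghost_admins=watch)


if __name__ == "__main__":
    ghosts, alerts = run_demo()
    for g in ghosts:
        print("GHOST", g)
    for ts, actor, reasons in alerts:
        print("ALERT", ts, actor, "; ".join(reasons))
```

Feeding the ghost-account list into the event scan is the point of the design: the stale admin account is not suspicious on its own, but any privileged change it performs should be. In a real deployment the account export would come from the directory, the separation list from HR, and the events from the SIEM; the off-hours window would be set in the organization's local time.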
Nefilim, or Nemty, was first discovered by Fortinet in September 2019.
In addition to targeting vulnerable or unpatched Citrix platforms, researchers note that Nefilim appears to operate an "as-a-service" model, with the operators updating and controlling the ransomware while affiliate gangs carry out other parts of the operations, such as contacting the victim and deploying the malware (see also: Nefilim Ransomware Gang Tied to Citrix Gateway Hacks).
One of the most high-profile attacks to date by Nefilim targeted Australian shipping giant Toll Group, which first acknowledged the attack in May 2020. Six weeks earlier, Toll Group had fallen victim to a Mailto - aka Netwalker - ransomware attack, which had disrupted operations for weeks.
In both cases, Toll Group refused to pay a ransom. In response, Nefilim began leaking stolen company data and noted on its dedicated leaks site that the company had failed to fully shore up defenses following the Mailto hit (see: Toll Group Data Leaked Following Second Ransomware Incident).