Sometimes you read about cyber attacks and think that something like that couldn’t happen to you – until it does. A case like this recently occurred. The attack clearly demonstrates how social engineering works and how even a rather unskilled attacker could cause significant damage.
How it all began: The spam wave
It all started with an employee being flooded with spam emails. It was simply impossible to work productively. In retrospect, this was probably the attacker’s first move. The flood of emails presumably created the ‘perfect’ scenario to prepare the next step: establishing contact.
The ‘supposed’ rescuer: contact via MS Teams
While the employee was still trying to deal with the chaos in his inbox, someone suddenly contacted him via MS Teams. At first glance, the contact seemed completely legitimate – after all, the person introduced themselves as IT support. The question of whether the problems with the emails were still there hit the stressed employee right where it hurt. The employee followed the instructions of the supposed helper.
‘Please download AnyDesk’
This is where the next step came in: the attacker asked the employee to download the remote management software AnyDesk. At first glance, nothing unusual here, right? But this was precisely the trap. With the best of intentions, the employee granted access and, a short time later, the attacker was in the middle of a remote session.
The remote session: 1.5 hours of access
The remote session lasted about 1.5 hours. During this time, the attacker carried out several activities:
- The employee was asked to disclose his M365 password, which he unfortunately did.
- A few documents were apparently exfiltrated, as later analysis of the AnyDesk logs showed. Fortunately, these were non-critical documents.
- The attacker executed various commands to collect system information and identify vulnerabilities.
The commands showed an attempt to extract network information, registry details and possibly sensitive configurations. The observed commands included:
- Collecting network information
- Checking registry entries of VPN tunnels
- Checking registry entries without displaying error messages
- Checking ongoing VPN connections with faulty commands
- The installation command of level.io (Remote Monitoring & Management software)
The attacker’s unprofessionalism
Despite the successful remote session, the attacker showed little professionalism:
- Several PowerShell commands failed and some were simply written incorrectly.
- The approach indicated that the attacker was probably using a playbook or script that he was copying and pasting blindly. Adaptation to the specific environment was completely lacking.
The same attack behaviour has previously been attributed to attackers using the BlackBasta Ransomware-as-a-Service. However, it could not be confirmed whether this was an affiliate of that ransomware operation.
The turning point: the real IT support team gets in touch
After an hour and a half in the remote session, the company’s real IT support team finally called. This was the moment when the employee realized that something was wrong and interrupted the remote session. Fortunately, thanks to the attacker’s unprofessional approach, no serious damage was done. The computer was isolated and all passwords were reset.
Lessons Learned from the incident
Security Awareness training is essential:
The attack could have been prevented if the employees had been better trained. In particular, requests to install software should always be treated with caution.
Restrictions for Remote Management tools:
Software like AnyDesk should not be easy to download and install. Any attempted execution should be blocked and an alert raised. Whitelisting of permitted programs and pre-installing required software could prevent similar incidents in the future.
Technical protective measures:
Collaboration in platforms such as Microsoft Teams should be restricted to known and trusted organizations.
PowerShell activities should be monitored and restrictive policies for script execution should be implemented. For more information, read our full article about Forensic Readiness.
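To show what the monitoring side of these two measures can look like in practice, here is an added example that is not part of the original article or the incident response: it correlates process-creation events for remote-management tools launched outside approved install paths with the reconnaissance-style PowerShell script blocks that follow them within a 90-minute window. The event records, tool list, approved paths and patterns are all constructed assumptions for illustration, not logs from the incident.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (NOT from the incident): (timestamp, event id, text).
# Event 1 = process creation (image path), 4104 = PowerShell script block text.
EVENTS = [
    ("2024-05-02 10:02:11", 1, r"C:\Users\jdoe\Downloads\AnyDesk.exe"),
    ("2024-05-02 10:05:40", 4104, "ipconfig /all; whoami /all"),
    ("2024-05-02 10:06:02", 4104, "Get-ItemProperty HKLM:\\SYSTEM\\CurrentControlSet\\Services\\RasMan -ErrorAction SilentlyContinue"),
    ("2024-05-02 10:07:15", 4104, "rasdial"),
    ("2024-05-02 11:20:00", 1, r"C:\Users\jdoe\AppData\Local\Temp\level-agent-installer.exe"),
    ("2024-05-02 14:00:00", 4104, "Get-ChildItem C:\\Reports"),
]

# Assumed remote-management binaries of interest and the locations where an approved,
# pre-installed copy would live (anything else is treated as a user-initiated download).
RMM_TOOLS = re.compile(r"(anydesk|level[-_]?agent)", re.I)
APPROVED_PATHS = (r"c:\program files", r"c:\program files (x86)")

# Assumed patterns for the command categories described in the article.
RECON = {
    "network discovery": re.compile(r"\b(ipconfig|whoami|netstat|arp)\b", re.I),
    "registry query with suppressed errors": re.compile(r"(Get-ItemProperty|reg query).*?-ErrorAction SilentlyContinue", re.I),
    "vpn check": re.compile(r"\b(rasdial|Get-VpnConnection)\b", re.I),
}


def unapproved_rmm_launch(image_path):
    """True when a known remote-management binary runs outside the approved install locations."""
    low = image_path.lower()
    return bool(RMM_TOOLS.search(low)) and not low.startswith(APPROVED_PATHS)


def correlate(events, window=timedelta(minutes=90)):
    """Return one finding per unapproved RMM launch, each with the recon script blocks seen within the window."""
    parsed = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), eid, text) for t, eid, text in events)
    findings = []
    for ts, eid, text in parsed:
        if eid == 1 and unapproved_rmm_launch(text):
            findings.append({"time": ts, "tool": text, "recon": []})
        elif eid == 4104 and findings and ts - findings[-1]["time"] <= window:
            tags = [name for name, rx in RECON.items() if rx.search(text)]
            if tags:  # only script blocks matching a recon category are attached
                findings[-1]["recon"].append((ts.strftime("%H:%M:%S"), tags, text))
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["time"], f["tool"], "->", len(f["recon"]), "recon script block(s)")
```

A launch with recon activity attached is the combination worth an immediate alert; a launch with none still warrants a check against the allow-list.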
This incident may have ended lightly, but it clearly shows how important it is to be prepared on both a technical and human level. Social engineering is often the most effective way for attackers to achieve their goals – we must never forget that.