For most people, Friday is the start of their weekend. At Gillware Digital Forensics, it’s actually the start of our work week. Why? Because it’s the start of the work week for the people who are attempting to intrude on and attack your systems.
At Gillware, nearly every data breach investigation and response case has the first malicious action conducted on a Friday evening after everyone has started their weekend. If you’ve been unlucky enough to have to deal with a system that fell victim to a ransomware attack, you probably discovered the encrypted data first thing Monday morning.
Talk about a case of the Mondays.
In most data breaches and intrusion events, you can find indicators of compromise before any malicious actions, such as data theft, malware deployment, internal password phishing attempts, etc., have even taken place—if you just know where to look.
If you use Office365, as many offices do, and have admin audit logging enabled, you can check the logs for any sign of account compromise. If one of your users has fallen victim to a password phishing scam, it’s a near-certainty that the hacker will test the stolen login credentials days or even weeks before taking any real malicious action.
If you view the logs before the malicious action took place and find suspicious activities such as:
Then you’ve discovered evidence of a breach-in-progress.
If you see any of these kinds of malicious access, contact Gillware Digital Forensics ASAP. We can help you eliminate the breach and determine if the hackers have done any further malicious actions.
Many malicious acts are conducted through the millions of computers that have RDP ports that are accessible from outside the network without VPN or other security measures. Many RDP usernames and passwords are for sale on the dark web. If your users remotely access their workstations through any port via RDP, even if it’s not the default port, your systems are likely at risk. Fortunately, you can view Windows Security Event logs to determine if any accounts have been compromised. If you use RDP without a domain controller, you will need to view the security logs on each workstation.
Open Windows Event Viewer
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)] and EventData[Data[@Name='LogonType']='10']]
    </Select>
  </Query>
</QueryList>
Now you should be able to see RDP failed and successful logins like the one below (assuming that you use RDP):
In the image above depicting the successful login, the most important piece of information is the Source Network Address: the IP address that the login comes from. If you don’t allow RDP access from outside your local network, these will all be local IP addresses. However, if you use RDP from outside the network without requiring a VPN, these logins will show public (global) IP addresses.
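The same check can be scripted once the Security log has been exported. The Python script below is an added example written for this article, not a Gillware tool: it reads events exported to XML (Event Viewer “Save All Events As… XML”, or `wevtutil qe Security /f:xml` wrapped in a root element), keeps only 4624/4625 events with LogonType 10, and reports successful RDP logons from non-local addresses plus failed attempts per source IP. The events embedded in it are constructed samples, and the address 203.0.113.45 is from a reserved documentation range, standing in for a real public address.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace of the Windows Event schema used in exported Security events.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVENT_TAG = "{%s}Event" % NS["e"]

# Ranges treated as "local" for this check (RFC 1918, loopback, link-local).
# Anything else is reported as an external source.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10",
)]


def is_external(ip_text):
    """True if the Source Network Address is a routable, non-local IP."""
    if ip_text in ("", "-"):  # Windows writes '-' when no address was recorded
        return False
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_NETWORKS)


def parse_rdp_logons(xml_text):
    """Extract 4624/4625 events with LogonType 10 (RemoteInteractive = RDP)."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter(EVENT_TAG):
        event_id = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        if event_id not in ("4624", "4625"):
            continue
        # EventData is a flat list of <Data Name="..."> elements.
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("LogonType") != "10":
            continue
        created = ev.find("e:System/e:TimeCreated", NS)
        events.append({
            "time": created.get("SystemTime") if created is not None else "",
            "success": event_id == "4624",
            "user": data.get("TargetUserName", ""),
            "ip": data.get("IpAddress", ""),
        })
    return events


def summarize(events):
    """External successful RDP logons and failed-attempt counts per source IP."""
    external_successes = [e for e in events if e["success"] and is_external(e["ip"])]
    failures_by_ip = Counter(e["ip"] for e in events if not e["success"])
    return {"external_successes": external_successes, "failures_by_ip": failures_by_ip}


def _event(event_id, when, user, logon_type, ip):
    """Build one <Event> in the shape of an exported Security event (constructed sample)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')


# Constructed sample export: one local RDP logon, three failed RDP attempts
# and one successful RDP logon from a documentation-range address, plus a
# console logon (LogonType 2) that the filter must ignore.
SAMPLE_XML = "<Events>" + "".join([
    _event(4624, "2020-05-01T21:03:11Z", "jsmith", 10, "192.168.1.20"),
    _event(4625, "2020-05-01T22:10:01Z", "administrator", 10, "203.0.113.45"),
    _event(4625, "2020-05-01T22:10:04Z", "administrator", 10, "203.0.113.45"),
    _event(4625, "2020-05-01T22:10:09Z", "administrator", 10, "203.0.113.45"),
    _event(4624, "2020-05-01T22:11:30Z", "jsmith", 10, "203.0.113.45"),
    _event(4624, "2020-05-02T08:00:00Z", "jsmith", 2, "-"),
]) + "</Events>"


if __name__ == "__main__":
    report = summarize(parse_rdp_logons(SAMPLE_XML))
    for e in report["external_successes"]:
        print(f"EXTERNAL RDP LOGON {e['time']} user={e['user']} from={e['ip']}")
    for ip, n in report["failures_by_ip"].most_common():
        print(f"{n} failed RDP attempts from {ip}")
```

Run against a real export by replacing `SAMPLE_XML` with the file contents. A successful logon from an address that also shows a burst of failures, as in the sample, is exactly the pattern worth chasing; where no domain controller exists, run the script against each workstation’s exported log.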
In most of our breach investigations, the victim identifies suspicious activity after the fact. For example, after we tell the IT staff that a specific user was “Patient Zero” of the breach, they go back into their ticketing system and find that before the breach occurred the user reported abnormal operation of their computer, such as:
It’s hard to stay on top of all the issues reported to your IT staff every day. However, some of these reported issues can be indicators of compromise and need to be addressed posthaste to prevent further damage.
Most of the data loss incurred due to ransomware can be avoided by having an offsite cloud backup that is not easily accessible from any of the computers/servers on your network that could fall victim to ransomware. Too often we see an organization’s backups stored on a NAS device attached to the compromised computer or server in question. If you’ve stored your backups on a NAS that is currently mapped to a computer or server, and that computer or server gets ransomed, your backups will get deleted or encrypted as well.
Ransomware keeps evolving to make infections harder to recover from without paying the hackers. Modern ransomware even runs tools that wipe the free space on the devices it infects, which makes recovery of the deleted backups impossible in these situations.
Even the most vigilant people can’t catch 100% of the threats that come their way. You should always do the best you can to protect yourself, but for anything that sneaks through, you can always count on us here at Gillware Digital Forensics to help you make things right again.