The initial point of access was a server running Windows Server 2008 R2 Service Pack 1. That machine was the source of several failed login attempts to a number of other servers, and 15 minutes, attackers had logged in to a 2nd machine, and four minutes later, a 3rd server. 5/23

Control of the third server gave the attackers admin privileges. They abused a remote management utility called RemoteExec (named CI.exe) and, 18 minutes in to the attack, copied it to six other machines. 6/23

The next minute, the attackers had copied batch scripts to three of the six compromised servers, and those scripts were running, performing a variety of tasks at high speed. They also installed a backdoor service onto one of the other compromised machines. 7/23

By minute 26 of the attack, the intruders had downloaded and installed a second commercial remote access utility, called ScreenConnect, and set up temporary access to a specific, external IP address. 8/23

Methodically over the following hour, attackers moved from compromised server to compromised server, downloading and executing a set of batch scripts. Some of the machines downloaded a payload from an IP address belonging to notorious ISP Green Floid. money.cnn.com/2017/10/25/med… 9/23

And then…nothing happened for three days. The attackers made no attempt to reconnect to the network until almost 72 hours after the initial break-in. But then the gloves came off…and those servers started reporting detections of malware. 10/23

Behavioral detections based on the malicious use of PowerShell; Multiple attempts to deploy Cobalt Strike beacons; Placement of malware executables on network shares. The @Sophos endpoint was blocking all of that. 11/23

All day, the attackers tried and tried and tried again to deploy malware across a wide range of machines, and failed. For more than 15 hours, they repeatedly tried to push malicious executables onto devices or filelessly load them into memory.

They failed. 12/23

After taking a three hour break – all that attempted crime had to be hard work – the attackers then resumed, and continued failing to infect machines, blocked by behavioral and memory detection of the payloads, most of which were Cobalt Strike. 13/23

Finally the attackers’ gloves came off. They used PowerShell to try to disable Windows Defender. They also leveraged those administrator tools they had used earlier in the attack to bundle up internal documents and send them to Mega, a cloud storage provider. 14/23

It took almost a full day for them to download the installers for Chrome and WinRAR, to bundle up the sensitive data into archive files, and then upload them to Mega. At the end, they cleaned up after themselves, deleting host logs and records. 15/23

The attackers took a break for three more days, then came back. We detected them deploying a list of text files on an internal server in preparation for the final phase of the attack, the deployment of ransomware. 16/23

We also detected (and blocked) more attempts to deploy both Cobalt Strike beacons, Metasploit Meterpreters, and BazarBackdoor malware onto various systems they controlled. Once again, they were prevented from doing so. 17/23

Finally, at about 1:34am in the target’s time zone, the attackers started trying to deploy ransomware executables. They were prevented from encrypting dozens of servers and workstations, repeatedly, over the next eight hours. Emotet and BazarBackdoor were also blocked. 18/23

Logs showed that, while the attackers were trying to deploy the ransomware, they used some of their other tools to log in to machines and see what was going on. They probably weren’t happy with what they found. 19/23

The following day, they tried using every tool they could think of to try to disable Sophos. They used PsKill and PsExec and GMER. They tried using the Windows version of a tool called FixGo. They tried to use RemCom, “the open source psexec”
github.com/kavika13/RemCom 20/23