

The cybercriminals' web searches showed they used the government computers to find and install several post-intrusion tools and other types of malicious software. This included password brute-forcers, crypto-miners, and pirated versions of VPN client software.

Additionally, Sophos found evidence the gang "used freeware tools like PsExec, FileZilla, Process Explorer, or GMER to execute commands, move data from one machine to another, and kill or subvert the processes that impeded their efforts."

The network's technicians made some blunders, too, Sophos noted. In one case, they left a protective feature disabled after finishing maintenance work. This left some systems vulnerable to meddling by the infiltrators, who switched off endpoint security products on the servers and some desktops and then installed remote-access tools to maintain control of the machines.

"With no protection in place, the attackers installed ScreenConnect to give themselves a backup method of remote access, then moved quickly to exfiltrate files from file servers on the network to cloud storage provider Mega," Brandt and Gunn wrote.

After five months of Googling malware and poking around on the agency's network, the criminals' behavior changed "dramatically," Sophos noted.

OK, Google, what malware should I use?

The logs showed that they remotely connected and installed Mimikatz, an open-source tool that can extract account usernames and login credentials from Windows systems.

At this point, the attackers started acting more like professional cybercriminals, and Sophos also noted the IP address locations expanded.

The security shop adds that its antivirus products cleaned a first attempt at running this software, but "the IT department didn't heed the warning" from the Sophos suite, apparently, and additional attempts to run Mimikatz via a compromised account worked.
