Type of Attack: Ransomware
Company Size: 650 employees
Employees arrived to find every server down and no access to any on-site data. All three of the school's VMware ESXi hosts were inaccessible, and every server had been encrypted and left with a ransom note. The threat actor entered the network through a relatively new attack vector: rather than compromising a server and working up to domain control, they went straight at the ESXi hosts, whose management interfaces were reachable from the internet. Encrypting the hosts themselves took down everything stored on them, including every virtual machine they ran.
The organization had recently reduced its four-person IT team to a single administrator. That one person could not keep up with all the IT work, so the school's ESXi hosts were not updated and were running an outdated, vulnerable version, most of its servers were unpatched (the cited CVE-2019-0708, BlueKeep, is a vulnerability in Windows Remote Desktop Services, so it applied to the Windows servers rather than to ESXi), backups were incomplete, and the replication site was not functioning. The administrator was unaware of these issues, and the gaps allowed the attacker to exfiltrate data from the network.
What We Did
Blue Team Alpha incident responders were on-site within 24 hours of the engagement. They began threat hunting immediately, deploying incident response tooling throughout the environment.
The school was running an old version of ESXi that had been reachable from the internet and carried unpatched vulnerabilities. As part of remediation, responders wiped the ESXi hosts and rebuilt them on the latest available version to minimize future exposure, going beyond what most incident response teams would do. They also reconfigured the school's firewall to a more restrictive policy and rebuilt the school's entire domain so that all domain servers could function properly.
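One of the first hunts worth running on an internet-reachable ESXi host is a pass over its SSH authentication log for logins that did not come from the management network, and for the password-guessing bursts that tend to precede them. The script below is an added example written for this write-up; it is not Blue Team Alpha's tooling. It assumes ESXi writes OpenSSH-style "Accepted ..." and "Failed ..." lines to /var/log/auth.log, the management allowlist MGMT_NETS is hypothetical, and SAMPLE_LOG is constructed rather than a real capture.

```python
"""Hunt over ESXi auth.log lines for interactive logins from outside the
management network and for brute-force bursts preceding them.

Added example for this write-up; it is not Blue Team Alpha's tooling.
Assumptions: ESXi writes OpenSSH-style "Accepted ..."/"Failed ..." lines
to /var/log/auth.log, the management allowlist below is hypothetical,
and SAMPLE_LOG is constructed, not a real capture.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical management network: the only place admins should log in from.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample lines in the shape ESXi's auth.log uses.
SAMPLE_LOG = """\
2023-09-14T02:11:03Z sshd[2099872]: Failed password for root from 198.51.100.23 port 48122 ssh2
2023-09-14T02:11:07Z sshd[2099872]: Failed password for root from 198.51.100.23 port 48122 ssh2
2023-09-14T02:11:12Z sshd[2099872]: Failed password for root from 198.51.100.23 port 48122 ssh2
2023-09-14T02:11:19Z sshd[2099901]: Accepted keyboard-interactive/pam for root from 198.51.100.23 port 48190 ssh2
2023-09-14T08:30:44Z sshd[2101544]: Accepted keyboard-interactive/pam for admin from 10.10.0.15 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_auth_log(text):
    """Return one dict per sshd login attempt; unrelated lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def is_management_ip(ip, nets=MGMT_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def hunt(events, nets=MGMT_NETS, fail_threshold=3):
    """Flag (a) successful logins from outside the management network, noting how
    many failures from the same source preceded them, and (b) sources with at
    least fail_threshold failed attempts, whether or not they eventually got in."""
    findings = []
    failures = Counter()  # failed attempts seen so far, per source IP
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif not is_management_ip(ev["ip"], nets):
            findings.append({
                "kind": "external_login", "ts": ev["ts"], "ip": ev["ip"],
                "user": ev["user"], "preceded_by_failures": failures[ev["ip"]],
            })
    for ip, n in failures.items():
        if n >= fail_threshold:
            findings.append({"kind": "brute_force", "ip": ip, "failures": n})
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_auth_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample the script reports one external root login from 198.51.100.23 that followed three failed passwords from the same address, and a brute-force finding for that address; the admin login from the management network is not flagged. On a real host, pull the log with the hosts' existing syslog forwarding rather than reading it in place, since a rebuilt or encrypted host may no longer have it.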
While restoring the school, our responders moved it to new platforms, improved perimeter security and created new backup and recovery processes and procedures to address the insufficient backups.
At the end of the recovery phase, our cyber experts ran a vulnerability scan to highlight the vulnerabilities remaining in the environment and provided the school with a security roadmap: a complete list of findings, with the most critical ones called out. Vulnerability assessments are not typically part of the incident response process; Blue Team Alpha includes them so clients know where their weaknesses are and can better avoid another attack.
We communicated with the threat actor and confirmed that they had exfiltrated data from the network. The organization elected not to pay the ransom because our incident responders recovered enough data to continue business operations. Recovery restores availability but does not recall data already taken, so the exposure of the exfiltrated data remained a separate risk to manage.
Although the attack's direct impact was limited to interrupting the school's internal communications, it could have been significantly worse: a complete shutdown, or a leak of critical, sensitive data. This war story is another reminder that organizations must maintain basic cyber hygiene, specifically vulnerability management, patching, and keeping all systems up to date.
Any system exposed to the internet must be kept updated. In this case the ESXi hosts also ran the school's Virtual Desktop Infrastructure (VDI), which the school had published to the internet, and because the ESXi software was not updated the whole network was open to attack. Publishing VDI does not require exposing the hypervisor's own management interfaces (SSH, the HTTPS host client and vSphere API, and the port-902 console service); those belong behind the firewall, reachable only from a management network or over a VPN. Cybercriminals typically choose the easiest target, so keeping systems patched, and management planes off the internet, is a simple way to protect against attacks.
Regular vulnerability assessments matter. Had this school run them routinely, it would have known its risk and which gaps it needed to close. This is a common issue we see: organizations are not aware of their security gaps and do not find out until they have been attacked.
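The distinction between publishing the VDI gateway and exposing the hypervisors' management ports is something a firewall review can check mechanically. The script below is an added example for this write-up, not the page's or Blue Team Alpha's code; the rule format, the address ranges (192.0.2.0/29 for the hosts, 10.10.0.0/24 as the management network) and both rule sets are constructed for illustration. WEAK_RULES mirrors the state in the story, HARDENED_RULES the corrected policy.

```python
"""Audit of perimeter firewall rules for ESXi management ports reachable from
the internet. Added example for this write-up, not the page's or Blue Team
Alpha's code; the rule format, the address ranges and both rule sets are
constructed for illustration."""
import ipaddress

# ESXi management services that should only ever be reachable from a
# management network: SSH, the HTTPS host client / vSphere API, and the
# port-902 remote-console agent. Publishing VDI does not require any of these.
ESXI_MGMT_PORTS = {22: "ssh", 443: "https/vsphere-api", 902: "vmware-auth/console"}

# Hypothetical addressing: the ESXi hosts and the only network allowed to manage them.
ESXI_HOSTS = ipaddress.ip_network("192.0.2.0/29")
MGMT_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]

# "Before": the hypervisors' management ports are open to the world, alongside the
# VDI gateway VM (192.0.2.20) that genuinely needs to be published.
WEAK_RULES = [
    {"name": "vdi-gateway",  "src": "0.0.0.0/0",      "dst": "192.0.2.20/32", "dport": 443,  "action": "allow"},
    {"name": "esxi-admin",   "src": "0.0.0.0/0",      "dst": "192.0.2.0/29",  "dport": 443,  "action": "allow"},
    {"name": "esxi-ssh",     "src": "203.0.113.0/24", "dst": "192.0.2.0/29",  "dport": 22,   "action": "allow"},
    {"name": "esxi-console", "src": "0.0.0.0/0",      "dst": "192.0.2.0/29",  "dport": 902,  "action": "allow"},
]

# "After": only the gateway stays public; management is restricted to MGMT_SOURCES
# and everything else toward the hosts is dropped.
HARDENED_RULES = [
    {"name": "vdi-gateway",  "src": "0.0.0.0/0",    "dst": "192.0.2.20/32", "dport": 443,  "action": "allow"},
    {"name": "esxi-admin",   "src": "10.10.0.0/24", "dst": "192.0.2.0/29",  "dport": 443,  "action": "allow"},
    {"name": "esxi-ssh",     "src": "10.10.0.0/24", "dst": "192.0.2.0/29",  "dport": 22,   "action": "allow"},
    {"name": "esxi-deny",    "src": "0.0.0.0/0",    "dst": "192.0.2.0/29",  "dport": None, "action": "deny"},
]


def _trusted_source(src, mgmt_sources):
    """True only if every address the rule admits lies inside a management range."""
    return any(src.subnet_of(net) for net in mgmt_sources)


def exposed_management_rules(rules, hosts=ESXI_HOSTS, mgmt_sources=MGMT_SOURCES):
    """Return allow rules that let an untrusted source reach an ESXi management
    port on any of the hosts. A rule with dport None matches every port."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if not dst.overlaps(hosts) or _trusted_source(src, mgmt_sources):
            continue
        ports = list(ESXI_MGMT_PORTS) if rule["dport"] is None else [rule["dport"]]
        for port in ports:
            if port in ESXI_MGMT_PORTS:
                findings.append({"rule": rule["name"], "src": rule["src"],
                                 "port": port, "service": ESXI_MGMT_PORTS[port]})
    return findings


if __name__ == "__main__":
    print("weak rules:", exposed_management_rules(WEAK_RULES))
    print("hardened rules:", exposed_management_rules(HARDENED_RULES))
```

Against WEAK_RULES the audit flags the three rules that reach 443, 22 and 902 on the host range (a source of 203.0.113.0/24 is flagged too, because it is not a subset of the management network), and leaves the gateway rule alone; against HARDENED_RULES it returns nothing. The check deliberately ignores rule ordering, so an allow that a preceding deny already shadows is still reported, which is the safer direction for a review. The same restriction can be enforced on the hosts themselves with the ESXi firewall (for example `esxcli network firewall ruleset set --ruleset-id sshServer --allowed-all false` followed by `esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 10.10.0.0/24`), so that the perimeter rule is not the only thing standing between the internet and the hypervisor.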