Preventing Cyber Attacks: Lessons from Atlanta with Senteon

Senteon
4 min read · Jul 29, 2021

On March 22, 2018, the City of Atlanta, Georgia publicly acknowledged that they had been the target of a ransomware attack that took down a large majority of the city’s infrastructure. This included online payments for water bills, traffic tickets, and city issue reporting. In an effort to prevent the ransomware from spreading, the city shut down the court system database as well as publicly available wifi. It would take Atlanta almost a week and an estimated $9.5 million to recover. This event was a monumental example of how a lack of sophisticated security controls can result in an extreme loss of data and network downtime.

Although the City of Atlanta never publicly released a post-mortem, analysis of similar campaigns involving SamSam, the ransomware strain used in this attack, has let us develop a likely scenario of how the attack may have unfolded and how Senteon could have helped prevent it.

Overview of SamSam Ransomware Attacks

SamSam attacks begin with focused assaults on external servers and exposed devices running misconfigured or unpatched versions of RDP, IIS, FTP and other network-based services. After gaining access to perimeter systems, the threat actors make their way through the internal network, exploiting common Windows vulnerabilities and misconfigurations with a mix of legitimate administration tools and offensive programs such as Mimikatz. SamSam maintains persistence on every system it touches, but does not deliver the actual ransomware payload until it has spread across the entire network. This strategy, combined with the fact that many of its techniques execute only in memory and that some variants clean up after themselves automatically, allows it to slip past antivirus solutions undetected until it is too late.

Attack Path

Below is a reduced diagram giving a basic idea of what the Atlanta network may have looked like. Key things to note are the web server in the network demilitarized zone (DMZ) and the RDP service routed directly to the internet for easy remote administration. Based on intelligence reports of SamSam attacks, this is a likely scenario in which the threat actors may have gained access to the Atlanta network.

In this reduced example, we show how attackers may have bypassed traditional defenses. As a city, Atlanta needed to have a web presence. Fully securing complex systems like a city-wide web service (e.g. IIS) is difficult, and it is more than likely that at least one vulnerability or misconfiguration would slip through the cracks over time. Having RDP services open to the internet was a clear vulnerability, but proper password protections may have deterred attackers and prevented access to those systems. The most critical point, however, is that once the attackers were in, they could swiftly move laterally across the entire network by leveraging weaknesses in native Windows credential handling and network authentication protocols.

Where Senteon Makes a Difference

So how would this have gone differently if Senteon had been installed? While we cannot reasonably claim that strong password policy alone would have entirely prevented a brute-force attack on an RDP instance, Senteon’s recommended password policies would at least have raised the time required from a day or a week to years. Additionally, Senteon controls could have prevented the attackers from stealing credentials and pivoting to the internal systems.

Following the example, Senteon controls would have protected against:

Attack: Credential Stealing from Forcing WDigest Authentication

Preventive Control (GPO): Computer Configuration\Administrative Templates\MS Security Guide\WDigest Authentication

Attack: Credential Stealing from CredSSP Provider (Non-Secure RDP Session)

Preventive Control (GPO): Computer Configuration\Administrative Templates\System\Credentials Delegation\Encryption Oracle Remediation

Attack: Remote Code Execution Through Unauthenticated RPC Calls

Preventive Control (GPO): Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrict Unauthenticated RPC clients

Attack: NTLM Downgrade Attacks

Preventive Control (GPO): Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

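The four GPO settings above each write a well-known registry value on the endpoint, which makes it possible to verify from the host itself whether the hardened state is actually in effect. The script below is an added example written for this post; it is not Senteon’s own code or output. It assumes the standard backing registry paths and value names for these policies (an absent value means the policy is not configured and the OS default applies), and it should be run from an elevated PowerShell session.

```powershell
# Added example (not from the Senteon post or product): audit the registry values
# behind the four GPO controls discussed above and report whether each is hardened.
# Assumption: these are the standard backing values for the listed policies.

$Checks = @(
    @{
        Name     = 'WDigest Authentication (MS Security Guide)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
        Value    = 'UseLogonCredential'
        Expected = @(0)            # 0 = WDigest does not keep clear-text credentials in LSASS
        Note     = 'Prevents clear-text credential recovery via WDigest'
    },
    @{
        Name     = 'Encryption Oracle Remediation (CredSSP)'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
        Value    = 'AllowEncryptionOracle'
        Expected = @(0)            # 0 = Force Updated Clients; 1 = Mitigated; 2 = Vulnerable
        Note     = 'Refuses CredSSP/RDP sessions with insecure, unpatched peers'
    },
    @{
        Name     = 'Restrict Unauthenticated RPC clients'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
        Value    = 'RestrictRemoteClients'
        Expected = @(1, 2)         # 1 = Authenticated; 2 = Authenticated without exceptions
        Note     = 'Anonymous RPC connections are rejected'
    },
    @{
        Name     = 'Minimum session security for NTLM SSP based clients'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
        Value    = 'NTLMMinClientSec'
        Expected = @(0x20080000)   # Require NTLMv2 session security + 128-bit encryption
        Note     = 'Clients will not negotiate down to weak NTLM session security'
    }
)

function Get-HardeningStatus {
    param([hashtable]$Check)

    # Read the backing value; a missing key or value name yields $null.
    $actual = $null
    if (Test-Path -Path $Check.Path) {
        $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($Check.Value) }
    }

    $status = 'NotConfigured'
    if ($null -ne $actual) {
        if ($Check.Expected -contains [int64]$actual) { $status = 'Hardened' } else { $status = 'Weak' }
    }

    $actualText = '(absent)'
    if ($null -ne $actual) { $actualText = '0x{0:X8}' -f [int64]$actual }

    [pscustomobject]@{
        Setting  = $Check.Name
        Status   = $status
        Actual   = $actualText
        Expected = ($Check.Expected | ForEach-Object { '0x{0:X8}' -f [int64]$_ }) -join ' or '
        Note     = $Check.Note
    }
}

$results = foreach ($c in $Checks) { Get-HardeningStatus -Check $c }
$results | Format-Table -AutoSize -Wrap

# Non-zero exit code when anything is weak or unconfigured, so a scheduled
# compliance job or log collector can pick the result up.
$failing = @($results | Where-Object { $_.Status -ne 'Hardened' })
if ($failing.Count -gt 0) {
    Write-Warning ('{0} of {1} settings are not in the hardened state.' -f $failing.Count, $results.Count)
    exit 1
}
exit 0
```

Run on a sample of domain members after the GPO has applied (or after `gpupdate /force`) and compare against the table above; a `Weak` result for the CredSSP or NTLM rows is the kind of early warning the article refers to, since it means a host would still accept the downgraded authentication paths that let SamSam operators harvest and reuse credentials.
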
If these controls had been in place, Atlanta may have been able to reduce the scope of the attack and would have had clear early warning signs of the events occurring on its network. Below is a representation of what would have happened if Senteon had been in place to harden configurations.

References

https://www.nytimes.com/2018/03/27/us/cyberattack-atlanta-ransomware.html

https://www.darkreading.com/operations/inside-a-samsam-ransomware-attack/a/d-id/1332076

https://www.secureworks.com/research/samsam-ransomware-campaigns

https://en.wikipedia.org/wiki/2018_Atlanta_cyberattack

https://us-cert.cisa.gov/ncas/alerts/AA18-337A

Senteon

Automated system hardening at the press of a button. Check us out at: Senteon.co