There is a popular belief in the cybersecurity community that a hacker only has to compromise a single computer in an enterprise to successfully initiate a hack, while the network or administrator must protect every single device in order to successfully do their job. This notion was exemplified two months ago when a school system in Georgia, USA was forced to combat a large-scale virus attack for 6 weeks. The anatomy of how the malware attack infiltrated the school system serves as a classic example of how cybercriminals can attack the smallest of vulnerabilities inside your network and see the effects quickly spread throughout.
Delaying the Inevitable
The school system practiced multilayer security that included an enterprise firewall appliance, web filtering solution, Office 365 spam filtering supplemented by ATP as well as endpoint protection. For the most part, their enterprise was solidly protected, that is, except for a small handful of computers in the transportation department. While the school system’s IT department had been migrating all desktops to Windows 10 and upgrading all servers with an OS earlier than Server 2012 to a current server release, the transportation department continually delayed these efforts within their department. Department employees shared a plethora of files on a local Windows 2003 server and some employees still worked from XP machines. The department heads always insisted that it was a bad time to upgrade whenever the issue came up.
Unfortunately, it became a bad time for everyone when the Emotet virus infected the school's network using the EternalBlue exploit. Earlier this year Emotet cost a North Carolina School District $314,000. Emotet attacks are often targeted at educational organizations. EternalBlue takes advantage of a well-known vulnerability that exploits Microsoft Server Message Block 1.0. SMB is a network file sharing protocol that allows applications on a computer to read and write to files and request services. The SMBv1 protocol comes built-in with all Windows versions for backward compatibility. Emotet dates back to 2014 and was originally released as a banking Trojan. Since then it has evolved into a load for other types of malware and Trojans as well.
The vulnerability was publicly discovered early in 2017 and Microsoft issued the MS17-010 patch in March of 2017 to eliminate the vulnerability for current platforms. They later released patches for Windows XP, Windows 8 and Server 2003 even though those machines are no longer supported. Unfortunately, this was an out-of-band update that required IT personnel to manually download the patch and install it. For one reason or another, the released patch was never installed on these outdated machines.
The Anatomy of a Virus Infection
Although an investigation has yet to discover how the virus was first launched, it is believed that someone in the transportation department clicked on something in an email. The user was using an XP machine which had several drives mapped to the local Windows 2003 Server. Once the virus established a beachhead within the department, it began to laterally infect other machines. It further infected the victimized machines with cryptoming malware which seemed to be the primary mission of the attack.
Cryptomining processes consume CPU resources, making the machines virtually useless. Many of the infected machines perpetually bluescreened and rebooted throughout the day due to resource consumption. The school’s network itself also slowed to a crawl due to the malicious traffic streams travelling across the SMB lateral highway throughout the enterprise.
Because the rest of the school system had properly upgraded its machines to supported operating systems, the virus needed another way to spread itself. A keylogger was deposited on the infected machines and was soon able to capture the credentials of an IT support technician that had domain admin rights. With the newly captured credentials, Emotet then began disabling the updating feature of Windows Defender on desktops and key servers including domain controllers.
After a week passed, the virus was able to install newly released Trojans on these machines by creating scheduled tasks under the administrator account. An Emotet spam module then began sending malicious spam messages to users throughout the district utilizing several takes on an invoice that needed attention. Several users fell for the scheme, infecting their machines. Other devices obtained the virus from shares that resided on infected servers. Emotet then deployed the Trickbot banking Trojan that quickly targeted systems that performed financial transactions. Fortunately, the financial software detected the virus and refused a connection to the external banking site.
How the IT Department Contained the Virus
Not knowing the status of the endpoint protection for its machines, the IT department first went about disabling SMBv1 on all machines which began speeding up the network. A Windows Group Policy was created to deny the creation of scheduled tasks throughout the network. They then manually downloaded the most current updates for Windows Defender and installed them on all machines that were behind in updates. They then ran Autoruns for Windows and deleted all processes and files that ran through the Trojan application.
All in all, it took 6 full weeks for the overly stretched IT department to get a handle on the virus, contain it and eliminate it. Since then, the IT department has created new IT policies concerning the mandatory upgrades and patching for all computer systems. They have also retired the practice of internal file sharing, requiring all personnel to share files in the cloud.
The fact is all of this could have been avoided had it not been for neglecting two key principles of cybersecurity hygiene:
- Upgrade all unsupported operating systems and devices
- Always ensure that all devices are properly updated
Unfortunately, hackers can easily find out if you're an Office 365 organization. They can do so because you broadcast it to the world on your public DNS MX records. Knowing that you are an Office 365 subscriber can influence how they go about launching an attack on your network. This gives a huge advantage from the outset.
Many organizations are utilizing a multi-layer security approach for their email as they find the solutions offered by dedicated email security vendors to be more effective, flexible and less expensive than Microsoft’s Advanced Threat Protection which requires additional licensing and costs.