How hackers got full control of a network with a broken password – in just days
Hackers nowadays are very clever in terms of penetrating their victims. Just like when how a group of hackers was able to have full control of a network with a broken password.
And get this…
This group was able to do so in just a couple of days. Now, Microsoft is detailing how one hacking group was able to do this scheme in a breeze.
Read: Coronavirus-themed cyberattacks & phishing dropped, says Microsoft
One particular hacking group is the most effective with using cloud-based attacks, says Microsoft
A small security breach has quickly escalated to a bigger problem. Of all the organized crime and nation-state backed hackers that Microsoft tracks, this particular group it calls Holmium is among the most effective in using cloud-based attack vectors.
“Every day, we see attackers mount an offensive against target organizations through the cloud and various other attack vectors with the goal of finding the path of least resistance, quickly expanding foothold, and gaining control of valuable information and assets,” according to Microsoft’s Threat Protection Intelligence Team.
This group is also known as ATP33, StoneDrill, and Elfin. The group is widely linked to Iran and has been performing espionage and destructive attacks that target aerospace, defense, chemical, mining, and petrochemical companies for a number of years now.
Holmium used many techniques over the years of hacking
According to Microsoft’s researchers, the group uses different ways to gain access to its victims. Their techniques involve spear-phishing emails as well as attempts to use lists of passwords to break into accounts. This technique is known as ‘password spraying’.
But the group’s recent attacks have involved a penetration testing tool called Ruler that is used alongside compromised Exchange credentials. Since 2018, Holmium has been running with such a scheme and it launched another wave of such attacks in the first half of 2019.
How does the scheme work?
Typically, these attacks start with password spraying against exposed Active Directory Federation Services infrastructure. This is when a perpetrator attempts to gain unauthorized access to a large number of accounts by using a list of passwords repeatedly in a short period of time.
Microsoft also noted that businesses that are not employing multi-factor authentication had a higher risk of having accounts compromised.
Using with some Office 365 accounts, the group would then launched the next step with the Ruler, which gives them control over the PC. Next, the hackers would then explore further.
“Once the group has taken control of the endpoint (in addition to the cloud identity), the next phase was hours of exploration of the victim’s network,” Microsoft added. Hackers who were able to gain access would find more user accounts and PC to hack in the network.
These attacks only took the group less than a week – from the initial access via the cloud to gaining full access. And the worse part? The attackers can stay on long periods of time on the network – sometimes months.
Many organizations who fall victim to these attacks would usually react too late, giving the attackers enough time to gather information and use it at their disposal.
Microsoft said that earlier stages of the attack such as cloud events and password spray “activities were oftentimes missed”.
Regardless of whether an organization implements a traditional or modern approach, novel attack scenarios and techniques will still be introduced, that’s why Microsoft is warning organizations.