OXFORD, U.K.  — 1月 26, 2021 —

Sophos, a global leader in next-generation cybersecurity, today published its latest findings into real world attacks investigated by its Rapid Response team. The article, “Nefilim Ransomware Attack Uses ‘Ghost’ Credentials,” details how a failure to keep close tabs on “ghost” account credentials facilitated two recent cyberattacks, one of which involved Nefilim ransomware.

Nefilim, also known as Nemty ransomware, combines data theft with encryption. The target hit by Nefilim had more than 100 systems impacted. Sophos responders traced the initial intrusion to an admin account with high level access that attackers had compromised more than four weeks before they released the ransomware. During this time, the attackers were able to quietly move through the network, steal credentials for a domain admin account, and find and exfiltrate hundreds of GB of data, before unleashing the ransomware that revealed their presence.

The hacked admin account that enabled this belonged to an employee who had sadly passed away around three months previously. The company had kept the account active because it was used for a number of services.

In the second, unrelated attack, Sophos responders found that intruders had created a new user account and added it to the target’s domain admin group in Active Directory. With this new new domain admin account, the attackers were able to delete approximately 150 virtual servers and encrypt the server backups using Microsoft Bitlocker – all without setting off alerts.

“If it wasn’t for the ransomware that flagged the presence of intruders, how long might the attackers have had domain admin access to the network without the company knowing?” said Peter Mackenzie, manager, Sophos Rapid Response. “Staying on top of account credentials is basic, but critical cybersecurity hygiene. We see far too many incidents where accounts have been set up, often with considerable access rights, that are then forgotten about, sometimes for years. Such ‘ghost’ accounts are a prime target for attackers.

“If an organization really needs an account after someone has left the company, they should implement a service account and deny interactive logins to prevent any unwanted activity. Or, if they don’t need the account for anything else, disable it and carry out regular audits of Active Directory.

“The danger is not just keeping outdated and unmonitored accounts active; it is also giving employees greater access rights than they need. Fewer accounts need to be a domain admin than most people think. No account with privileges should be used by default for work that doesn't require that level of access. Users should elevate to using the required accounts when needed and only for that task. Further, alerts should be set so that if the domain admin account is used or if a new admin account is created, someone knows.” 

Nefilim ransomware was first reported on in March 2020. Like other ransomware families such as Dharma, Nefilim mainly targets vulnerable Remote Desktop Protocol (RPD) systems as well as exposed Citrix software. It is one of a growing number of ransomware families, alongside DoppelPaymer and others that engages in so-called “secondary extortion,” with attacks that combine encryption with data theft and the threat of public exposure.

Further information on the incidents, including Indicators of Compromise (IoCs) and tactics, techniques and procedures (TTPs) for the Nefilim attack, can be found in “Nefilim Ransomware Attack Uses ‘Ghost’ Credentials.

Nefilim-Ransomware

ソフォスについて

ソフォスは、MDR (Managed Detection and Response) サービス、インシデント対応サービス、およびエンドポイント、ネットワーク、メール、クラウド セキュリティ テクノロジーの幅広いポートフォリオなど、サイバー攻撃を阻止する高度なセキュリティソリューションを提供する世界的なリーダーであり、革新的な企業です。ソフォスは、最大手のサイバーセキュリティ専門プロバイダーの 1つであり、全世界で 60万以上の組織と 1億人以上のユーザーを、アクティブな攻撃者、ランサムウェア、フィッシング、マルウェアなどから保護しています。ソフォスのサービスと製品は、Sophos Central 管理コンソールを介して接続され、企業のクロスドメイン脅威インテリジェンスユニットである Sophos X-Ops を利用しています。Sophos X-Ops のインテリジェンスは、Sophos ACE (Adaptive Cybersecurity Ecosystem) 全体を最適化します。このエコシステムには、お客様、パートナー、開発者、その他のサイバーセキュリティおよび情報技術ベンダーが利用できる豊富なオープン API セットを活用する一元化されたデータレイクが含まれます。ソフォスは、フルマネージド型のソリューションを必要とする組織に、Cyber​​security-as-a-Service を提供します。お客様は、ソフォスのセキュリティ運用プラットフォームを使用してサイバーセキュリティを直接管理することも、脅威ハンティングや修復などソフォスのサービスを使用して社内チームを補完するハイブリッドアプローチを採用することもできます。ソフォスは、リセラーパートナー、MSP (マネージド サービス プロバイダ) を通じて販売しています。ソフォス本社は英国オックスフォードにあります。詳細については www.sophos.com をご覧ください。