In order to disrupt human-operated ransomware attacks and prevent attackers from advancing their objectives through lateral movement, it is crucial to swiftly contain any compromised user accounts.
Taking this step is essential to limit the attackers’ ability to spread their malicious activity and protect the affected systems and data.
In human-operated ransomware attacks, lateral movement depends on compromising user accounts and elevating permissions, which often requires access to high-privilege credentials.
Cybersecurity researchers at Microsoft recently identified a large-scale Akira ransomware operation attacking unsecured computers.
Akira Ransomware Attacking Unsecured Computers
Attackers use various methods, like credential dumping and keylogging, to compromise user accounts.
Neglecting credential security can lead to rapid domain admin-level account compromise, allowing attackers to take control of the network.
In some cases, it takes just one hop from the initial access point to compromise domain admin-level accounts.
In June 2023, an industrial engineering organization faced a human-operated Akira ransomware attack that Microsoft security analysts attribute to Storm-1567.
Microsoft describes Akira as a closed ransomware strain, not openly marketed as ransomware-as-a-service, that uses ChaCha encryption and relies on PowerShell and WMI.
The attacker operated from devices that were not onboarded to Microsoft Defender for Endpoint in order to evade it. Microsoft stated that its endpoint solution could have blocked the attack sooner had those devices been onboarded, but it did protect the onboarded devices from ransomware.
After gaining network access, the threat actor carried out several suspicious activities, including:
- Tampering with security products
- RDP lateral movement on Windows Server devices
- Triggering multiple alerts
Microsoft Defender for Endpoint’s protections blocked these attempts. The attackers later tried to encrypt devices remotely, but the compromised user account was contained, protecting Defender-onboarded devices.
In August 2023, Microsoft Defender for Endpoint prevented a major attack early by containing a compromised user account.
The attack began at 4:00 AM with a password reset for the default admin account on an offboarded device, which was quickly detected and contained.
Further actions, such as network scans and RDP sessions, were blocked. The SOC then took additional remediation steps to evict the attackers fully.
To protect against determined attackers, a multi-layered security approach is essential. It should prioritize organization-wide defense, assume that compromise may already have occurred, and contain user accounts through decentralized controls tailored to disrupt the different stages of an attack.
Set of Controls
The set of controls is as follows:
- Sign-in restriction
- Intercepting SMB activity
- Filtering RPC activity
- Disconnecting or terminating active sessions
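The August 2023 case above (a password reset of the default admin account on an offboarded device, followed by network scans and RDP sessions that were blocked) and the four controls just listed can be tied together in code. The following is an added illustration, not Microsoft's implementation or any part of the Defender product: it runs simple detection rules over constructed Windows-style security events (field names loosely modelled on Event IDs 4724, 4624 and 5156, simplified), produces a containment policy for the flagged account, and shows how later sign-in and SMB/RPC attempts by that account are denied while a legitimate user is unaffected. The device inventory, account names, host names and thresholds are all constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed inventory of devices onboarded to the endpoint product.
# Any other device is treated as unmanaged ("offboarded" in the article).
ONBOARDED_DEVICES = {"FILESRV01", "APP02", "DC01"}
BUILTIN_ADMIN_RID = 500             # RID of the default Administrator account
SMB_PORT = 445
RPC_PORTS = {135} | set(range(49152, 65536))   # endpoint mapper + dynamic range
LATERAL_PORTS = RPC_PORTS | {SMB_PORT}
SCAN_THRESHOLD = 5                  # distinct hosts touched before we call it a scan
RDP_LOGON_TYPE = 10                 # 4624 logon type 10 = RemoteInteractive (RDP)


@dataclass
class Event:
    ts: datetime
    event_id: int        # 4724 password reset, 4624 logon, 5156 connection permitted
    host: str            # device that recorded the event
    actor: str           # account performing the action
    target: str = ""     # account whose password was reset (4724)
    target_rid: int = 0
    logon_type: int = 0
    dest_host: str = ""
    dest_port: int = 0


@dataclass
class ContainmentPolicy:
    """The four controls from the list above, applied to one account."""
    account: str
    reasons: list = field(default_factory=list)
    deny_signin: bool = True          # sign-in restriction
    block_smb: bool = True            # intercept SMB activity
    block_rpc: bool = True            # filter RPC activity
    terminate_sessions_on: set = field(default_factory=set)  # disconnect sessions


def detect_compromised(events):
    """Return {account: [reasons]} for accounts that should be contained."""
    reasons = defaultdict(list)
    fanout = defaultdict(set)        # actor -> distinct destination hosts
    for ev in sorted(events, key=lambda e: e.ts):
        # Rule 1: default admin password reset issued from a non-onboarded device
        if (ev.event_id == 4724 and ev.target_rid == BUILTIN_ADMIN_RID
                and ev.host not in ONBOARDED_DEVICES):
            reasons[ev.actor].append(
                f"{ev.ts:%H:%M} built-in admin reset from non-onboarded {ev.host}")
        # Rule 2: SMB/RPC fan-out to many hosts looks like a network scan
        elif ev.event_id == 5156 and ev.dest_port in LATERAL_PORTS:
            fanout[ev.actor].add(ev.dest_host)
            if len(fanout[ev.actor]) == SCAN_THRESHOLD:
                reasons[ev.actor].append(
                    f"{ev.ts:%H:%M} SMB/RPC fan-out to {SCAN_THRESHOLD} hosts from {ev.host}")
    return dict(reasons)


def build_policy(account, reasons, events):
    """Turn a verdict into a policy; sessions are cut on every host the account logged on to."""
    pol = ContainmentPolicy(account=account, reasons=list(reasons))
    pol.terminate_sessions_on = {
        ev.host for ev in events if ev.event_id == 4624 and ev.actor == account}
    return pol


def enforce(policies, ev):
    """Decide a later event against the policies: 'allow' or 'deny:<control>'."""
    pol = policies.get(ev.actor)
    if pol is None:
        return "allow"
    if ev.event_id == 4624 and pol.deny_signin:
        return "deny:sign-in"
    if ev.event_id == 5156:
        if ev.dest_port == SMB_PORT and pol.block_smb:
            return "deny:smb"
        if ev.dest_port in RPC_PORTS and pol.block_rpc:
            return "deny:rpc"
    return "allow"


def at(hhmm):
    """Constructed timestamps on an arbitrary day (sample data only)."""
    h, m = hhmm.split(":")
    return datetime(2023, 8, 1, int(h), int(m))


# Constructed timeline mirroring the article: 04:00 reset on an unmanaged device,
# then RDP onto a managed server and an SMB sweep from it; jdoe is a bystander.
SAMPLE_EVENTS = [
    Event(at("04:00"), 4724, "WKSTN-OLD", "CORP\\svc_backup",
          target="Administrator", target_rid=BUILTIN_ADMIN_RID),
    Event(at("04:03"), 4624, "FILESRV01", "CORP\\svc_backup", logon_type=RDP_LOGON_TYPE),
    *[Event(at("04:05"), 5156, "FILESRV01", "CORP\\svc_backup",
            dest_host=f"HOST{i:02d}", dest_port=SMB_PORT) for i in range(6)],
    Event(at("04:10"), 4624, "APP02", "CORP\\jdoe", logon_type=RDP_LOGON_TYPE),
]


def run(events=SAMPLE_EVENTS):
    """Detect, then build one policy per flagged account."""
    verdicts = detect_compromised(events)
    return {acct: build_policy(acct, why, events) for acct, why in verdicts.items()}


def post_containment_decisions(policies):
    """Constructed follow-up attempts: attacker retries versus a legitimate RDP logon."""
    probes = [
        Event(at("04:20"), 4624, "DC01", "CORP\\svc_backup", logon_type=RDP_LOGON_TYPE),
        Event(at("04:21"), 5156, "FILESRV01", "CORP\\svc_backup", dest_host="DC01", dest_port=SMB_PORT),
        Event(at("04:21"), 5156, "FILESRV01", "CORP\\svc_backup", dest_host="DC01", dest_port=135),
        Event(at("04:25"), 4624, "APP02", "CORP\\jdoe", logon_type=RDP_LOGON_TYPE),
    ]
    return [enforce(policies, p) for p in probes]


if __name__ == "__main__":
    pols = run()
    for acct, pol in pols.items():
        print(acct, pol.reasons, "terminate on", sorted(pol.terminate_sessions_on))
    print(post_containment_decisions(pols))
```

The point of the structure is that detection and enforcement are decoupled: once an account is flagged, every control is applied on each onboarded device independently, so the attacker's later RDP logon and SMB/RPC connections are refused without waiting for a central decision, which is the "decentralized controls" idea the text describes. In a real deployment the rules would be tuned (the scan threshold, which accounts count as privileged, how devices are inventoried) and the decisions logged for the SOC's follow-up eviction.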
User containment is a key feature in Microsoft 365 Defender, disrupting attacks with high confidence.
Onboarding devices to Microsoft Defender for Endpoint expands its reach, improving protection and reducing the risk of attacks via unprotected devices.