Security insights from ThreatLocker
On May 14, 2021, the Irish Health Service Executive (HSE) was hit by a ransomware attack.
As of May 20, 2021, much of the HSE infrastructure is still offline.
Ireland’s NCSC (National Cyber Security Centre) has released an interim report, outlining details about the threat, impact, and remediation steps being taken.
Their analysis shows that the variant used was Conti Ransomware v3, and that the attack was enabled by the prior deployment of Cobalt Strike Beacons on internal systems. The presence of these Cobalt Strike Beacons suggests that they were used to move laterally within the environment before the ransomware payload was executed.
Cobalt Strike is a commercially available post-exploitation framework developed for adversary simulations and penetration testing. It has become a preferred tool for both cybercriminals and nation-state adversaries alike.
Cobalt Strike leverages built-in tools in Windows, including PsExec and PowerShell, to gain a foothold and propagate within the environment. By using these otherwise innocuous but powerful Windows components, Cobalt Strike Beacons can evade most antivirus and EDR tools.
This highlights the critical importance of placing controls and limits on what tools like PowerShell can do in an environment. If PowerShell does not need access to the files on a system, it shouldn't have access to the files on a system. PowerShell should be blocked from accessing the internet, except for limited exceptions.
Adopting a deny-by-default or least privilege principle to control and limit the use of Windows components like PowerShell would have made this method of gaining a foothold in the HSE environment impossible. ThreatLocker Application Ringfencing™ puts granular controls around applications running in an environment, including limiting interaction with other applications and access to files, registry keys, and internet locations.
According to the NCSC report, once these footholds were gained within the environment, wmic was leveraged to delete shadow copies. Microsoft has published recommendations that unless explicitly required, wmic (among others) should be blocked from execution. ThreatLocker's Microsoft suggested policies include a template to block wmic.
Batch files were used to create and distribute the ransomware payload and psexec was used to execute the Conti Ransomware executable on the target endpoints.
These batch files and executables would have been blocked from running had an application whitelist been implemented to only allow approved applications to execute in the environment. ThreatLocker blocks the execution of any unapproved batch file or application – including known and unknown malware.
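As an added illustration (not ThreatLocker's code, and not taken from the NCSC report), the following Python checks constructed process-creation events for the chain described above: wmic deleting shadow copies, PsExec-launched batch files pulled from a share, and a deny-by-default allow list that would stop the unapproved executable before it runs. It generalises slightly by also matching vssadmin shadow deletion; hostnames, paths, image names and the allow list are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (simplified Event 4688 / Sysmon style)."""
    host: str
    parent_image: str
    image: str
    cmdline: str


# Constructed sample events; hostnames, share paths and "payload.exe" are hypothetical.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "explorer.exe", "wmic.exe", "wmic os get caption"),
    ProcEvent("WS01", "cmd.exe", "wmic.exe", "wmic shadowcopy delete"),
    ProcEvent("WS02", "PSEXESVC.exe", "cmd.exe", r"cmd /c \\fs01\share\deploy.bat"),
    ProcEvent("WS02", "cmd.exe", "payload.exe", r"\\fs01\share\payload.exe"),
    ProcEvent("WS03", "explorer.exe", "winword.exe", "winword /n budget.docx"),
]

# Deny-by-default: only these images may execute. wmic.exe is deliberately absent,
# following the Microsoft recommendation the text cites to block it unless required.
ALLOWLIST = {"explorer.exe", "winword.exe", "cmd.exe"}

# Shadow-copy deletion via wmic (as in the report) or vssadmin (common equivalent).
SHADOW_DELETE = re.compile(r"\bshadowcopy\s+delete\b|\bvssadmin\b.*\bdelete\s+shadows\b", re.I)
# A .bat file referenced by UNC path, i.e. a batch file distributed from a share.
BATCH_FROM_SHARE = re.compile(r"\\\\[^\s\\]+\\\S+\.bat\b", re.I)


def evaluate(ev):
    """Return the findings for one event; an empty list means nothing suspicious."""
    findings = []
    if ev.image.lower() not in ALLOWLIST:
        findings.append("blocked_by_allowlist")  # would not have run under deny-by-default
    if ev.image.lower() in {"wmic.exe", "vssadmin.exe"} and SHADOW_DELETE.search(ev.cmdline):
        findings.append("shadow_copy_deletion")  # pre-encryption step seen in the HSE attack
    if ev.parent_image.lower() == "psexesvc.exe":
        findings.append("psexec_remote_execution")  # PSEXESVC is the service PsExec installs on targets
    if BATCH_FROM_SHARE.search(ev.cmdline):
        findings.append("batch_from_network_share")
    return findings


def triage(events):
    """Map host -> sorted finding names, for hosts with at least one finding."""
    per_host = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            per_host.setdefault(ev.host, set()).update(hits)
    return {h: sorted(s) for h, s in per_host.items()}
```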
Ransomware attacks such as the attack on the HSE are successful because once an application runs using compromised user credentials, the ransomware has unrestricted access to all data the compromised user has access to.
By implementing default-deny principles for data storage locations and only permitting applications that require access to those locations to reach them, the damage resulting from the ransomware attack on the HSE would have been significantly diminished. ThreatLocker Storage Control allows administrators to restrict and control which applications are allowed to access data storage locations.
Although it has been reported that Windows 7 may still be in use within the HSE, it's unlikely to have been a factor in this attack.
The detail contained in this report clearly illustrates the need for a different approach to be taken to endpoint and data security.
In response to a similar attack on the Colonial Pipeline, as well as the recent Exchange Server and SolarWinds hacks, the US government has issued an executive order mandating that US government agencies advance towards a Zero Trust architecture.
The Zero Trust approach is governed by a philosophy acknowledging that, “threats exist both inside and outside traditional network boundaries” and that a breach is inevitable or has already occurred. To adapt, organizations must operate within the framework that no user, network, or device can be trusted by default until proven otherwise. When trust is given, granular policy controls should be enforced.
To learn more about how ThreatLocker protects against ransomware, schedule a one-on-one demonstration here.
ThreatLocker’s powerful suite of security tools is designed so that everyone from businesses to government agencies to academic institutions can directly control exactly what applications run on their networks. We envision a future in which all organizations can chart their own course free from the influence of cybercriminals and the damage their incursions cause, and our team of veteran cybersecurity professionals created ThreatLocker to make this vision a reality.