CCNY Tech is an IT hardware sales, maintenance, and recycling company, located in Utica, NY. In the IT business for over 25 years, this company has learned the ins and outs of the tech world and has some of the most knowledgeable engineers. CCNY Tech provides support throughout the lifecycle of the datacenter. They supply, install, maintain, decommission, refurbish, and recycle networking equipment. CCNY Tech is there for any step of the process for businesses like yours.
The Attack
A company was targeted by a ransomware attack. Our team helped to uncover that the version of the ransomware was fairly new, and goes by the name of SamSam. The attack appeared to be a variation of the Locky family of ransomware which is a fairly common attack in use. The attack can only be started/performed from within the network of the targeted company. The attackers managed to lock down all systems (PCs and Servers) at the location, and an affiliated location. All business orientated systems were affected.
Although the attack appeared at the company location, it then spread from there via the VPN tunnels built between each yard and the datacenter back at headquarters. The attackers appeared to have either had direct access to a domain administrator level account, or performed an elevation attack against the Active Directory environment using a lower level user account made into a domain administrator for the duration of the assault.
The attackers used the elevated account on all affected systems due to the flat active directory setup that is currently used by the company. This means that if someone has an elevated account at HQ or a satellite site,k they can affect systems at any other affiliated location connected to their system via VPN tunnel. This allowed the attackers to spread as quickly as they did and with little to no affect on their ability to spread the virus as fast as possible.
Our engineers were unsure if the Cisco Meraki units being used had all Advanced Security Services installed and configured to protect internal systems from this type of assault. The virus is designed to spread on its own within a network segment after the initial user directed payload is delivered into a network. The Meraki systems can be setup to check for activity taking place within a network segment that it has defined to protect against system to system virus jumps.
The Process
Remediation was done on a system by system basis with a full wipe and rebuild of all infected PCs and servers in an offline state at Rubicon. At the other location, we were able to shortcut the process by deploying a clean OS image and deploying it to all machines in the office. This necessitated the purchase of new OS licenses for some systems, and new business software licenses as well (Microsoft Office, etc.) which we were informed needed to be physical keys and not VLA or Subscription based.
Recommendations
Restructure the Active Directory and the Domain Structure for the entirety of Location using a parent child domain set up. Location would become the parent domain, making it the central domain controller for your company. Each location outside of the main facility would be added on as a child domain. The child domain is controlled by the Location parent domain and while it can interact with it, it cannot directly affect it. This is designed to prevent an administrator level account at affiliated location being used against Location or even a sister child domain.
Design and implement a new equipment policy for any IT equipment that is added to the company’s infrastructure. If a new device is going to be added into the domain and it is a server, ensure that it goes through a hardening process by adding all of Location security software and remote management software prior to going live. For PCs and Servers, inventory all licenses to be applied and maintain a centralized spreadsheet containing all existing or newly purchased licenses across the company. This will reduce the attack vector to a known source, and will allow for quicker recovery if a wipe and rebuild is needed for a new piece of equipment.
Updating and tweaking Firewall settings, starting with enabling firewall logging. This gives the admin the ability to go back and check for anomalies in your system that may have crossed your network. From the firewall, depending on the model and manufacturer you can block certain protocols that would allow for remote access of a system and only allow access from a specific outside IP addresses. You may also run web filtering to prevent users from accessing questionable content. Intrusion Prevention protocols and DNS filtering can also aid greatly in preventing outside attackers from gaining a foothold.
Implement a tiered backup solution that will do local backups of each location and will then store a copy of the data off site. This would allow a restoration of each location that goes down back to the most recent update. Have all documents and files be backed up to a file server, which would be regularly backed up itself, while also using redundant drive arrays.
Spam filtering if it has not been implemented or installed before your exchange server. This can be via Barracuda, Fortinet or any other vendor who provides either standalone appliances or Virtual Machines.
Sandboxing software/hardware installed at Location HQ to scrub and check all files being moved through the VPN tunnels between locations or too central. Several Vendors offer variations on this such as Fortinet, Sophos and MetaFlows, all of which will test any files in the network traffic and can be specifically invoked by the end users as well if they have any concerns.
Block USB ports on the majority of systems in the company to prevent people from bringing in and using non approved USB storage devices such as thumb drives, USB HDD drives, etc. This can be implemented either by 3rd party software or Microsoft Active Directory Group Policy.
Jason Germond, IT Sales Specialist
CCNY Tech is an IT sales and services company. For over 25 years, CCNY Tech has been supplying IT equipment as well as providing maintenance and IT recycling services. Partnering with some of the top brands in the industry, they are experts in equipment and custom configurations. CCNY Tech IT professionals provides custom solutions to businesses of all sizes. Learn more at ccnytech.com.