DIVECORP, a global company with offices in Florida, Bali, and Mexico, experienced a severe security incident when an SQL 2014 server running on Windows Server 2012 R2 was compromised. The attackers could access the server using the SA credentials, which were never changed, and the SA account was never disabled. These credentials were harvested from a plain text file on a compromised web server, where a developer had mistakenly left them. As a result, the attackers could use the compromised SQL server to spread throughout the network, eventually leading to a ransomware attack that was delivered during the busiest time of the month.
Incident Scenario:
DIVECORP’s webserver was compromised when a developer mistakenly left the SA credentials in a plain text file. As a result, the attackers could gain access to the web server and harvest the SA credentials, which they then used to access the SQL 2014 server. Once the attackers had access to the SQL server, they could move laterally throughout the network, using various techniques to avoid detection.
The attackers eventually established a C2 instance, which they masked to evade detection by the company’s security tools. As a result, they could move freely throughout the environment, gathering data and identifying high-value targets. When the month-end came, the attackers launched a ransomware attack, encrypting the company’s critical files and demanding payment in exchange for the decryption key.
Root Cause Analysis:
The incident’s root cause was the failure to follow best practices for securing credentials, which allowed the attackers to harvest the SA credentials from the compromised webserver. Additionally, the SA account was not disabled, and the credentials were never changed, providing the attackers an easy entry point into the SQL server.
Another contributing factor was the failure to monitor the environment for unusual activity. As a result, the attackers could move laterally throughout the network and establish a masked C2 instance without being detected. The company’s security tools could not identify the suspicious activity, allowing the attackers to remain undetected for an extended period.
Conclusion:
The incident at DIVECORP highlights the importance of following best practices for securing credentials and monitoring the environment for unusual activity. Companies can reduce the risk of a security incident by ensuring credentials are correctly secured and implementing monitoring tools to detect suspicious behaviour. It’s also essential to have an incident response plan, which includes procedures for identifying and containing a security incident and a plan for recovery in case of a successful attack.
Thanks,
John O’Neill Sr. rMVP