Midas Ransomware Attack Highlights the Risks of Limited Access Controls and “Ghost” Tools
There have been findings from an incident involving Midas ransomware that took place over two months and involved extensive lateral movement through the target’s network to compromise machines and accounts.
The target is a technology company with fewer than 100 staff. At the time of the incident, most employees were working remotely due to the ongoing pandemic. The company has a wide range of remote services and access tools installed. A number of the remote access tools were “ghost” tools: no longer in use but still installed and the attackers were able to leverage some of them, including AnyDesk and TeamViewer, in the attack.
“The traditional security perimeter no longer exists. Today’s IT environment has a dynamic boundary, marked by a cloud-based, virtual IT infrastructure and internet-facing assets. This requires a revolutionary new approach to cybersecurity, one that doesn’t take anything on trust, ever. The investigation into the Midas ransomware incident shows what can happen when an attacker successfully breaches a victim’s perimeter and there are no internal restrictions,” said Chester Wisniewski, the principal research scientist at Sophos.
“The attackers were able to spend nearly two months undetected in the victim’s IT environment, taking advantage of limited access controls and network and application segregation, as well as no-longer-used, “ghost” remote access tools, to move laterally, target and compromise other machines, create new accounts, install backdoors, and exfiltrate data, before releasing the ransomware during a holiday weekend when no-one was watching,” he added.
Alongside the urgent need to remove unused tools and services, a robust defense against such attacks requires an approach to security known as Zero Trust Network Access (ZTNA.)
ZTNA demands verification of every endpoint, server and user before granting access to an application or any part of the networks. As adversaries grow ever more skilled in exploiting remote tools and credentials and turning a target’s security policies against them, a defense-in-depth approach to security based on the concept of: of ‘trust nothing, verify everything’ will become the benchmark for protection.”
To learn more about other “ghost” tools used in attacks, read Nefilim Ransomware Attack Uses Ghost Credentials on Sophos News.