Peruvian Uni Attack Thwarted

There’s no shortage of ransomware horror stories; every month, it seems, brings with it a new record-breaking demand, stories of essential systems becoming inoperative, sometimes even unfathomable sums being paid out to shady organisations. It’s easy to see why chaos and destruction make the headlines, but sometimes a story surfaces of cybersecurity professionals overwhelming their adversaries. This is one such story.
The Peruvian University of Applied Sciences (UPC), an affiliate of Laureate International Universities, is one of the highest ranking universities in Peru. With its main campus located in Lima, it provides higher education for over 45,000 students from all over the world. Naturally, such a large institution is a prime target for cybercriminals, which is why UPC sets great store by protecting its assets and students’ data from attacks.
Long story short
On 13 May 2021, the Laureate security team became aware of an ongoing ransomware attack directed against two UPC servers. Though the attacker managed to escape identification, it is clear that they were both financially motivated and unable to achieve their goal. Subsequent analysis revealed that the points of entry were old admin accounts shared between multiple users. The accounts had no multi-factor authentication (MFA) implemented, and such poor IT hygiene was the main source of vulnerability. All traces of infection have been detected, quarantined, and eradicated without any major business interruption. No student services were affected.
How it started…
It turns out the attackers gained entry to the accounts about two weeks prior to detection, but did nothing that would raise the alarm. What allowed the Laureate security team to pinpoint malicious activity was the use of the hacking tool Mimikatz on UPC servers under privileged accounts. Mimikatz is an open source application that attackers use to steal credentials and escalate privileges, but the cybersecurity team was familiar with the software and the systems designed to protect privileged data were honed to its signature. The attackers found their way into the legacy accounts because those weren’t enrolled in MFA, so the exact initial attack vector could not be identified. IT teams from Laureate and UPC coordinated the immediate response; passwords were reset and the accounts were added to the MFA security control.
Detect, Contain, Eradicate
The attacker used a new variant of the CryLOCK ransomware, known as a zero-day attack, which propagated undetected until its use of the hacking tool triggered defences. The team immediately began containment of the affected servers. Before they could completely contain the threat, three servers were encrypted by CryLOCK ransomware, but within a few days the teams managed to recover all servers without major data loss and restore all critical UPC services.
In addition to wreaking present havoc, the unidentified hacker had a plan for the future; they created three privileged accounts for back door access, but the white hats were wise to these tricks. Before the week was out, the presence of the attacker and all the tools they left behind were fully eradicated from the UPC network and all hosts. The team also discovered a ransom note planted on the affected servers, but that will only serve as evidence against the instigator.
After they dealt with the threat, Laureate called in a third-party incident response team to make doubly sure that the threat was well and truly dealt with. The IR team’s additional mitigation and root cause analysis found no evidence of data loss or exfiltration. Carbon Black IR agents were deployed to all servers to support forensic activities and confirm eradication of the attacker. 98 malicious artifacts were discovered and removed. Some back-office servers were suspended while full recovery from backups was in progress, but no student services were affected. As June rolled around, the teams achieved full recovery of all UPC services.
What we learned
The detection and defence solutions that were put in place to detect malicious activity did what they were supposed to. It was the fact that some older, shared accounts weren’t part of MFA protocols that allowed initial access. It is clear that a strict MFA policy and not using shared accounts is our first line of defence against account take-over. Such policies also serve to provide accountability in case of malicious activity.
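The two controls this story turns on, auditing privileged accounts for MFA gaps and shared ownership, and alerting on credential-theft tooling run under a privileged account or on newly created admin accounts, can be expressed as a small check. This is an added illustration, not code from the original article or from Laureate; the account inventory, the account names and the key=value log format are all constructed for the example.

```python
import re

# Constructed account inventory (hypothetical names, not UPC's real accounts).
ACCOUNTS = [
    {"name": "svc_legacyadmin", "privileged": True, "mfa": False,
     "owners": ["ops1", "ops2"], "created": "2016-02-01"},
    {"name": "j.perez.adm", "privileged": True, "mfa": True,
     "owners": ["j.perez"], "created": "2020-09-14"},
    {"name": "backup_admin2", "privileged": True, "mfa": False,
     "owners": [], "created": "2021-05-11"},
]

# Constructed log lines in a hypothetical key=value format, modelled on
# process-creation and account-creation audit events.
LOG = """\
2021-05-13T09:12:03Z host=srv01 user=svc_legacyadmin event=ProcessCreate cmd="mk.exe privilege::debug sekurlsa::logonpasswords"
2021-05-13T09:15:41Z host=srv01 user=j.perez.adm event=ProcessCreate cmd="notepad.exe"
2021-05-13T09:20:10Z host=srv02 user=svc_legacyadmin event=UserCreate target=backup_admin2 group=Administrators
"""

# Command-line fragments that public Mimikatz detection rules commonly key on.
MIMIKATZ_PATTERNS = re.compile(r"sekurlsa::|lsadump::|privilege::debug|mimikatz", re.I)

def audit_accounts(accounts, review_window_start):
    """Flag privileged accounts that lack MFA, are shared/unowned, or were created recently."""
    findings = []
    for a in accounts:
        if not a["privileged"]:
            continue
        if not a["mfa"]:
            findings.append((a["name"], "no MFA"))
        if len(a["owners"]) != 1:
            findings.append((a["name"], "shared or unowned"))
        if a["created"] >= review_window_start:  # ISO dates compare correctly as strings
            findings.append((a["name"], "created during review window"))
    return findings

def scan_log(text, privileged_users):
    """Alert on Mimikatz-style command lines under privileged users and on new admin accounts."""
    alerts = []
    for line in text.splitlines():
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        user, event = fields.get("user"), fields.get("event")
        if (event == "ProcessCreate" and user in privileged_users
                and MIMIKATZ_PATTERNS.search(fields.get("cmd", ""))):
            alerts.append((user, "credential-theft tool under privileged account"))
        if event == "UserCreate" and fields.get("group") == "Administrators":
            alerts.append((user, f"new privileged account {fields['target']}"))
    return alerts

if __name__ == "__main__":
    privileged = {a["name"] for a in ACCOUNTS if a["privileged"]}
    print(audit_accounts(ACCOUNTS, "2021-04-29"))
    print(scan_log(LOG, privileged))
```

The review window start is set to roughly two weeks before detection, mirroring the dwell time described above, so that the backdoor account pattern surfaces alongside the MFA and shared-ownership gaps.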
Once such a threat is dealt with, it is essential to perform a full post-mortem of the incident. Every little gap will be filled in so attackers will have even less success in the future. It is reassuring to know that even when attackers manage to exploit the gaps left over from more careless times, the systems that were since put in place will protect our data.
The Connective Platform™ integrates a host of cybersecurity tools into one system faster than any of our competitors, but that alone wouldn't give our partners the edge over cybercriminals. Simply gathering all the data from a number of connected elements would still require an army of experts to make sense of it; it's analogous to how gathering stock prices from markets all around the world doesn't tell you where to invest your money next. Our platform goes on to analyse that massive amount of data to give our partners the information they need: where the weak points of their cyber defence are, and how to address them.