RATs Don’t Always Flee Sinking Ships

Graphic depicts a group of rats on a pirate ship

“The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”

~ Sun Tzu

Rats don’t always flee sinking ships. In fact, our incident response investigations here at Tetra Defense often reveal that RATs can actually cause the sinking ship. We’re not talking about Remote Access Trojans (malware designed to introduce a back door into a network); the rats we’re referring to here are legitimate Remote Access Tools designed to allow vendor and employee access.

Tetra sees it all the time. An organization hires a vendor or Managed Service Provider (MSP) to install a new software, to maintain IP enabled equipment within their network, to work remotely, etc. The vendor installs a Remote Access Tool (RAT) to allow for convenient access to the system for maintenance. The customer organization is assured of the vendor’s secure access, oftentimes with written agreements in place. All is well, until it isn’t.

Don’t Become Complacent

Time passes. The new software or equipment becomes integrated into the operations of the company, and its use becomes second nature. The RATs remain on the network, often totally unpatched and rarely, if ever, updated. A new vendor arrives to do a completely different job and installs another RAT, and the pattern repeats itself. At Tetra, we’ve seen cases where 6 or 7 different remote access systems are left behind on a victim’s network by different vendors and MSPs.

More time passes. Along comes a threat actor who compromises the vendor’s O365 account, or exploits the old, unpatched version of the RAT. Suddenly, the neglected tool is used to access your network.

Any RAT Could Be a Problem

The specific type of Remote Access Tool doesn’t matter; any variety can be exploited if unattended. If it’s unknowingly left behind or has unpatched vulnerabilities, it’s there to be used to gain unauthorized access to your network. We’ve seen the misuse of:

  • GoToMyPC
  • Kaysaya
  • ScreenConnect
  • ConnectWise
  • LogMeIn
  • PCAnywhere
  • TeamViewer
  • RemotePC
  • Alterra
  • Webroot SecureAnywhere

Tale from the Trenches

A Director of Digital Forensics & Incident Response here at Tetra describes one problematic RAT case that we investigated in late 2019. We played an epic game of cat and mouse with a threat actor who was not only in the network, but who also had control of the victim’s email account.

Late last year, Tetra investigated a Sodinokibi ransomware incident that had encrypted many of a company’s core business systems. During the information gathering phase, and based upon experience from previous cases, Tetra directed its investigation toward a cloud-based IT management solution called “ConnectWise / ScreenConnect.” This tool was used to manage workstations and server devices, and several audit logs later helped to identify an access anomaly from an unfamiliar, non-US based network. The foreign IP address in question was associated with a user’s ScreenConnect admin account. It didn’t align with any previous legitimate connections from that account, nor any other account registered within the console.

Not Just a Ransomware Attack

Analysis of various logs made it immediately clear that an external party was in control based on the actions performed within the console. Malicious activities, such as staging a PowerShell script during non-business hours and scheduling a deployment task to all of the systems registered within the tenant, were not things the legitimate account owner would have done. When executed, the script pulled down malicious code hosted on Pastebin, which then started both the encryption process and deleted volume shadow copies on the device, preventing data recovery.

Establishing Persistence and Creating Admin User Accounts

While the malicious encryption task was in process, the threat actor initiated a live session with one of the unattended workstations. They downloaded ProcDump, which was used for credential harvesting. Several hours after many of the systems were maliciously encrypted, the threat actor created an additional admin account within ScreenConnect. This new admin account allowed the attacker to remain present within the console, and ultimately avoid detection by the legitimate account owner.

As Tetra’s investigation turned its focus to the compromised user account, we collected evidence from the user’s primary workstation along with the client’s o365 logs. These logs again identified the threat actor’s foreign IP address linked to the user’s email account just hours before the attack. Additionally, the evidence indicated that the threat actor intentionally deleted an email from ScreenConnect for the login authorization code. As a security feature, ScreenConnect had been configured to send login authorization codes via email when a user would log in from an unfamiliar system or location. Unfortunately, because the threat actor had access to the user’s email account, this multi-factor authentication feature was easily circumvented.

Password Reuse is Still Problematic

At this time, it is unknown how the credentials for the account were first compromised. After the discovery of the unauthorized email account access, Tetra confirmed that the client’s password for the account was being shared across multiple accounts; both personal and business-related. It is plausible the user was the victim of a successful phishing attack, or the password may have been harvested in an unrelated website breach, or obtained from a credential dump repository. Several poor security practices contributed to the overall success of this attack, but fortunately, the client’s backups were not impacted, which resulted in a speedy recovery.

How to Avoid the RAT Race

The moral of the story here is to pay extra attention to any software used by a vendor to perform maintenance on systems in your network, or those used by your organization. Don’t trust that the vendor will remove that software after the work is complete, and regularly review your network to ensure that forgotten or out of date Remote Access Tools aren’t lurking in your environment. Doing so will help to keep your organization less assailable. Keep an eye on those RATs!

Check out some related content on our blog: