Researchers research how ‘ghost’ accounts can become targets for threat actors.
Cybercriminals will often use brute-force attacks, phishing emails, and existing data dumps to break into corporate networks but there is one area that is often ignored to a company's disadvantage: ghost accounts.
Many times, when a staff member leaves their employ, whether due to a new job offer, changes of circumstance, illness, or in unfortunate cases, death, that their accounts are not removed from corporate networks.
This oversight is one that cybercriminals are now taking advantage of, and in a recent case, by actively exploited it to spread ransomware.
In case research documented by Sophos' cyber forensics group Rapid Response, an organization reached out after being infested by Nemty ransomware.
According to Sophos, the ransomware -- also known as Nefilim -- impacted over 100 systems, encrypting important files and demanding ransom in return for a decryption key.
Initially detected in 2019, Nemty was a Ransomware-as-a-Service (RaaS) type of malware that could be purchased in underground forums. In 2020, the developers took Nemty private, reserving the code's future development for chosen partners.
During an investigation into the source of the infection, Sophos discovered, the original network intrusion was narrowed down to a high-level administrator account. Over the course of a month, the threat entities quietly discovered the company's resources, obtained domain admin account authorizations, and exfiltrating hundreds of gigabytes' worth of data.
Once the cyber attackers had finished their exploration and taken everything of value, Nemty was deployed.
"Ransomware is the last freight in a longer attack," stated Peter Mackenzie, Rapid Response manager. "It is the message from attacker telling you they already have captured your network and have completed the bulk of the attack. Identifying you are under a ransomware attack is easy, identifying the attacker was on your network a week earlier is what matters."
The cybersecurity team asked the victim company, who the high privilege administration account belonged to. The account belonged to an ex-member of staff who passed away about three months before the cyber intrusion.
Instead of withdrawing access and closing down the 'ghost' account, the firm kept it active and open stating "because there were services that it was used for."
Sophos suggests that any ghost account, once the user doesn’t require it, should be disabled through interactive logins, or if the account is really required, a service account should be created in its place.
Apart from this, the team says that zero-trust measures should be practices companywide to reduce potential attack occurrences.
In another case noted by Sophos, a new user account was stealthily created on a corporate network and added to a domain admin group in Active Directory, which was used to delete approximately 150 virtual servers and deploy Microsoft BitLocker to encrypt existing server backups, adding on the pressure for payment.