Sophos Research: ‘Ghost’ Credentials Used in Nefilim Ransomware Attack
Sophos researchers have discovered a Nefilim ransomware attack in which an unmonitored account belonging to a deceased employee was used to infiltrate more than 100 systems.
During the cyberattack, a Nefilim threat actor exploited vulnerable Citrix software, Sophos indicated. The actor gained access to the Citrix admin account and stole the credentials for a domain admin account using the Mimikatz open-source application.
After gaining access to the victim’s network, the Nefilim threat actor created a new user and added the account to the domain admin group in Active Directory (AD), Sophos noted. Using that new domain admin account, the actor then deleted about 150 virtual servers and used Microsoft BitLocker to encrypt server backups.
Nefilim was discovered last year and often involves a technique called “double extortion,” in which a threat actor threatens to publicly release victims’ data if they do not pay the ransom. To date, Nefilim has been used in attacks against Orange Business Services, Toll Group and other global organizations.
How to Guard Against Nefilim Cyberattacks That Involve Ghost Credentials
No alarms were set off in the aforementioned Nefilim cyberattack, according to Sophos. But, with secure account access management, an organization is well-equipped to guard against Nefilim attacks that involve ghost credentials.
There are several things that organizations can do to improve their account access management, including:
- Grant access permissions only for specific tasks or roles
- Deactivate accounts if they are no longer needed
- Conduct regular AD audits
- Leverage anti-ransomware technology
Ultimately, a privileged account should be used only for work that requires it, Sophos pointed out. If new users need privileged access to certain accounts, their rights should be elevated only when needed and only for specific tasks.
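The "regular AD audits" and "deactivate unneeded accounts" practices above can be turned into a repeatable check. The following PowerShell script is an added example, not part of the Sophos research or any vendor tool; it assumes the RSAT ActiveDirectory module, read access to the domain, and a 90-day threshold for "unused" (the `$StaleDays`, `$NewAdminDays` and `$PrivGroups` values are assumptions you should tune). It lists enabled accounts with no recent logon (the "ghost" candidates), privileged accounts among them, and domain admins created recently, which is the pattern in the attack described above.

```powershell
# Added example: audit AD for stale privileged accounts and newly created admins.
# Assumes the ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

$StaleDays    = 90                                  # assumed "unused" threshold
$NewAdminDays = 30                                  # assumed "recently created" window
$PrivGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators')
$Cutoff       = (Get-Date).AddDays(-$StaleDays)

# 1. Enabled accounts with no logon since the cutoff, or no recorded logon at all.
#    LastLogonDate is derived from lastLogonTimestamp, which replicates lazily
#    (up to ~14 days), so treat it as approximate, not exact.
$Stale = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, whenCreated |
    Where-Object { $null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff } |
    Select-Object SamAccountName, LastLogonDate, whenCreated

# 2. Users who are (directly or nested) members of the privileged groups.
$Privileged = foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, whenCreated |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, LastLogonDate, whenCreated
}

# 3a. Privileged accounts that are also stale: candidates for disabling.
$StaleNames = @($Stale.SamAccountName)
Write-Host "== Stale privileged accounts (no logon in $StaleDays days) =="
$Privileged | Where-Object { $StaleNames -contains $_.SamAccountName } |
    Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 3b. Privileged accounts created recently: verify each against a change record.
Write-Host "== Privileged accounts created in the last $NewAdminDays days =="
$Privileged | Where-Object { $_.whenCreated -gt (Get-Date).AddDays(-$NewAdminDays) } |
    Sort-Object whenCreated -Descending | Format-Table -AutoSize

# 3c. All stale enabled accounts, for the broader deactivation review.
Write-Host "== All stale enabled accounts =="
$Stale | Sort-Object LastLogonDate | Format-Table -AutoSize
```

Run it on a schedule and alert on any non-empty result in 3a or 3b; an account that stays enabled after its owner has left, or a domain admin nobody can account for, is exactly what this attack relied on.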