How the Nefilim Group Exploited “Ghost” Credentials to Compromise 100 Systems

• The ‘Nefilim’ ransomware group spent a full month in a target’s network before it decided to lock down 100 systems.
• The hackers used the admin account of an employee who had passed away three months before.
• The firm wasn’t only following improper account management practices but was also using an outdated software tool.

An interesting story coming from the Sophos Rapid Response team underlines that one cannot be too careful when it comes to user credentials. The ransomware group going by the name “Nefilim” has managed to compromise an admin account with high-level access in the victimized firm, which belonged to a deceased employee. It is possible that the hackers singled out the particular account after they read the relevant posts from colleagues on social media.

The actors used the account silently for almost a month, looking around the corporate network and trying to locate the most precious data they could find there. In this process, they installed backdoors and stole even more account credentials.

Eventually, on day 24, hundreds of GBs of data was exfiltrated. Still, this didn’t raise any alarms for the victim, who wasn’t using any endpoint protection solutions. Also, the hackers moved around the network in the middle of the night, significantly minimizing the risk of getting noticed.

When Nefilim activated the ransomware payload on day 31, the infection became clear, as 100 systems had all their files encrypted. Upon the subsequent investigation that followed by the Sophos Rapid Response team, it was determined that the attackers gained access to the admin account by exploiting a vulnerable Citrix software product and then stole the credentials for a domain admin account using the Mimikatz tool.

Although the employee to whom the first account belonged had passed away more than three months before the attack, the company kept the account around because it was linked with certain key services. This was a very clumsy approach, and combined with the outdated Citrix Storefront tool, the ground for a catastrophic attack was laid. The firm should have implemented a service account and deny interactive logins while disabling the former employee’s account as soon as possible.

As Sophos explains, Citrix Storefront 7.15 CU3, which was the version used at the time of the attack, was vulnerable to one critical and four important flaws, namely CVE-2019-11634, CVE-2019-13608, CVE-2020-8269, CVE-2020-8270, CVE-2020-8283. It is unclear which of these were exploited by the Nefilim actors, but it’s clear that the hackers even had a choice. Using a patched tool may not have stopped the attackers as they had already established presence in the network, but it would at least make it harder for them.