Security Market Segment LS
Friday, 22 March 2019 08:56

Norwegian firm attack likely through Microsoft Active Directory: claim Featured

Norwegian firm attack likely through Microsoft Active Directory: claim Pixabay

The Windows network at the Norwegian aluminium maker Norsk Hydro was probably infiltrated by attackers who planted the LockerGoga ransomware using something like scheduled tasks or services in Microsoft's Active Directory, a British security expert says.

Kevin Beaumont, who followed the whole episode of infection and also looked carefully at the company's response, said in a detailed blog post that his speculation about the route into the Norsk Hydro system was backed up by an assessment by the NorCERT, the computer emergency response team in Norway.

For this, the attackers needed remote access, and how they gained this was a puzzle that Beaumont said the company could help solve by releasing some of the incident response information later as it would help protect other companies from a similar intrusion.

Beaumont noted that a few weeks before the Hydro calamity, he had pointed out that despite a LockerGoga attack on a French firm,. Altran in January, most endpoint security anti-malware solutions could not detect this strain.

"I actually detonated the ransomware myself on several real world endpoints (in isolated fashion — as you’ll learn later it doesn’t self-replicate too) and I couldn’t find an endpoint security tool which actually triggered a detection (although Cisco’s ThreatGrid sandbox technology did classify it as Generic Ransomware)," he wrote.

Norsk Hydro announced on Wednesday that it had been hit by the Windows ransomware late on Monday evening. The company provided a steady stream of information about what had happened and held regular media briefings about its progress in sorting things out.

On Thursday, the firm said it had called in experts from Microsoft and other security partners to help get business critical systems back to normal.

Beaumnont said once inside the Hydro network, the attackers must have had Domain Admin rights to carry out their plan.

"Usually in companies it is extremely easy to get this access, despite the industry hard selling a range of privileged access management tools, by simply:

  • "fishing logins out of memory using Mimikatz
  • "taking passwords from Active Directory Group Policy Preferences — they’re often right there in the XML files. It’s the go to, bread and butter of ‘Red Teams’.
  • "Pass The Hash attacks and surf around the entire network using the same local administrator passwords because almost nobody deploys Microsoft Local Administrator Password Solution."

Once an attacker had become an Active Directory administrator, it was possible to place the ransomware executable in a place where every system in an organisation could reach. Under normal circumstances, a firm's firewall universally accepts Active Directory traffic internally.

"Bingo, you have the keys to the kingdom  –  the only thing stopping you now is security controls around endpoint malware, and as we already established those won’t detect LockerGoga at the time of the attack," Beaumont said.

Detailing the impact of LockerGoga, he said:

  • "It ends up using every CPU core and thread during encryption and is very, very fast. This is because it spawns hundreds of executables for encryption. Within a few minutes, an average system is toast.
  • "Additionally, some technical blogs mention a list of file types that are encrypted which only includes things like Office files — I can say first-hand that it also encrypts system files such as .DLL files. across the C: drive. Since it is deployed as administrator level using Active Directory, it has full control of all files.
  • "It depends on the version being run (on VirusTotal you can see different LockerGoga executables with different features) but newer versions use netsh.exe to disable all network cards after encryption is done.
  • "It then changes every local administrator account password.
  • "It then logs you off, using logoff.exe."

Beaumont was full of praise for the way Norsk Hydro had managed the incident. "Organisations should look at how Hydro disclosed and dealt with the issue so far in the public arena,." he said.

"It looks like it may be a textbook example of how incident response should be done, with transparency and openness. Not only the public and media perception went well, but the business end went well too  –  people didn’t sell off shares because they felt genuinely informed and that Hydro had a dire situation under control."

Read 3463 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


Thoughtworks presents XConf Australia, back in-person in three cities, bringing together people who care deeply about software and its impact on the world.

In its fifth year, XConf is our annual technology event created by technologists for technologists.

Participate in a robust agenda of talks as local thought leaders and Thoughtworks technologists share first-hand experiences and exchange new ways to empower teams, deliver quality software and drive innovation for responsible tech.

Explore how at Thoughtworks, we are making tech better, together.

Tickets are now available and all proceeds will be donated to Indigitek, a not-for-profit organisation that aims to create technology employment pathways for First Nations Peoples.

Click the button below to register and get your ticket for the Melbourne, Sydney or Brisbane event



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News