Brazil’s Superior Court of Justice (STJ) President Humberto Martins announced that “the court’s information technology network suffered a hacker attack on Tuesday (3), during the afternoon, when the six group classes’ judgment sessions took place. The Secretariat for Information and Communication Technology (STI) is working to recover the systems of services offered by the Court.” Security Experts offer perspective.
While this attack hasn’t done anything extraordinary, it’s a perfect example of how compromising a Domain Admin gives attackers the keys to the kingdom. Although we don’t know what defensive measures were previously deployed by the Superior Court of Justice’s IT department, it seems RansomExx was easily able to move laterally within the organization until they gained admin privileges and control of a domain controller. This goes to show that organizations need to implement ways to impede attackers even after a breach has occurred.
Perimeter and endpoint protection is important; however, specialized privileged activity management software can prevent lateral movement by only enabling administrative access to secure resources at the time that access is needed, and immediately revoking that access after the session is complete. This is known as Zero Standing Privilege and greatly reduces attack surfaces to prevent exactly what happened at the Superior Court of Justice – lateral movement into domain admin rights.
A hallmark of modern ransomware is this lateral movement, followed by privilege escalation resulting in broad-scale impact. Without the ability to move laterally in the first place, it becomes significantly harder for ransomware or its operators to achieve the results we’ve witnessed here and in countless organizations across the world of every size and type.
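The Zero Standing Privilege model described in the two quotes above can be sketched as a small just-in-time access broker. This is an added example written for this page, not code from any product or from the Court’s environment: the `JitBroker` class, its role names and the `svc_backup` account are all assumptions. It grants an administrative role only for a bounded time with a recorded justification, revokes it when the session ends, and can audit which accounts still hold a standing (permanent) Domain Admins membership, which is the condition that lets a single compromised account become a domain-wide foothold.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Grant:
    """A time-bound elevation of one principal into one role."""
    principal: str
    role: str
    justification: str
    granted_at: datetime
    ttl: timedelta
    revoked: bool = False

    def active(self, now: datetime) -> bool:
        # A grant is usable only until it is revoked or its TTL expires.
        return not self.revoked and now < self.granted_at + self.ttl


class JitBroker:
    """Just-in-time privilege broker (hypothetical; not a real product API)."""

    def __init__(self, standing_roles: dict[str, set[str]]):
        # Standing roles are permanent memberships (the anti-pattern ZSP removes).
        self.standing = standing_roles
        self.grants: list[Grant] = []

    def request(self, principal: str, role: str, now: datetime,
                justification: str, ttl: timedelta = timedelta(minutes=30)) -> Grant:
        # Every elevation must carry a justification so it can be reviewed later.
        if not justification.strip():
            raise ValueError("elevation requires a justification")
        grant = Grant(principal, role, justification, now, ttl)
        self.grants.append(grant)
        return grant

    def end_session(self, grant: Grant) -> None:
        # Revoke immediately when the administrative session is over.
        grant.revoked = True

    def has_role(self, principal: str, role: str, now: datetime) -> bool:
        if role in self.standing.get(principal, set()):
            return True
        return any(g.principal == principal and g.role == role and g.active(now)
                   for g in self.grants)

    def audit_standing_privilege(self, role: str = "Domain Admins") -> list[str]:
        # Accounts that hold the role permanently: each is a standing risk to remove.
        return sorted(p for p, roles in self.standing.items() if role in roles)


if __name__ == "__main__":
    # Constructed scenario: one service account still has a standing membership.
    broker = JitBroker({"svc_backup": {"Domain Admins"}})
    t0 = datetime(2021, 6, 1, 14, 0)
    g = broker.request("alice", "Domain Admins", t0, "change CHG-0001 (placeholder)")
    print("alice admin during window:", broker.has_role("alice", "Domain Admins", t0 + timedelta(minutes=5)))
    print("alice admin after expiry:", broker.has_role("alice", "Domain Admins", t0 + timedelta(minutes=31)))
    print("standing Domain Admins to remediate:", broker.audit_standing_privilege())
```

The audit list is the actionable output: any account it returns would, if compromised, give an attacker the same standing foothold the quotes describe, so those memberships are the ones to convert into brokered, time-bound grants.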
It’s important to understand that the Brazil Court system moved quickly and correctly. They immediately shut the network as a precautionary measure to prevent further infection. However, the attack likely encrypted data, email, and resources critical to court proceedings, which all but inevitably put peoples’ lives on hold. Fortunately, the Brazil Superior Court has announced it expects to be back up on Monday or early next week. We don’t really know if they paid ransom or not – usually companies do if it impacts their business – and since this is a public entity, there are disclosure requirements so the facts around ransom will inevitably come out.
RansomExx is notoriously known to steal data before encrypting a network, and then threaten to release it unless ransom is paid. We saw that with Tyler Tech – which works with school systems, and state and local governments, and which was attacked on Oct. 10.
The public sector is far more exposed than most realize – many public sector entities in the US and around the world are using outdated systems and have insufficient budgets to drive timely patches. Our public sector entities hold our most sensitive data and are struggling under a lack of funding. That’s why attackers go after schools – because they can try and leap to local, then state, then federal agencies and entities, traversing through the governmental hierarchy in an attempt to reach our highest levels. This attack and others like it must inform our public sector budgeting priorities.
The attack against Brazil’s Superior Court is another example of a high profile target suffering a major outage due to ransomware. Unfortunately, the attackers were apparently able to compromise an Admin level account, which let them place their ransomware where it could do the most damage, taking out case files as well as backups.
While a behavioral analytics tool could have identified the compromised Admin account and mitigated the attack, the fact that backups were accessible and vulnerable to encryption is alarming. This indicates a potential issue with their backup and disaster recovery processes.
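The quote above says a behavioral analytics tool could have flagged the compromised admin account. One behavior such a tool looks for is an account authenticating to an unusual number of distinct hosts in a short window, which is what lateral movement toward a domain controller and the backup server looks like in logon data. The following detection is an added example for this page, not code from any vendor or from the incident; the log lines are constructed, and the host names (`DC01`, `BKP01`, the `svc_backup` account) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from the incident), one logon per line.
SAMPLE_LOG = """\
2021-06-01T14:02:11 logon user=svc_backup host=FS01 type=network
2021-06-01T14:02:40 logon user=jdoe host=WS117 type=interactive
2021-06-01T14:03:05 logon user=svc_backup host=DC01 type=network
2021-06-01T14:03:30 logon user=svc_backup host=BKP01 type=network
2021-06-01T14:04:02 logon user=svc_backup host=FS02 type=network
2021-06-01T14:05:10 logon user=svc_backup host=FS03 type=network
2021-06-01T16:20:00 logon user=jdoe host=WS117 type=interactive
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) logon user=(?P<user>\S+) host=(?P<host>\S+) type=(?P<type>\S+)$")

# Assumed name of the backup server; access here during a fan-out raises severity.
BACKUP_HOSTS = {"BKP01"}


def parse_events(text: str) -> list[dict]:
    """Parse the constructed logon format into timestamped event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                       "host": m["host"], "type": m["type"]})
    return events


def detect_fanout(events: list[dict], window: timedelta = timedelta(minutes=5),
                  threshold: int = 4) -> list[dict]:
    """Alert when one account reaches >= threshold distinct hosts inside a sliding window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within the time bound.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append({"user": user, "hosts": sorted(hosts),
                               "first_seen": evs[start]["ts"],
                               "touches_backup": bool(hosts & BACKUP_HOSTS)})
                break  # one alert per account is enough to trigger a response
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(parse_events(SAMPLE_LOG)):
        print(a)
```

In the constructed data `jdoe` logs on twice to the same workstation and is never flagged, while `svc_backup` touches four hosts within two minutes, including the domain controller and the backup server, and produces one alert with `touches_backup` set. The second point in the quote, that backups were reachable for encryption, is what that flag is for: an alert involving the backup host should be the one an analyst picks up first.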
Incidents like this are a call for organizations to review their cybersecurity stack, and to review their processes, so they won’t suffer the same fate.