2020-11-09
Brazil’s Superior Court of Justice (STJ) President Humberto Martins announced that “the court’s information technology network suffered a hacker attack on Tuesday (3), during the afternoon, when the six group classes’ judgment sessions took place. The Secretariat for Information and Communication Technology (STI) is working to recover the systems of services offered by the Court.” Security experts offer perspective.
EXPERT COMMENTS
Dan Piazza, Technical Product Manager, Stealthbits Technologies
November 09, 2020
A hallmark of modern ransomware is this lateral movement.
While this attack hasn't done anything extraordinary, it's a perfect example of how compromising a Domain Admin gives attackers the keys to the kingdom. Although we don't know what defensive measures were previously deployed by the Superior Court of Justice's IT department, it seems RansomExx was easily able to move laterally within the organization until they gained admin privileges and control of a domain controller. This goes to show that organizations need to implement ways to impede attackers even after a breach has occurred. Perimeter and endpoint protection is important; however, specialized privileged activity management software can prevent lateral movement by only enabling administrative access to secure resources at the time that access is needed, and immediately revoking that access after the session is complete. This is known as Zero Standing Privilege and greatly reduces attack surfaces to prevent exactly what happened at the Superior Court of Justice - lateral movement into domain admin rights. A hallmark of modern ransomware is this lateral movement, followed by privilege escalation resulting in broad-scale impact. Without the ability to move laterally in the first place, it becomes significantly harder for ransomware or its operators to achieve the results we've witnessed here and in countless organizations across the world of every size and type.
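One way to apply the Zero Standing Privilege idea described above to Domain Admins, using Active Directory's built-in time-bound group membership (added example, not Stealthbits code or the commenter's; it assumes a Windows Server 2016 or later forest functional level, a DC with the ActiveDirectory module, and a placeholder account name):

```powershell
# Assumed: run with Domain Admin rights on a DC; forest functional level 2016+.
Import-Module ActiveDirectory

# One-time, irreversible: enable the Privileged Access Management optional feature,
# which adds TTL-bound group membership to the forest.
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name

# Grant 'alice' (placeholder) Domain Admins for 30 minutes only. AD removes the
# membership itself when the TTL expires, so nothing is left standing for an
# attacker who later compromises the account.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'alice' `
    -MemberTimeToLive (New-TimeSpan -Minutes 30)

# Review who holds the group right now and how long each TTL-bound entry has left;
# time-bound members are reported as <TTL=<seconds>,CN=...> values.
Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member

# Audit check: any member listed without a TTL prefix is a standing privilege.
# Keep that list to documented break-glass accounts and review it regularly.
(Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive).member |
    Where-Object { $_ -notlike '<TTL=*' }
```

The Kerberos tickets issued during a TTL-bound membership are also limited to the remaining TTL, so a stolen ticket does not outlive the grant.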
Saryu Nayyar, CEO, Gurucul
November 09, 2020
The fact that backups were accessible and vulnerable to encryption is alarming.
The attack against Brazil's Superior Court is another example of a high-profile target suffering a major outage due to ransomware. Unfortunately, the attackers were apparently able to compromise an Admin-level account, which let them place their ransomware where it could do the most damage, taking out case files as well as backups. While a behavioral analytics tool could have identified the compromised Admin account and mitigated the attack, the fact that backups were accessible and vulnerable to encryption is alarming. This indicates a potential issue with their backup and disaster recovery processes. Incidents like this are a call for organizations to review their cybersecurity stack, and to review their processes, so they won't suffer the same fate.
