In June 2017, alarm bells started ringing all over the world. Companies were still reeling from the reputational and economic storm that had been WannaCry, when a new piece of ransomware took over computers in half of the business world. NotPetya managed to infiltrate several Ukrainian banks, as well as multinationals as big as Mondelez or the law firm DLA Piper.
This ransomware got hold of the credentials of these large companies, along with their passwords, eventually obtaining administrator privileges. From there, it was a simple task to deliver the final payload to the affected computers. There was one particularly curious feature of this new attack: despite the constant innovation in cybercrime, a large part of this ransomware was not new.
2011, the beginning of Mimikatz_
It dates back to 2011. This was when the French programmer Benjamin Delpy – known as gentilkiwi – developed a tool that he called Mimikatz. With it he had managed to simplify and automate credential theft, especially from certain versions of the Windows operating system. Delpy was mainly seeking to demonstrate how vulnerable Windows authentication protocols were, leaving users and companies at the mercy of cybercriminals. Delpy may not have realized it, but he had just created a weapon that is now more active than ever.
Over the last few years, Benjamin Delpy’s legacy has become one of the most commonly used tools in malwareless cyberattacks. Despite its longevity, this kind of intrusion is still enjoying huge levels of success. So much so that 2018 became the year in which malwareless cyberattacks took center stage. And 2019 has been no different; attackers are employing all kinds of tactics to get around companies’ security measures without the need to use malware.
When it comes to putting a company’s cybersecurity at risk, Mimikatz has a wide range of strategies, but the most common is the following:
1.- Entry. Firstly, Mimikatz needs to get onto a device or a system that is compromised or that has some kind of vulnerability. It can get around cybersecurity controls thanks to the various forms that it can take.
2.- Execution. Once inside the system, the cybercriminal controlling Mimikatz will run or modify code to confirm that they have the computer’s administrator permissions. From there, they will be able to access sensitive information.
3.- Libraries and passwords. With Mimikatz, the attacker can easily extract credentials and passwords, especially on Windows systems. With all of this, they will be able to take full control of the affected computer.
4.- Theft or infection. Once executed, the cybercriminal will be able to use the stolen passwords to assume the real administrator’s identity and infect as many devices as possible, moving between them via lateral movement.
Mimikatz is so effective and long-lasting that it has started to receive its own nicknames: some people refer to it as the AK47 of cyberattacks, or the Swiss Army knife of cybercrime.
How can we fight Mimikatz?_
Any company that wants to protect its assets against Mimikatz or other similar tools needs to adopt a series of measures to reinforce its cybersecurity systems.
1.- Go beyond files. Mimikatz can infect computers without having to use any kind of file. This means that many cybersecurity solutions are unable to detect it. This is why it is essential that companies go further than analyzing files. As we saw at PASS2019, malware is no longer a problem for Panda Security or Cytomic. The challenge now lies in avoiding targeted attacks from hackers. To protect against this kind of attack, there is only one valid approach: Zero Trust, with behavioral analysis and threat hunting techniques.
2.- Monitoring. Companies’ efforts need to focus on controlling everything that is happening on their systems. Cytomic’s solutions automatically monitor all system processes in real time, detecting any anomalous behavior, even in the use of legitimate tools. This way, they can detect fileless threats and hacking attacks before they can become a security problem.
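The lateral movement described in step 4 above leaves a trace that monitoring can pick up: one account authenticating to many different hosts in a short window. The following is an added example, not code from the original article or from Cytomic, that runs a simple sliding-window check over a constructed set of logon events; the event tuples, account names and hostnames are all made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful remote logon events (not real telemetry):
# (timestamp, account, destination host). "svc_backup" fans out to five
# hosts in two minutes, which is the pattern a credential-theft-driven
# lateral movement leaves behind; "alice" is normal activity.
SAMPLE_LOGONS = [
    ("2019-06-27T09:00:00", "alice", "WS-01"),
    ("2019-06-27T09:05:00", "alice", "WS-01"),
    ("2019-06-27T10:00:00", "svc_backup", "FS-01"),
    ("2019-06-27T10:00:30", "svc_backup", "FS-02"),
    ("2019-06-27T10:01:00", "svc_backup", "WS-07"),
    ("2019-06-27T10:01:20", "svc_backup", "WS-12"),
    ("2019-06-27T10:02:00", "svc_backup", "DC-01"),
    ("2019-06-27T15:00:00", "svc_backup", "FS-01"),
]


def detect_lateral_movement(events, window=timedelta(minutes=5), threshold=4):
    """Return {account: (window_start_iso, sorted_hosts)} for every account
    that logged on to at least `threshold` distinct hosts within any
    sliding time window of length `window`."""
    by_account = defaultdict(list)
    for ts, account, host in events:
        by_account[account].append((datetime.fromisoformat(ts), host))

    alerts = {}
    for account, logons in by_account.items():
        logons.sort()  # chronological order is required for the window scan
        start = 0
        for end in range(len(logons)):
            # Slide the window start forward until it fits within `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {host for _, host in logons[start:end + 1]}
            if len(hosts) >= threshold:
                alerts[account] = (logons[start][0].isoformat(), sorted(hosts))
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for account, (since, hosts) in detect_lateral_movement(SAMPLE_LOGONS).items():
        print(f"{account}: {len(hosts)} hosts since {since}: {', '.join(hosts)}")
```

The threshold and window are tuning knobs; service accounts with a legitimately wide footprint should be baselined rather than silenced.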
The fact is that early detection of attacks reduces risks, speeds up containment, and reduces operating costs in our organization. Having a Threat Hunting and Incident Response solution like Cytomic Orion drastically reduces the attack surface. What’s more, the Threat Hunting services allow us to stop attacks at any point in the cyber kill chain.
Cybercriminals’ modus operandi includes strategies that don’t require malware to cause companies and businesses serious problems. In this light, anticipation and intelligence production have become key to stopping cybercrime. To this end, companies must adopt proactive approaches and use threat hunting services.