"LockBit Ransomware Gang Lurked in a US Gov Network for Months"

According to researchers at the cybersecurity company Sophos, LockBit ransomware actors hid in the network of a regional US government agency for at least five months before deploying the payload. The attackers attempted to cover their tracks by deleting Event Logs, but the remaining file fragments gave threat analysts insight into the actor and their operations. The actor is said to have entered the network through remote desktop ports left open on a misconfigured firewall, and then used Chrome to download attack tools. This toolset included utilities for brute-forcing and scanning as well as a commercial VPN. The attacker also used free tools such as PsExec, FileZilla, Process Explorer, and GMER for file management and command execution. In addition, the hackers leveraged remote desktop and remote management software such as ScreenConnect and AnyDesk. They laid low while trying to steal valuable account credentials in order to expand their foothold in the network. Eventually, they obtained the credentials of a local server administrator who held Domain Administrator permissions, which allowed them to create new accounts with administrator privileges on other systems. This article continues to discuss the phases of the LockBit ransomware attack on the US government network and the tools involved in the attack.
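Two of the behaviours described above, clearing the Windows Event Logs and creating new accounts that are immediately given administrator rights, leave standard Security-log records that a defender can alert on. The following is an added example, not code from the Sophos report or from Bleeping Computer: it runs a simple detection over a constructed set of event records. The Event IDs used are Microsoft's standard Security log IDs (1102 = audit log cleared, 4720 = user account created, 4732 = member added to a security-enabled local group); the host names, account names and timestamps are invented for the sample.

```python
"""Detection sketch for log clearing and privileged account creation.

Added example over constructed Security-log records. Event IDs are the
standard Windows Security log IDs; all other values are invented.
"""
from dataclasses import dataclass

# Windows Security log Event IDs (real values) and the behaviour each signals
LOG_CLEARED = 1102               # "The audit log was cleared"
ACCOUNT_CREATED = 4720           # "A user account was created"
LOCAL_GROUP_MEMBER_ADDED = 4732  # "A member was added to a security-enabled local group"

# Local groups whose membership change should always be reviewed (assumption)
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}


@dataclass
class Event:
    """Minimal view of a Security-log record (constructed, not a real parser)."""
    timestamp: str
    host: str
    event_id: int
    subject: str       # account that performed the action
    target: str = ""   # account acted upon (4720 / 4732)
    group: str = ""    # group name (4732)


# Constructed sample records; hosts, users and times are invented
SAMPLE_EVENTS = [
    Event("2022-01-10T02:14:05Z", "FILESRV01", 4624, "svc_backup"),
    Event("2022-01-10T02:20:41Z", "FILESRV01", ACCOUNT_CREATED, "adm_jdoe",
          target="svchelper"),
    Event("2022-01-10T02:21:03Z", "FILESRV01", LOCAL_GROUP_MEMBER_ADDED, "adm_jdoe",
          target="svchelper", group="Administrators"),
    Event("2022-01-10T02:22:17Z", "FILESRV01", LOG_CLEARED, "adm_jdoe"),
    Event("2022-01-11T09:00:00Z", "WS-042", ACCOUNT_CREATED, "helpdesk",
          target="newhire01"),
    Event("2022-01-11T09:00:30Z", "WS-042", LOCAL_GROUP_MEMBER_ADDED, "helpdesk",
          target="newhire01", group="Users"),
]


def detect(events):
    """Return (host, reason) alerts for log clearing and privileged group adds.

    A 4732 into a privileged group is flagged on its own; if the target
    account was created earlier in the same stream (4720) the alert notes
    that, since 'create account, then make it admin' is the pattern the
    article describes.
    """
    alerts = []
    created = {}  # (host, target account) -> creating Event
    for ev in events:
        if ev.event_id == LOG_CLEARED:
            alerts.append((ev.host, f"security log cleared by {ev.subject}"))
        elif ev.event_id == ACCOUNT_CREATED:
            created[(ev.host, ev.target)] = ev
        elif ev.event_id == LOCAL_GROUP_MEMBER_ADDED and ev.group in PRIVILEGED_GROUPS:
            reason = f"{ev.target} added to {ev.group} by {ev.subject}"
            if (ev.host, ev.target) in created:
                reason = "newly created account " + reason
            alerts.append((ev.host, reason))
    return alerts


if __name__ == "__main__":
    for host, reason in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {host}: {reason}")
```

On the constructed sample this raises two alerts for FILESRV01 (the new account added to Administrators, then the log being cleared) and none for the ordinary helpdesk activity on WS-042. In practice the 1102 record survives only if logs are forwarded to a collector before they are cleared, which is the reason to ship Security logs off-host.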

Bleeping Computer reports "LockBit Ransomware Gang Lurked in a US Gov Network for Months"
