Dharma/CrySIS: Eliminate blind spots for your SOC

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

As simple as it sounds, one important security tip is to include your endpoint software (NextGen AV, Endpoint Detection and Response…) in your standard imaging process. One of our clients did not. Making the problem worse, they were in the process of retiring old machines and on-boarding new machines. As a result, they left over twenty endpoints unprotected. It didn’t take long for adversaries to take advantage.

Our client contacted us to report that several of their endpoints were infected by ransomware. At the same time, the BlueVoyant SOC observed 230 RDP connections by 167 unique IP addresses to a device on their network. Our SOC analysts investigated Threat Intelligence reputations on a sample of these external addresses. They were identified as known RDP brute-forcing bots known for distributing Dharma/CrySIS ransomware.

Our SOC analysts worked with the client to take immediate actions to stop and mitigate the attack. Key actions we took included:

• Changing the password for any user with remote desktop privileges
• Disabling RDP services in lieu of remote access solutions that do not require inbound firewall exceptions
• Reimaging and restoring all infected assets
• Installing NextGen AV agents on infected assets and confirming if they are showing signs of compromise
• Ensuring devices with installed NextGen AV agents have connectivity to the internet and confirm if they are showing signs of compromise
• Limiting the access of devices from outside the network

The BlueVoyant SOC includes the Client Experience Team (CET) to ensure successful implementation of BlueVoyant Managed Security Services and serve as a conduit between BlueVoyant and our clients. Our CET learned that the client had a mismatch of operating systems across their environment. They do not do patch management or vulnerability scanning. The client network is flat. All machines were on the same layer 2, with no routing or isolation.

Our CET worked with the client to modify their NextGen AV policies to block any further attempts to infect their endpoints with Dharma/CrySIS. We identified local vendors to provide patch management. We are providing guidance for a more secure network design. The bottom line is through the efforts of the CET, the client has fully recovered and has an improved security posture.