{"id":1322,"date":"2019-07-24T13:03:33","date_gmt":"2019-07-24T05:03:33","guid":{"rendered":"https:\/\/greycortex.hk\/?page_id=1322"},"modified":"2019-08-22T15:45:02","modified_gmt":"2019-08-22T07:45:02","slug":"use-case-ransomware-attack","status":"publish","type":"page","link":"https:\/\/greycortex.hk\/zh\/use-case-ransomware-attack\/","title":{"rendered":"Use Case – Ransomware Attack Against Government"},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Ransomware Attack\nAgainst Government<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Industry:<\/strong><\/p>

Government Ministry<\/p>

Entry Point:<\/strong><\/p>

Infected Email<\/p>

Objective:<\/strong><\/p>

Attack against full network using Eternal Blue selfpropagating exploit<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t

\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Detection Method:<\/strong><\/p>

Advanced Network Traffic Analysis with event correlation<\/p>

Secondary Detection:<\/strong><\/p>

Known signature of Eternal Blue exploit<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
At a government ministry, an employee received an email which contained an attachment marked as \u201cinvoice.\u201d Presuming it to be legitimate, he opened the attachment, unknowingly releasing a ransomware payload. This ransomware did not take immediate action to ransom the recipient\u2019s laptop, but started preparing for a larger attack against the full network.<\/h5>
As part of this preparation, the ransomware downloaded TOR and began to communicate with an outside IP address. Both of these anomalous actions were identified by MENDEL as they happened. MENDEL automatically alerted the ministry\u2019s security team, who used MENDEL to identify the device, and MENDEL\u2019s integration with Active Directory to identify the employee in question. The machine was sanitized and returned to service before it could cause damage.<\/h5>
The ransomware in question used the Eternal Blue exploit, which infects other devices across the network without having to be spread by careless users. Eternal Blue was a key component of the WannaCry ransomware which effected networks worldwide in 2017. MENDEL detects this exploit by name, and it identifies ransomware using similar, unknown exploits by their actions, escalating their seriousness based on these actions if necessary, through event correlation.<\/h5>
Attacks of this nature; using advanced malware against governments, critical corporate assets, and infrastructure, are becoming more common. They are nearly impossible to detect by commonly used security tools. MENDEL helps defend the network against them.<\/h5>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t
<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

\u4f60\u6709\u4ec0\u9ebc\u554f\u984c\u55ce\uff1f<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

\u8acb\u7559\u4e0b\u60a8\u7684\u806f\u7d61\u65b9\u5f0f\uff0c\u4ee5\u4fbf\u6211\u5011\u6839\u64da\u60a8\u516c\u53f8\u7684\u9700\u6c42\u63d0\u4f9b\u500b\u6027\u5316\u7684\u670d\u52d9\u3002<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"

Ransomware Attack Against Government Industry: Government Ministry Entry Point: Infected Email Objective: Attack against full network using Eternal Blue selfpropagating exploit Detection Method: Advanced Network Traffic Analysis with event correlation Secondary Detection: Known signature of Eternal Blue exploit At a government ministry, an employee received an email which contained an attachment marked as \u201cinvoice.\u201d Presuming […]<\/p>","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"page-templates\/fullwidth-content.php","meta":{"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"footnotes":""},"class_list":["post-1322","page","type-page","status-publish","hentry"],"jetpack_shortlink":"https:\/\/wp.me\/PaZ0Rf-lk","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/greycortex.hk\/zh\/wp-json\/wp\/v2\/pages\/1322","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/greycortex.hk\/zh\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/greycortex.hk\/zh\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/greycortex.hk\/zh\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/greycortex.hk\/zh\/wp-json\/wp\/v2\/comments?post=1322"}],"version-history":[{"count":25,"href":"https:\/\/greycortex.hk\/zh\/wp-json\/wp\/v2\/pages\/1322\/revisions"}],"predecessor-version":[{"id":2037,"href":"https:\/\/greycortex.hk\/zh\/wp-json\/wp\/v2\/pages\/1322\/revisions\/2037"}],"wp:attachment":[{"href":"https:\/\/greycortex.hk\/zh\/wp-json\/wp\/v2\/media?parent=1322"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}