SMASH AND GRAB

Notorious crooks broke into a company network in 48 minutes. Here’s how.

Report sheds new light on the tactics allowing attackers to move at breakneck speed.

Dan Goodin

In December, roughly a dozen employees inside a manufacturing company received a tsunami of phishing messages that was so big they were unable to perform their day-to-day functions. A little over an hour later, the people behind the email flood had burrowed into the nether reaches of the company's network. This is a story about how such intrusions are occurring faster than ever before and the tactics that make this speed possible.

The speed and precision of the attack—laid out in posts published Thursday and last month—are crucial elements for success. As awareness of ransomware attacks increases, security companies and their customers have grown savvier at detecting breach attempts and stopping them before they gain entry to sensitive data. To succeed, attackers have to move ever faster.

Breakneck breakout

ReliaQuest, the security firm that responded to this intrusion, said it tracked a 22 percent reduction in the “breakout time” threat actors took in 2024 compared with a year earlier. In the attack at hand, the breakout time—meaning the time span from the moment of initial access to lateral movement inside the network—was just 48 minutes.

“For defenders, breakout time is the most critical window in an attack,” ReliaQuest researcher Irene Fuentes McDonnell wrote. “Successful threat containment at this stage prevents severe consequences, such as data exfiltration, ransomware deployment, data loss, reputational damage, and financial loss. So, if attackers are moving faster, defenders must match their pace to stand a chance of stopping them.”

The spam barrage, it turned out, was simply a decoy. It created the opportunity for the threat actors—most likely part of a ransomware group known as Black Basta—to contact the affected employees through the Microsoft Teams collaboration platform, pose as IT help desk workers, and offer assistance in warding off the ongoing onslaught.

Within minutes, at least two of the employees took the bait and followed instructions to open the Quick Assist remote access app built into Windows and hand off control of their desktops to the person on the other end. With that initial access, the breakout time clock was now ticking.

Gaining control of an employee device inside a targeted network is only the first in a long series of steps required to tunnel into the fortified regions and steal sensitive data stored there. Most networks these days are segmented, meaning each device and account has access only to the resources needed to perform specific tasks assigned.

The person who accessed one of the employees' devices knew that they had to move fast. In the first seven minutes, they connected the employee desktop to their remote command-and-control server over ports 443 and 10443, which are typically reserved for TLS traffic.

They then attempted to use SMB, the file-sharing protocol also built into Windows, to upload a malicious dynamic-link library (DLL) file to a sensitive OneDrive directory responsible for performing updates. The technique, known as DLL sideloading, works by placing a malicious DLL file in the same directory as a vulnerable application. Because Windows apps first search their own directories for the DLL files they need, the malicious one gets loaded.
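The search-order behaviour described above is also what makes sideloading auditable from the defender's side: any DLL sitting next to an executable that the vendor did not ship there deserves a look, because the loader will pick it before the system copy. The following is an added example, not code from the article or from ReliaQuest. It compares the DLLs present in an application directory against a hash baseline and marks those that also exist in a system directory. It runs on plain directories on any OS, so the demo builds a constructed layout in a temporary directory; the directory names, file names and baseline are all constructed, and on a real host you would point `system_dirs` at `%SystemRoot%\System32` and `SysWOW64` and take the baseline from the vendor's installer manifest.

```python
"""Audit an application directory for DLLs that would win the loader's search.

Added example; not from the article or ReliaQuest. Directory names, file
names and the baseline below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def dlls_in(directory):
    """DLL files directly inside a directory, matched case-insensitively on extension."""
    d = Path(directory)
    if not d.is_dir():
        return []
    return sorted(p for p in d.iterdir() if p.is_file() and p.suffix.lower() == ".dll")


def audit_app_dir(app_dir, system_dirs, baseline):
    """Return a finding for every DLL in app_dir that is unexpected or modified.

    baseline maps lower-cased DLL file name -> expected SHA-256 for the DLLs the
    vendor ships beside the application. 'shadows_system' is True when a DLL of
    the same name also lives in one of system_dirs, i.e. the application's copy
    would now be loaded instead of the system's.
    """
    system_names = set()
    for d in system_dirs:
        system_names.update(p.name.lower() for p in dlls_in(d))
    findings = []
    for dll in dlls_in(app_dir):
        name = dll.name.lower()
        digest = sha256_of(dll)
        expected = baseline.get(name)
        if expected == digest:
            continue  # matches the vendor baseline, nothing to report
        findings.append({
            "file": dll.name,
            "reason": "not_in_baseline" if expected is None else "hash_mismatch",
            "shadows_system": name in system_names,
            "sha256": digest,
        })
    return findings


def demo():
    """Constructed layout: one intact vendor DLL, one modified vendor DLL, and one
    DLL that is not in the baseline and shares its name with a system DLL."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "Program Files" / "ExampleUpdater"   # hypothetical application
        sys32 = root / "Windows" / "System32"             # stand-in for the real one
        app.mkdir(parents=True)
        sys32.mkdir(parents=True)
        (sys32 / "examplesys.dll").write_bytes(b"constructed system DLL")
        (app / "vendorcore.dll").write_bytes(b"constructed vendor build 1.2")
        (app / "vendorui.dll").write_bytes(b"constructed, modified after install")
        (app / "examplesys.dll").write_bytes(b"constructed, not shipped by the vendor")
        baseline = {
            "vendorcore.dll": sha256_of(app / "vendorcore.dll"),
            "vendorui.dll": hashlib.sha256(b"constructed vendor ui 1.2").hexdigest(),
        }
        return audit_app_dir(app, [sys32], baseline)


if __name__ == "__main__":
    for f in demo():
        flag = " (shadows a system DLL)" if f["shadows_system"] else ""
        print(f"{f['file']}: {f['reason']}{flag}")
```

This is a file-integrity check, so it catches a DLL that was written into the directory after install (by SMB, RDP or anything else) but says nothing about whether the file is signed; on Windows, pairing it with an Authenticode check such as PowerShell's `Get-AuthenticodeSignature` on each finding is the natural next step.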

When SMB failed, the attacker tried uploading the file using RDP, short for Remote Desktop Protocol, combined with the Windows PowerShell command window. This time, the upload worked as planned. The attacker went on to use PowerShell to trigger the malicious payload to run on compromised administrator accounts. With that, the attacker was able to connect to the control server through the targeted network, another key rung in the breakout ladder climb.

The attacker then used the connection to gain privileged system rights by accessing a service account, likely compromised earlier, for managing an SQL database. Using credentials stored inside the database, the attacker created a new account and assigned it the highest administrative permissions available. The attacker used the privileged system rights to scan the network for vulnerable targets using the SoftPerfect Network Scanner. Attackers and defenders alike often use this tool to identify resources that accounts inside a network have access to.

ReliaQuest and its customer have been unable to determine precisely how the attacker gained such access to the service account, but they speculate it was purchased from what’s known as an initial access broker. These are a type of threat actor that focuses solely on compromising accounts and, when necessary, escalating privileges. The brokers then sell this access to others for use in breaches.

In any event, the attacker had now gained persistent, privileged access to the network and was in a position to exfiltrate sensitive data from it. The following image lays out the timeline. The breakout time begins at 5:47 pm and concludes at 6:35 pm, just 48 minutes later.
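Because breakout time is defined as the gap between initial access and the first lateral movement, it is something a defender can measure from their own telemetry rather than only read about afterwards. The following is an added example, not code from the article or the ReliaQuest report: it pairs the initial-access event on a workstation (a remote-assistance session handed to someone else) with the first successful lateral movement from that same workstation, computes the gap, and flags any chain that completed inside the defender's containment window. The event fields, technique labels, host names, addresses and timestamps are all assumed or constructed; the sample events simply follow the article's 5:47 pm to 6:35 pm timeline.

```python
"""Breakout-time correlation over a constructed event stream.

Added example; not from the article or the ReliaQuest report. Event fields,
technique labels, host names and timestamps are assumed or constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str          # one of the technique labels below (assumed taxonomy)
    success: bool = True
    detail: str = ""


# Assumed labels for the techniques the article describes.
INITIAL_ACCESS = {"remote_assist_session"}                     # Quick Assist handoff
LATERAL = {"smb_write_remote", "rdp_outbound", "remote_exec"}  # SMB / RDP / PowerShell to another host

# Containment window the defender commits to (assumed value).
BREAKOUT_SLA = timedelta(minutes=60)

# Constructed sample events on the article's 5:47 pm -> 6:35 pm timeline.
SAMPLE_EVENTS = [
    Event(datetime(2024, 12, 5, 17, 47), "WS-0142", "jdoe", "remote_assist_session", True,
          "inbound Quick Assist session accepted by user"),
    Event(datetime(2024, 12, 5, 17, 54), "WS-0142", "jdoe", "net_outbound", True,
          "dst 203.0.113.10:10443"),
    Event(datetime(2024, 12, 5, 18, 20), "WS-0142", "jdoe", "smb_write_remote", False,
          "write to \\\\FS-02\\updates denied"),
    Event(datetime(2024, 12, 5, 18, 35), "WS-0142", "jdoe", "rdp_outbound", True,
          "dst FS-02:3389"),
    # Contrast: a scheduled helpdesk session with no later lateral movement.
    Event(datetime(2024, 12, 5, 9, 10), "WS-0377", "asmith", "remote_assist_session", True,
          "scheduled helpdesk session"),
]


def breakout_times(events):
    """Map (host, user) -> (initial_access_ts, first_lateral_ts, minutes).

    Only successful lateral-movement events close the window; failed attempts
    (like the SMB write above) are worth alerting on, but they do not mean the
    attacker has broken out yet.
    """
    by_key = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_key.setdefault((ev.host, ev.user), []).append(ev)
    results = {}
    for key, evs in by_key.items():
        first_access = next((e for e in evs if e.kind in INITIAL_ACCESS), None)
        if first_access is None:
            continue
        first_lateral = next(
            (e for e in evs if e.kind in LATERAL and e.success and e.ts >= first_access.ts),
            None,
        )
        if first_lateral is None:
            continue
        minutes = (first_lateral.ts - first_access.ts) // timedelta(minutes=1)
        results[key] = (first_access.ts, first_lateral.ts, minutes)
    return results


def failed_lateral_attempts(events):
    """Failed lateral-movement attempts: an early warning that breakout is in progress."""
    return [e for e in events if e.kind in LATERAL and not e.success]


def alerts(events, sla=BREAKOUT_SLA):
    """Chains that completed within the SLA, i.e. faster than containment could act."""
    return [
        {"host": h, "user": u, "initial_access": a, "lateral": l, "breakout_minutes": m}
        for (h, u), (a, l, m) in breakout_times(events).items()
        if l - a <= sla
    ]


if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS):
        print(f"{alert['host']}/{alert['user']}: breakout in {alert['breakout_minutes']} min "
              f"({alert['initial_access']:%H:%M} -> {alert['lateral']:%H:%M})")
    for e in failed_lateral_attempts(SAMPLE_EVENTS):
        print(f"{e.host}: failed {e.kind} at {e.ts:%H:%M} ({e.detail})")
```

The useful number here is not the 48 minutes itself but the comparison against the SLA: if your containment process routinely takes longer than the breakout times you measure on your own network, the gap is where to invest, and the failed attempts in between are the earliest point at which a responder could have stepped in.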

Timeline showing steps that occurred in a recent ransomware attack. The breakout time starts once an employee gave the attacker remote access to their desktop device. Credit: ReliaQuest

Elements of success

A lot of planning, skill, and experience went into the breach. The spam decoy was effective because it contained no malicious links or attachments, giving it the appearance of an easily contained threat that did little other than make employee inboxes unable to function normally. It also gave the attacker a convincing pretense for contacting the employees and offering IT support.

“This low-tech but highly effective method allows threat actors to gain initial access and convince users to grant them control of their machines,” ReliaQuest researcher John Dilgen wrote. “Given its success, it’s likely that other threat groups will adopt this technique in the near future.”

The attacker was also proficient in:

  • using DLL side-loading, a technique that first requires identifying a vulnerable app running inside the network
  • navigating through a maze of network directories using command-line tools and having the agility and breadth of experience to switch to RDP and PowerShell once SMB failed
  • relying solely on the use of legitimate tools such as Quick Assist, Teams, SMB, RDP, and SoftPerfect to avoid detection—a technique defenders call living off the land
  • painstaking research and preparation ahead of time, including the acquisition of a previously compromised service account they could access once they had gained initial access

Black Basta and most other ransomware groups are built on a model known as RaaS—short for ransomware as a service. Under this model, a core group develops the ransomware and rents it out to one or more affiliates. Often, two or more affiliates work together. This allows for each affiliate to perform specific tasks, for instance: draft initial spam messages, pose as IT help personnel, and burrow deeper into a network using command-line tools.

There are a variety of things organizations can do to harden their networks to withstand these sorts of attacks. Steps include uninstalling remote access apps like Quick Assist when they’re not needed or restricting access to a small number of hosts, disabling accounts that are no longer needed, and establishing robust verification procedures for employees to confirm they’re interacting with legitimate help-desk staff. The above-linked posts lay out many other best practices.

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.
40 Comments
j
This is rather depressing, since there are lots of variations possible given the attackers level of skill.
Warding off the IT assistance posture here seems really tough, unless you (company IT) can be there first.
Something like Maginot lines everywhere and plenty of ways to circumvent them, at least socially.
I'm pensioned, and no longer having to deal with company IT is my greatest relief, bigger even than not having to go to a lot of boring meetings.
J
Ignoring the staff that caused the chaotic events (socially engineered) by working with the fake IT support, shouldn't RDP, Quick Assist, PowerShell, and SMB be disabled for non-admin/elevated staff?! (And any other network/elevated access)

Or even block external Teams calls (to inside the network), and a one-time account/access is set up (with IT staff) to even allow it, and use a 'call-center' to field any public facing calls.
Still amazing with the speed and multiple crews being used... (Still reading the full report from article link)
Entegy
The article doesn't address how Black Basta was able to break into the company's Microsoft Teams instance, which seems to be one of the important prerequisites of the success of this scheme.
You can configure your Teams for B2B chatting. I think it's even the default nowadays. However, someone not in your org being able to request control of your computer is also disabled by default. If this was someone using an account from a different org, then that means the feature to take control was enabled for guests/external orgs.