
Akira Ransomware Attack Foiled By Microsoft Defender

Microsoft reported on October 12, 2023 that Microsoft Defender for Endpoint had thwarted a major Akira ransomware attack on an unnamed industrial organisation.

The attackers, tracked by Microsoft as Storm-1567, were behind the Akira ransomware outbreak, which started in early June 2023. The incident illustrates how quickly human-operated ransomware crews adapt their tradecraft to compromise systems and attack organisations.

To avoid detection, the attackers operated from devices that were not onboarded to Microsoft Defender for Endpoint. From there, using a compromised user account, they carried out reconnaissance and lateral movement before attempting to encrypt devices across the network.

Attackers compromise user accounts in a number of ways, including credential dumping, keylogging and brute-force attacks. Domain admin-level accounts are quickly compromised when standard authentication management practices are neglected, and once an attacker holds one, they can reach domain resources and devices at will, which can end in a full domain compromise.

Microsoft acknowledged that its endpoint solution could have stopped the attack earlier had the attackers' foothold devices been onboarded, but Defender for Endpoint still kept the onboarded devices from being encrypted as the ransomware spread.

[Figure: Device-Based Encryption Attempt for Storm-1567 (Microsoft)]

Once inside the network, the threat actor carried out a series of suspicious actions, including network scanning, tampering with security products and lateral movement over RDP to Windows Server hosts, each of which triggered alerts.

Microsoft Defender for Endpoint's protective mechanisms thwarted these attempts. When the attackers then tried to encrypt devices remotely, Defender recognised the compromised user account and blocked it, so the onboarded devices were not encrypted.

In early August 2023, Microsoft Defender for Endpoint also stopped a human-operated attack on a medical research centre. Once again the foothold was a non-onboarded device and a compromised administrator account: the attackers reset that account's password and then used the credentials to start network scans.

The attack began at 4:00 a.m. with a password change on the default admin account, performed from a non-onboarded device, which Defender detected and contained. The activity that followed, including network scans and RDP connections, was blocked, after which the organisation's Security Operations Centre (SOC) carried out further steps to evict the attackers.
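Both attack chains above share the same shape: a privileged account is abused from a device the EDR cannot see, then used over RDP against several servers in a short window. The following is an added example (it is not Microsoft's code nor anything from the article) of detection logic that hunts for exactly that chain in Windows Security events: a password reset (event ID 4724) of a privileged account followed, within an hour, by RemoteInteractive logons (event ID 4624, logon type 10) from the same source host to multiple destinations, with a flag for whether the source host is in the onboarded inventory. The event records, field names and device inventory are constructed sample data, not real logs.

```python
from datetime import datetime, timedelta

# Assumed inventory of hosts onboarded to the EDR (constructed for this example).
ONBOARDED_DEVICES = {"FS01", "APP02", "DC01", "HELPDESK-PC"}
# Assumed list of privileged accounts worth alerting on.
PRIVILEGED_ACCOUNTS = {"administrator", "da-backup"}

# Constructed sample events, normalised from Windows Security log fields.
# 4724 = password reset attempt, 4624 type 10 = RemoteInteractive (RDP) logon.
SAMPLE_EVENTS = [
    # 04:00 - built-in admin password reset from a host that is NOT onboarded
    {"time": "2023-08-05T04:00:12", "event_id": 4724, "subject_user": "svc-legacy",
     "target_user": "administrator", "source_host": "WS-OLD7"},
    # RDP from that same host to three servers within the hour
    {"time": "2023-08-05T04:03:41", "event_id": 4624, "logon_type": 10,
     "target_user": "administrator", "source_host": "WS-OLD7", "dest_host": "FS01"},
    {"time": "2023-08-05T04:11:05", "event_id": 4624, "logon_type": 10,
     "target_user": "administrator", "source_host": "WS-OLD7", "dest_host": "APP02"},
    {"time": "2023-08-05T04:27:58", "event_id": 4624, "logon_type": 10,
     "target_user": "administrator", "source_host": "WS-OLD7", "dest_host": "DC01"},
    # console logon (type 2) is not RDP and must be ignored
    {"time": "2023-08-05T04:05:00", "event_id": 4624, "logon_type": 2,
     "target_user": "administrator", "source_host": "WS-OLD7", "dest_host": "WS-OLD7"},
    # same host hours later: outside the window, must not be counted
    {"time": "2023-08-05T09:15:00", "event_id": 4624, "logon_type": 10,
     "target_user": "administrator", "source_host": "WS-OLD7", "dest_host": "FS01"},
    # benign: helpdesk resets a privileged account and logs on to one server
    {"time": "2023-08-05T10:30:00", "event_id": 4724, "subject_user": "helpdesk1",
     "target_user": "da-backup", "source_host": "HELPDESK-PC"},
    {"time": "2023-08-05T10:32:10", "event_id": 4624, "logon_type": 10,
     "target_user": "da-backup", "source_host": "HELPDESK-PC", "dest_host": "FS01"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_reset_then_rdp_chains(events, onboarded, privileged,
                               window=timedelta(hours=1), min_targets=2):
    """Return one finding per privileged-account password reset that is followed,
    within `window`, by RDP logons from the same source host to at least
    `min_targets` distinct destination hosts. Each finding records whether the
    source host is in the EDR inventory, because an unmanaged host is exactly
    where this chain hides from endpoint telemetry."""
    events = sorted(events, key=_ts)
    rdp_logons = [e for e in events
                  if e["event_id"] == 4624 and e.get("logon_type") == 10]
    findings = []
    for reset in events:
        if reset["event_id"] != 4724 or reset["target_user"] not in privileged:
            continue
        start = _ts(reset)
        targets = set()
        for logon in rdp_logons:
            when = _ts(logon)
            if (logon["target_user"] == reset["target_user"]
                    and logon["source_host"] == reset["source_host"]
                    and start <= when <= start + window):
                targets.add(logon["dest_host"])
        if len(targets) >= min_targets:
            findings.append({
                "account": reset["target_user"],
                "reset_by": reset["subject_user"],
                "reset_time": reset["time"],
                "source_host": reset["source_host"],
                "source_onboarded": reset["source_host"] in onboarded,
                "rdp_targets": sorted(targets),
            })
    return findings


if __name__ == "__main__":
    for finding in find_reset_then_rdp_chains(SAMPLE_EVENTS, ONBOARDED_DEVICES,
                                              PRIVILEGED_ACCOUNTS):
        print(finding)
```

Run against the sample, the only finding is the 04:00 reset from WS-OLD7 with three RDP targets and `source_onboarded` False; the helpdesk reset is ignored because it reaches a single server, and the 09:15 logon falls outside the window. In production the same logic belongs in the SIEM or in Defender's advanced hunting, but the point to carry over is the inventory check: events whose source host is absent from the onboarded set deserve a higher severity, since that is the gap both attacks exploited.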

[Figure: Human-Operated Medical Research Lab Attack Chain (Microsoft)]

Microsoft underscores the importance of securing highly privileged user accounts, which are attackers' primary targets: a compromised domain admin-level account gives access to Active Directory and lets the attacker bypass standard security controls.

What made the difference in both cases was Defender for Endpoint's ability to identify and contain compromised user accounts. Containing the account disrupts the attack and provides a layer of defence even after the initial breach.

Microsoft's response to the Akira ransomware outbreak reflects its continuing investment in security tooling, and the outcome shows the value of advanced endpoint protection. Given how quickly threats change, organisations need to take a proactive and attentive approach, including making sure every device is actually onboarded to the protection they rely on.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology (none of which can spot 100% of phishing emails), you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks.
