The actors behind the Nefilim (also known as Nemty) ransomware are making headlines for a recent intrusion in which the group took advantage of an Active Directory user account of a former employee for over a month without being detected. A report by Sophos noted that a vulnerable version of Citrix Storefront was installed at the time and was likely the initial point of intrusion. Remote Desktop Protocol (RDP) was used after exploitation to maintain remote access to systems. Mimikatz was then used to enumerate credentials stored on the host, eventually compromising a domain administrator account. Unfortunately for the victim organization, the account used for the attack was a regular administrative account that had been left enabled after the employee had passed away. Because the account had been left enabled for services that were using it, no alarms had been triggered when the account saw activity again.
According to the researchers at Sophos, “The attacker gained access to that admin account, then spent one month quietly moving around to steal credentials for a domain admin account, finding the trove of data they wanted, exfiltrating hundreds of GB of data, and then finally announcing their presence with the ransomware attack.”
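The detection gap in this incident is a long-dormant account resuming activity, and an offboarded user's account still being accepted for logons, with nothing raising an alert. The following Python script is an added example, not code from the Sophos report or the original article; it runs over a constructed set of logon records (the timestamps, account names and host names are invented) and implements two simple checks a defender can run over a logon export: flagging any account that authenticates after more than a configurable number of days of inactivity, and flagging any logon by an account whose owner has been offboarded.

```python
from datetime import datetime, timedelta

# Constructed sample logon records (not real data): (timestamp, account, host).
# A real deployment would build this list from Windows Security event 4624 or a
# SIEM export; the record layout used here is an assumption for the example.
SAMPLE_LOGONS = [
    ("2020-09-01T08:02:00", "svc_backup", "FS01"),
    ("2020-09-02T08:05:00", "svc_backup", "FS01"),
    ("2020-09-03T09:00:00", "jdoe", "WS-42"),
    ("2020-09-04T08:01:00", "svc_backup", "FS01"),
    # roughly six weeks later the dormant "jdoe" account authenticates again
    ("2020-10-20T02:13:00", "jdoe", "CITRIX01"),
    ("2020-10-20T02:40:00", "jdoe", "DC01"),
]

# Constructed offboarding register (hypothetical): account -> date the user left.
# In practice this comes from HR or the identity system, not from AD itself.
OFFBOARDED = {"jdoe": "2020-09-10"}


def parse(records):
    """Convert ISO-8601 timestamps to datetime objects and sort chronologically."""
    return sorted((datetime.fromisoformat(ts), acct, host) for ts, acct, host in records)


def find_dormant_reactivations(records, dormant_days=30):
    """Return (account, timestamp, gap_days, host) for each logon that follows a
    gap longer than dormant_days since the same account's previous logon.
    Only the first logon after the gap is reported; later ones reset the baseline."""
    last_seen = {}
    alerts = []
    for ts, acct, host in parse(records):
        prev = last_seen.get(acct)
        if prev is not None:
            gap = ts - prev
            if gap > timedelta(days=dormant_days):
                alerts.append((acct, ts.isoformat(), gap.days, host))
        last_seen[acct] = ts
    return alerts


def logons_by_offboarded(records, offboarded):
    """Return (account, timestamp, host) for every logon by an account whose
    owner left on or before the logon date; such accounts should be disabled,
    so any hit is a finding regardless of how the account is being used."""
    cutoff = {acct: datetime.fromisoformat(d) for acct, d in offboarded.items()}
    return [
        (acct, ts.isoformat(), host)
        for ts, acct, host in parse(records)
        if acct in cutoff and ts >= cutoff[acct]
    ]


if __name__ == "__main__":
    for alert in find_dormant_reactivations(SAMPLE_LOGONS):
        print("dormant account reactivated:", alert)
    for finding in logons_by_offboarded(SAMPLE_LOGONS, OFFBOARDED):
        print("logon by offboarded account:", finding)
```

The dormancy check deliberately ignores how the account is used: a service account that logs on daily never trips it, while an account that has been silent for weeks does, which is exactly the signal missing in the incident above. The offboarding check is the stronger control, since it does not depend on a quiet period at all; an account on the register should have been disabled, and any logon is a finding.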