Threat Watch

Nefilim Actors Use Active Directory Account for a Month Before Deploying Ransomware

The actors behind the Nefilim (also known as Nemty) ransomware are making headlines for a recent intrusion in which the group took advantage of an Active Directory user account of a former employee for over a month without being detected. A report by Sophos noted that a vulnerable version of Citrix Storefront was installed at the time and was likely the initial point of intrusion. Remote Desktop Protocol (RDP) was used after exploitation to maintain remote access to systems. Mimikatz was then used to enumerate credentials store on the host, eventually compromising a domain administrator account. Unfortunately for the victim organization, the account used for the attack was a regular administrative account that had been left enabled after the employee had passed away. Because the account had been left enabled for services that were using it, no alarms had been triggered when the account saw activity again.

According to the researchers at Sophos, “The attacker gained access to that admin account, then spent one month quietly moving around to steal credentials for a domain admin account, finding the trove of data they wanted, exfiltrating hundreds of GB of data, and then finally announcing their presence with the ransomware attack.”


Binary Defense recommends updating to the latest version of Citrix Storefront to remediate security vulnerabilities. The compromised account used for the attack was unfortunately that of a deceased employee where services enabled were also relying on this account remaining active. Organizations should always create special service accounts with the least level of privileges required and with strong passwords (32+ characters, randomly generated) for services used in production. Personal accounts, especially ones with administrative privileges, should never be used for services in this way. Domain administrator accounts should also be used as sparingly as possible. Most actions in Active Directory environments can be granted to admins without this level of access. Event logs should also be monitored to alert whenever a new account has been granted full domain admin rights. Having a Security Operations Center that operates 24 hours a day and can investigate any suspicious activity or addition of a new administrator account is one of the best defenses to ensure that intrusions such as this are not allowed to persist.