Cobalt Strike used in ransomware attack prevented by Cybersecurity


“As a result of the pandemic, it’s not unusual to find remote access applications installed on employee devices,” Jacobs explains.

“When we saw Screen Connect on 130 endpoints, we assumed it was there intentionally, to support people working from home. It turned out the company knew nothing about it – the attackers had installed the software to ensure they could maintain access to the network and compromised devices.”

The cyber-gang got onto the network by setting up remote access accounts and gaining admin privileges in order to use Cobalt Strike.

“From what we have seen in our investigations, there is a variety of methods used, most commonly it is users being phished often weeks or months earlier, then there is the exploitation over firewall and VPN vulnerabilities or brute-forcing RDP if it is exposed to the internet,” Sophos Rapid Response manager Peter Mackenzie told ZDNet.

Closely monitor your network

Sophos says there are steps every business needs to take to protect its network. The key is to close down initial access to your systems.
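The ScreenConnect finding above is the kind of thing a routine inventory audit catches: a remote-access tool is only legitimate if someone approved it for the hosts it is on. The following is an added illustration, not code from the article or from Sophos; the tool list, the approval policy and the five-host inventory are constructed for the example.

```python
from collections import defaultdict

# Remote-access products to audit. ScreenConnect is the one named in the article;
# the other two are constructed entries standing in for whatever an inventory agent reports.
REMOTE_ACCESS_TOOLS = {"ScreenConnect", "AnyDesk", "TeamViewer"}

# Constructed policy: which host groups are allowed to run which tool.
# A tool absent from this mapping is approved nowhere.
APPROVED = {"ScreenConnect": {"helpdesk"}}

# Constructed inventory: (hostname, host group, installed software names).
INVENTORY = [
    ("hd-01", "helpdesk", ["ScreenConnect", "Chrome"]),
    ("fin-01", "finance", ["ScreenConnect", "Excel"]),
    ("fin-02", "finance", ["ScreenConnect"]),
    ("eng-01", "engineering", ["AnyDesk", "VSCode"]),
    ("eng-02", "engineering", ["Git"]),
]


def audit_remote_access(inventory, approved=APPROVED, tools=REMOTE_ACCESS_TOOLS):
    """Return {tool: sorted hostnames} for every audited tool found on a host
    whose group is not approved to run it."""
    findings = defaultdict(set)
    for host, group, software in inventory:
        for name in software:
            if name in tools and group not in approved.get(name, set()):
                findings[name].add(host)
    return {tool: sorted(hosts) for tool, hosts in findings.items()}


def unapproved_share(inventory, findings):
    """Fraction of the fleet carrying unapproved remote-access software.
    A high share is what made the ScreenConnect installs look sanctioned, so
    breadth alone must never be read as approval."""
    affected = {host for hosts in findings.values() for host in hosts}
    return len(affected) / len(inventory) if inventory else 0.0


if __name__ == "__main__":
    found = audit_remote_access(INVENTORY)
    for tool, hosts in sorted(found.items()):
        print(f"{tool}: {len(hosts)} unapproved host(s): {', '.join(hosts)}")
    print(f"{unapproved_share(INVENTORY, found):.0%} of endpoints carry unapproved remote-access software")
```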