Old 06-22-2016, 03:32 PM   #67
Hack&Lube
Atomic Nerd
 
Join Date: Jul 2004
Location: Calgary

Quote:
Originally Posted by Rathji
Thought I responded to this on my phone, but I guess it didn't get submitted.

Should not, but could if the machine has domain trust. There are many known methods of escalating local admin rights on a domain joined machine to domain rights.

You can't compare this attack to any previous click-an-attachment-encrypt-my-documents ransomware attack that just hits Word docs and spreadsheets; this encrypted their "entire Exchange server", which I am guessing means the database, but of course they have not released details. Off-the-shelf protections are likely of very limited use, even if they use heuristic analysis to stop file encryption.

This is a targeted and likely customized attack, using what are likely zero-day or otherwise unreported exploits to gain access. You cannot stop a dedicated attacker from obtaining access to your network, but you can try to make it hard enough that it is not worth it.

That's where the UofC failed in this case, and it cost them $20k.

I think it's more of a question of people facepalming that a local user on a workstation (as the ransomware vector is through the permissions of the user who clicked on the attachment) has permissions to make file-level changes on an Exchange mailbox server or infect the whole database availability group. That should never be possible.
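The check the post implies, as an added example that is not part of the thread: on a mailbox server, enumerate where each mailbox database keeps its .edb file and transaction logs, then report any NTFS ACE or SMB share permission that grants write-class rights to a broad principal such as Domain Users or Authenticated Users, which is exactly the token a workstation user's ransomware would be running under. It assumes it is run from the Exchange Management Shell (for Get-MailboxDatabase) on Windows Server 2012 or later (for the SmbShare cmdlets); the list of "broad" principals is an assumption you should adjust to your own directory.

```powershell
# Added example, not code from the forum post. Assumes Exchange Management Shell
# on a mailbox server plus the SmbShare module (Windows Server 2012+).
# $BroadPrincipals is an assumed list of groups a workstation user is typically in.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    "$env:USERDOMAIN\Domain Users",
    "$env:USERDOMAIN\Domain Computers"
)

# Rights that let a caller alter or overwrite (i.e. encrypt) file content.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-BroadWriteAces {
    # Return every Allow ACE on $Path that gives a broad principal write-class rights.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        if ($BroadPrincipals -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# 1. Database file and log folder for every mailbox database hosted on this server.
$paths = Get-MailboxDatabase -Server $env:COMPUTERNAME | ForEach-Object {
    $_.EdbFilePath.PathName
    $_.LogFolderPath.PathName
} | Sort-Object -Unique

$fileFindings = foreach ($p in $paths) { Get-BroadWriteAces -Path $p }

# 2. Non-administrative SMB shares that give broad principals Change or Full access
#    over the network (the path a compromised workstation would reach the server by).
$shareFindings = Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -in 'Change', 'Full' -and
        $BroadPrincipals -contains $_.AccountName
    } | ForEach-Object {
        [pscustomobject]@{
            Share     = $share.Name
            Path      = $share.Path
            Principal = $_.AccountName
            Right     = $_.AccessRight
        }
    }
}

if (-not $fileFindings -and -not $shareFindings) {
    'No broad write access found on database/log paths or non-administrative shares.'
} else {
    $fileFindings  | Format-Table -AutoSize
    $shareFindings | Format-Table -AutoSize
}
```

Run it on each DAG member, not just one: database copies live on every member, and a writable copy directory on one node is enough to corrupt what replicates to the others. The share check is the one that most often surprises people, since a backup or scripting share created with the default "Everyone: Read" plus an added Change entry for Domain Users puts the database directory one UNC path away from any phished workstation.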