
Notorious crooks broke into a company network in 48 minutes. Here's how.
arstechnica.com
Smash and grab

Report sheds new light on the tactics allowing attackers to move at breakneck speed.

Dan Goodin, Feb 21, 2025 1:17 pm

In December, roughly a dozen employees inside a manufacturing company received a tsunami of phishing messages so large that they were unable to perform their day-to-day functions. A little over an hour later, the people behind the email flood had burrowed into the nether reaches of the company's network. This is a story about how such intrusions are occurring faster than ever before and the tactics that make this speed possible.

The speed and precision of the attack, laid out in posts published Thursday and last month, are crucial elements for success. As awareness of ransomware attacks increases, security companies and their customers have grown savvier at detecting breach attempts and stopping them before they reach sensitive data. To succeed, attackers have to move ever faster.

Breakneck breakout

ReliaQuest, the security firm that responded to this intrusion, said it tracked a 22 percent reduction in the breakout time threat actors took in 2024 compared with a year earlier. In the attack at hand, the breakout time, meaning the span from the moment of initial access to the first lateral movement inside the network, was just 48 minutes.

"For defenders, breakout time is the most critical window in an attack," ReliaQuest researcher Irene Fuentes McDonnell wrote. "Successful threat containment at this stage prevents severe consequences, such as data exfiltration, ransomware deployment, data loss, reputational damage, and financial loss. So, if attackers are moving faster, defenders must match their pace to stand a chance of stopping them."

The spam barrage, it turned out, was simply a decoy.
It created the opportunity for the threat actors, most likely part of a ransomware group known as Black Basta, to contact the affected employees through the Microsoft Teams collaboration platform, pose as IT help desk workers, and offer assistance in warding off the ongoing onslaught.

Within minutes, at least two of the employees took the bait and followed instructions to open the Quick Assist remote access app built into Windows and hand off control of their desktops to the person on the other end. With that initial access, the breakout time clock was now ticking.

Gaining control of an employee device inside a targeted network is only the first in a long series of steps required to tunnel into the fortified regions and steal the sensitive data stored there. Most networks these days are segmented and access is scoped, so each device and account can reach only the resources needed for its assigned tasks.

The person who accessed one of the employees' devices knew that they had to move fast. In the first seven minutes, they connected the employee desktop to their remote command-and-control server over TCP ports 443 and 10443. Port 443 is the standard HTTPS port and 10443 is commonly used by TLS-wrapped services, so the command-and-control traffic blended in with ordinary encrypted traffic.

They then attempted to use SMB, the file-sharing protocol also built into Windows, to upload a malicious Dynamic Link Library file to a sensitive OneDrive directory responsible for performing updates. The technique, known as DLL sideloading, works by placing a malicious DLL file in the same directory as a vulnerable application. When an application loads a DLL by name rather than by full path, Windows searches the application's own directory before the system directories, so the malicious DLL placed there is the one that gets loaded.

When SMB failed, the attacker tried uploading the file using RDP, short for the Remote Desktop Protocol, combined with PowerShell. This time, the upload worked as planned. The attacker went on to use PowerShell to trigger the malicious payload to run under compromised administrator accounts.
With that, the attacker was able to connect to the control server from inside the targeted network, another key rung in the breakout ladder.

The attacker then used the connection to gain privileged system rights by accessing a service account, likely compromised earlier, used for managing an SQL database. Using credentials stored inside the database, the attacker created a new account and assigned it the highest administrative permissions available. The attacker used those privileged rights to scan the network for vulnerable targets using the SoftPerfect Network Scanner. Attackers and defenders alike often use this tool to identify resources that accounts inside a network have access to.

ReliaQuest and its customer have been unable to determine precisely how the attacker gained such access to the service account, but they speculate it was purchased from what's known as an initial access broker. These are a type of threat actor that focuses solely on compromising accounts and, when necessary, escalating privileges. The brokers then sell this access to others for use in breaches.

In any event, the attacker had now gained persistent, privileged access to the network and was in a position to exfiltrate sensitive data from it. The following image lays out the timeline. The breakout time begins at 5:47 pm and concludes at 6:35 pm, just 48 minutes later.

[Image: Timeline showing steps that occurred in a recent ransomware attack. The breakout time starts once an employee gave the attacker remote access to their desktop device. Credit: ReliaQuest]

Elements of success

A lot of planning, skill, and experience went into the breach. The spam decoy was effective because it contained no malicious links or attachments, giving it the appearance of an easily contained threat that did little other than make employee inboxes unable to function normally.
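The chain above (remote-assistance tool, outbound connections on TLS ports, a failed SMB write, a successful RDP pivot, then PowerShell on the new host) is exactly the kind of sequence a defender can correlate to catch an intrusion inside the breakout window. The following Python script is an added example, not code from the article or from ReliaQuest; it runs a simple correlation rule over constructed endpoint telemetry and computes the breakout time from the first Quick Assist launch to the first successful lateral movement. The event schema, field names, host names, the 203.0.113.0/24 and 198.51.100.0/24 addresses (documentation ranges), and the timestamps are all assumptions made for the example, not any vendor's log format or data from the incident.

```python
"""Correlate a remote-assistance session with C2-style egress and lateral movement.

Added example; not part of the original article or ReliaQuest's reports.
Event schema, hosts, addresses and timestamps are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str              # "process" | "netconn" | "smb_write" | "rdp_logon"
    detail: Dict[str, str]


def T(hhmm: str) -> datetime:
    # Constructed date; only the time of day matters for the example.
    return datetime(2024, 12, 12, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample telemetry (not real logs). 203.0.113.10 stands in for an
# attacker server, 198.51.100.5 for an allowlisted vendor endpoint.
EVENTS: List[Event] = [
    Event(T("17:47"), "WS-0142", "process", {"image": "quickassist.exe", "parent": "explorer.exe"}),
    Event(T("17:52"), "WS-0142", "netconn", {"dst": "203.0.113.10", "port": "10443"}),
    Event(T("17:54"), "WS-0142", "netconn", {"dst": "203.0.113.10", "port": "443"}),
    Event(T("17:55"), "WS-0142", "netconn", {"dst": "198.51.100.5", "port": "443"}),
    Event(T("18:10"), "WS-0142", "smb_write", {"target": "SRV-APP01", "path": "OneDrive\\Update\\version.dll", "status": "denied"}),
    Event(T("18:20"), "WS-0142", "process", {"image": "mstsc.exe", "parent": "explorer.exe"}),
    Event(T("18:35"), "WS-0142", "rdp_logon", {"target": "SRV-APP01", "user": "svc_sql", "status": "success"}),
    Event(T("18:37"), "SRV-APP01", "process", {"image": "powershell.exe", "parent": "explorer.exe"}),
    # A second workstation: a support session followed only by allowlisted traffic.
    Event(T("17:50"), "WS-0200", "process", {"image": "quickassist.exe", "parent": "explorer.exe"}),
    Event(T("17:58"), "WS-0200", "netconn", {"dst": "198.51.100.5", "port": "443"}),
]

ALLOWLIST = {"198.51.100.5"}          # known-good destinations on TLS ports
C2_PORTS = {"443", "10443"}           # ports the article says the attacker used
LATERAL_KINDS = {"smb_write", "rdp_logon"}


@dataclass
class Finding:
    host: str
    initial_access: datetime              # first quickassist.exe launch on the host
    c2: List[Event] = field(default_factory=list)
    lateral: List[Event] = field(default_factory=list)   # attempts, successful or not
    post_lateral: List[Event] = field(default_factory=list)  # processes on pivoted-to hosts
    first_lateral: Optional[datetime] = None

    @property
    def breakout_minutes(self) -> Optional[int]:
        if self.first_lateral is None:
            return None
        return int((self.first_lateral - self.initial_access).total_seconds() // 60)

    @property
    def alert(self) -> bool:
        # Remote-assistance tool + non-allowlisted egress on TLS ports + lateral activity.
        return bool(self.c2) and bool(self.lateral)


def correlate(events: List[Event], allowlist, window: timedelta = timedelta(hours=2)) -> Dict[str, Finding]:
    findings: Dict[str, Finding] = {}
    pivots: Dict[str, Finding] = {}   # host reached by lateral movement -> originating finding
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "process" and e.host in pivots:
            pivots[e.host].post_lateral.append(e)      # execution on the pivoted-to host
            continue
        if e.kind == "process" and e.detail.get("image", "").lower() == "quickassist.exe":
            findings.setdefault(e.host, Finding(e.host, e.ts))
            continue
        f = findings.get(e.host)
        if f is None or e.ts > f.initial_access + window:
            continue                                    # no session on this host, or outside window
        if e.kind == "netconn":
            if e.detail["port"] in C2_PORTS and e.detail["dst"] not in allowlist:
                f.c2.append(e)
        elif e.kind in LATERAL_KINDS:
            f.lateral.append(e)                         # denied SMB writes still count as evidence
            if e.detail.get("status") == "success":
                if f.first_lateral is None:
                    f.first_lateral = e.ts              # breakout clock stops here
                pivots[e.detail["target"]] = f


    return findings


def summarize(findings: Dict[str, Finding]) -> List[str]:
    lines = []
    for f in findings.values():
        lines.append(f"{f.host}: alert={f.alert} c2={len(f.c2)} lateral={len(f.lateral)} "
                     f"breakout_min={f.breakout_minutes} post_lateral={[p.detail['image'] for p in f.post_lateral]}")
    return lines


if __name__ == "__main__":
    for line in summarize(correlate(EVENTS, ALLOWLIST)):
        print(line)
```

The rule deliberately counts a denied SMB write as evidence of lateral movement while stopping the breakout clock only at the first successful pivot; in the constructed data that yields the article's 48 minutes for WS-0142 and no alert for WS-0200, whose support session was followed only by allowlisted traffic. In practice the allowlist and window would be tuned to the environment, and the process-on-pivot step is where the PowerShell launch on the target host is caught.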
It also gave the attacker a convincing pretext for contacting the employees and offering IT support.

"This low-tech but highly effective method allows threat actors to gain initial access and convince users to grant them control of their machines," ReliaQuest researcher John Dilgen wrote. "Given its success, it's likely that other threat groups will adopt this technique in the near future."

The attacker was also proficient in:

- using DLL side-loading, a technique that first requires identifying a vulnerable app running inside the network
- navigating through a maze of network directories using command-line tools, and having the agility and breadth of experience to switch to RDP and PowerShell once SMB failed
- relying solely on legitimate tools such as Quick Assist, Teams, SMB, RDP, and SoftPerfect to avoid detection, a technique defenders call living off the land
- painstaking research and preparation ahead of time, including the acquisition of a previously compromised service account they could use once they had gained initial access

Black Basta and most other ransomware groups are built on a model known as RaaS, short for ransomware as a service. Under this model, a core group develops the ransomware and rents it out to one or more affiliates. Often, two or more affiliates work together. This allows each affiliate to perform specific tasks, for instance: draft the initial spam messages, pose as IT help personnel, and burrow deeper into a network using command-line tools.

There are a variety of things organizations can do to harden their networks to withstand these sorts of attacks. Steps include uninstalling remote access apps like Quick Assist when they're not needed or restricting them to a small number of hosts, disabling accounts that are no longer needed, and establishing robust verification procedures so employees can confirm they're interacting with legitimate help-desk staff (for example, a callback to a known help-desk number or a ticket reference) before granting anyone control of their machine.
The above-linked posts lay out many other best practices.