It was far too easy for a hacker to get the information
# Incident Report: Massive Ransomware Impact via Active Directory Credential Leak
## Executive Summary
A specialized Initial Access Broker (IAB) compromised a corporate network through a phishing campaign and deployed the Sliver framework to harvest user credentials. Because service account passwords had been stored in cleartext in Active Directory (AD) description fields, which any authenticated domain user can read, the attackers escalated from an ordinary user account to full domain administrative access. The result was total encryption of the Hyper-V infrastructure, deletion of backups, and a multi-month operational shutdown affecting over 2,000 users.
## Incident Details
- **Discovery Date:** Not explicitly disclosed (Published June 4, 2026)
- **Incident Date:** Predates June 2026
- **Affected Organization:** Not disclosed (Client of Reliance Cyber)
- **Sector:** Likely Technology/Development (based on developer service account usage)
- **Geography:** Likely UK (Consultant based in UK)
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed
- **Vector:** Phishing Campaign
- **Details:** A user’s endpoint was compromised via a phishing lure, leading to the execution of the Sliver offensive security framework.
### Lateral Movement
- Attackers captured initial victim credentials and performed internal reconnaissance.
- They queried Active Directory; by default, most attributes of most AD objects are readable by any authenticated member of "Domain Users", so no elevated rights were needed for this step.
- Those queries turned up service account passwords stored in cleartext in the "Description" and "Comment" fields of AD objects.
### Data Exfiltration/Impact
- **Credential Escalation:** Accessed passwords provided full domain administrative privileges.
- **Destruction:** Systematic deletion of all corporate backups to prevent recovery.
- **Ransomware Deployment:** Encrypted Hyper-V hypervisors and their underlying hosts, paralyzing the virtualized infrastructure.
### Detection & Response
- **Discovery:** Resulted from massive operational failure (ransomware).
- **Response Actions:** Engagement with Reliance Cyber for reactive consulting and incident recovery.
## Attack Methodology
- **Initial Access:** Phishing/Social Engineering.
- **Persistence:** Use of Sliver framework on the endpoint.
- **Privilege Escalation:** Exploitation of cleartext passwords stored in unencrypted AD attributes.
- **Defense Evasion:** Deletion of backups to bypass disaster recovery protocols.
- **Credential Access:** Credential harvesting via endpoint tools and AD attribute queries.
- **Discovery:** Active Directory reconnaissance (standard LDAP queries).
- **Lateral Movement:** Valid account usage with elevated privileges.
- **Impact:** Mass encryption of virtualization hosts (Ransomware).
## Impact Assessment
- **Financial:** Not specified, but implied to be high due to multiple months of downtime.
- **Data Breach:** Compromise of all service and domain credentials.
- **Operational:** 2,000+ users offline; full infrastructure shutdown for months.
- **Reputational:** High; case study used as an example of significant security negligence.
## Indicators of Compromise
- **Tools:** `Sliver` (Cross-platform C2 framework).
- **Behavioral:** Unusual LDAP/AD queries targeting the "description" or "userComment" attributes; deletion of backup snapshots/logs; mass encryption of `.vhdx` files.
## Response Actions
- **Containment:** System-wide shutdown and isolation (implied by "taken offline for months").
- **Eradication:** Extensive cleaning of Hyper-V hosts and restoration of identity services.
- **Recovery:** Long-term recovery efforts were required due to the absence of viable backups.
## Lessons Learned
- **The "Low Privilege" Fallacy:** The organization did not appreciate that standard users have read access to the majority of AD attributes by default, so anything written into those attributes is effectively visible to every account in the domain.
- **Shadow IT/Configuration:** In the absence of a formal tool, developers used AD description fields as a makeshift (and insecure) password manager.
- **Backup Integrity:** Because backups lived inside the same domain and identity perimeter as production, the stolen domain admin credentials were sufficient to delete them.
## Recommendations
- **Implement a Secret Management System:** Deploy a dedicated password vault (e.g., HashiCorp Vault, CyberArk, or Azure Key Vault) for service accounts.
- **Audit AD Attributes:** Regularly scan Active Directory for sensitive strings (passwords, API keys) in unencrypted free-text fields such as "Description" or "Notes", and treat any hit as a credential that must be rotated, not merely removed.
- **Immutable Backups:** Store backups off-domain (outside the AD identity perimeter) with immutability enabled so that they cannot be deleted even if domain admin credentials are stolen.
- **Endpoint Protection:** Deploy EDR/XDR solutions to detect and block the execution of offensive frameworks like Sliver.
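The "Audit AD Attributes" recommendation and the "Low Privilege" lesson above both come down to the same control: periodically read the free-text attributes every domain user can already read, and flag anything that looks like a credential before an attacker does. The script below is an added example written for this report; it is not code from Reliance Cyber or from the incident. It assumes the input is an LDIF export of user objects (for instance from `ldifde` with an attribute list of `description`, `info` and `comment`; in the ADUC console the "Notes" box is the `info` attribute) and that the set of free-text attributes worth scanning is `description`, `info`, `comment` and `userComment`. The sample export embedded in the script is constructed for the example. Findings deliberately report the object and attribute but never the matched value, so the audit output does not itself become a new cleartext copy of the secret.

```python
import base64
import re
from typing import Dict, List

# Constructed sample LDIF export (the shape `ldifde -f out.ldf ...` produces); not data from the incident.
SAMPLE_LDIF = """\
dn: CN=svc-build,OU=Service Accounts,DC=corp,DC=example
objectClass: user
sAMAccountName: svc-build
description: Jenkins build account - pw: Build!2024# (ask dev team)
info: rotated Jan

dn: CN=svc-backup,OU=Service Accounts,DC=corp,DC=example
objectClass: user
sAMAccountName: svc-backup
description: Veeam service account
comment: Password = Winter2024!

dn: CN=jsmith,OU=Users,DC=corp,DC=example
objectClass: user
sAMAccountName: jsmith
description: Developer, platform team
info: Desk 4B; ext 2210

dn: CN=svc-api,OU=Service Accounts,DC=corp,DC=example
objectClass: user
sAMAccountName: svc-api
description: api key sk_test_EXAMPLE_0123456789abcdef for staging
"""

# Assumed set of free-text attributes to audit (lower-cased; LDIF attribute names are case-insensitive).
FREE_TEXT_ATTRS = ("description", "info", "comment", "usercomment")

# A credential keyword followed (optionally after ':' or '=') by a non-blank value of at least 4 characters.
KEYWORD_RE = re.compile(
    r"\b(?P<kw>pass(?:word|wd|phrase)?|pwd|pw|secret|api[ _-]?key|token)\b\s*[:=]?\s*(?P<val>\S{4,})",
    re.IGNORECASE,
)
# A long run (16+) of key-like characters containing both a digit and a letter: a cheap entropy proxy.
TOKEN_RE = re.compile(r"(?=[^\s]*\d)(?=[^\s]*[A-Za-z])[A-Za-z0-9_\-+/=!#$%]{16,}")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of {attribute: [values]} records (attribute names lower-cased)."""
    unfolded: List[str] = []
    for line in text.splitlines():
        # LDIF folds long values onto continuation lines that begin with a single space.
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip():            # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):       # "attr:: <base64>" form, used by ldifde for non-ASCII values
            value = base64.b64decode(value[1:].strip()).decode("utf-8", errors="replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def classify(value: str) -> List[str]:
    """Return the reasons a free-text value looks like it holds a credential (empty list if it does not)."""
    reasons: List[str] = []
    m = KEYWORD_RE.search(value)
    if m:
        reasons.append(f"keyword {m.group('kw')!r} followed by a value")
    if TOKEN_RE.search(value):
        reasons.append("long mixed alphanumeric token (possible key/secret)")
    return reasons


def scan_records(records: List[Dict[str, List[str]]]) -> List[Dict[str, object]]:
    """Flag (dn, attribute) pairs whose value looks like a credential. The value itself is not reported."""
    findings: List[Dict[str, object]] = []
    for rec in records:
        dn = rec.get("dn", ["<no dn>"])[0]
        for attr in FREE_TEXT_ATTRS:
            for value in rec.get(attr, []):
                reasons = classify(value)
                if reasons:
                    findings.append({"dn": dn, "attribute": attr, "reasons": reasons})
    return findings


def scan_ldif(text: str) -> List[Dict[str, object]]:
    return scan_records(parse_ldif(text))


if __name__ == "__main__":
    for f in scan_ldif(SAMPLE_LDIF):
        print(f"{f['dn']}  [{f['attribute']}]  {'; '.join(f['reasons'])}")
```

Run against the embedded sample, the scan flags the `description` of svc-build, the `comment` of svc-backup and the `description` of svc-api, and leaves the ordinary user object alone. Every hit should be handled as a confirmed credential exposure: rotate the secret, move it to the vault, and only then clear the attribute, since the cleartext value has been readable by every domain account for as long as it sat there.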