Type of Attack: Phishing and Ransomware
Company Size: 600 employees
An attacker sent phishing emails to employees. One of the users opened the email, thought it was legitimate, and entered their username and password. Since most people reuse their computer password as their email password at work, the attacker was able to use the login details to access the VPN. Once inside, the attacker conducted reconnaissance, figuring out “who’s who” in the organization, and proceeded to send emails to targeted individuals from the compromised email account.
The attacker was inside the organization undetected for several months, and gained access to administrative accounts. They deciphered the timing of invoices and expected payments and obtained the company’s bank wiring details.
The attackers wired approximately $300,000 from the company’s bank account into their personal account. Additionally, they sent a number of pending invoices with updated false payment information, so the money would come to them when payment was made. If that wasn’t enough, the attackers also set off a ransomware attack, encrypting all of the company’s computer assets.
What We Did
There was a lot of cleanup work that needed to be done because of this attack, but our team dug in and devoted more than 300 man hours to get the job done. The company had 300 workstations, all of which needed to be reloaded due to the ransomware attack. We arrived on site and set up camp in a large conference room. We set up an imaging service to create copies of all of the computers. Fortunately, the company had encrypted backups and a SAN (Storage Area Network) snapshot, which truly saved them from irreparable damage.
We used the backups to start restoring services. Our team’s expertise and the additional hardware we brought in to help with remediation enabled us to get their business back up and running within three days. All of the workstations were reimaged within five days. Unfortunately, there was one site for which they did not have quality backups. They did end up having to pay the ransom for this data. We were, however, able to help negotiate the amount down from roughly $850,000 to approximately $600,000. In these situations, companies are often powerless, as these ransomware attacks originate from non-extradition countries, leaving no options for recourse.
Regular, encrypted, and “air gapped” backups are a critical component of cybersecurity. Air gapping is the act of disconnecting the backup device from the network, so it can’t be compromised if the entire network is attacked. Failure to take these types of proactive measures can cost you dearly if an attack occurs. Employees should be educated on phishing attacks, and companies should make sure login credentials are not reused across email and network access.
Type of Attack: Business Email Compromise (BEC)
Company Size: 120 employees
The President of the company began to notice some irregularities with his emails. Specifically, clients and customers would mention they had emailed him, but he hadn’t received the emails. These messages often dealt with company finances, making it a serious matter. The CEO reached out to his Managed Service Provider (MSP) to investigate. The MSP found some suspicious email forwarding rules and removed them.
However, about a month later, the CFO received a phone call from a customer saying she had tried to wire money to the company, but it didn’t go through. The CFO wasn’t expecting payment until the following week. The customer had received an email from the President asking for the money to be wired that day, but it supplied different wiring instructions. The customer tried to wire the funds, but the transfer failed, which prompted the CFO from the sending company to contact the construction company. It turned out there were other email forwarding rules still in play that were well-disguised to look like standard directories. They could be (and were) missed by the MSP a month prior. The attacker would have gotten hold of $100,000 had the wiring instructions not contained an error.
What We Did
We identified all of the forwarding rules the attackers had set up and tried to disguise, and removed them from the system. We also contacted the company that had attempted to send payment to let them know what had happened. We obtained the original email from that company and determined that it had been spoofed from the mail server of yet another breached company. We took extensive measures to harden the company’s email service, such as multi-factor authentication for all email users.
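Hidden inbox rules are the core of this case, so here is an added example (not Blue Team Alpha’s tooling) of the sweep a defender would run across an Exchange Online tenant to surface rules that forward or redirect mail, hide the evidence, filter on financial keywords, or carry names that mimic standard folders. It assumes the ExchangeOnlineManagement module, an admin account with rights to read mailboxes and inbox rules, and a placeholder admin address; the folder names and keywords are constructed heuristics to tune for your environment.

```powershell
# Added example: sweep all mailboxes for inbox rules with BEC-style characteristics.
# Assumes the ExchangeOnlineManagement module; admin@example.com is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding lives outside inbox rules and is easy to overlook
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Rule = '<mailbox forwarding>'; Enabled = $true
            Reason  = "ForwardingSmtpAddress=$($mbx.ForwardingSmtpAddress) ForwardingAddress=$($mbx.ForwardingAddress)"
        }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()
        # Any action that sends a copy elsewhere
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            $reasons += 'forwards or redirects mail'
        }
        # Hiding the evidence: delete, or file into a folder nobody reads
        if ($rule.DeleteMessage) { $reasons += 'deletes messages' }
        if ($rule.MoveToFolder -match 'RSS|Archive|Junk|Deleted|Conversation History') {
            $reasons += "moves mail to '$($rule.MoveToFolder)'"
        }
        # Names that mimic standard folders, blank names, or punctuation-only names are a disguise signal
        if ($rule.Name -match '^\s*$|^[\.\-_ ]+$|^(Inbox|Sent Items|Drafts|Archive|Junk Email|Deleted Items)$') {
            $reasons += "suspicious rule name '$($rule.Name)'"
        }
        # Conditions keyed on money talk are the BEC tell
        $words = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords)
        if ($words -match 'invoice|wire|payment|ach|remit|bank') { $reasons += 'financial keyword filter' }

        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name; Enabled = $rule.Enabled
                Reason  = ($reasons -join '; ')
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
# Confirm each hit with the mailbox owner, then remove with:
#   Remove-InboxRule -Mailbox <upn> -Identity '<rule name>'
```

Run this against an export taken before remediation as well as after, so a second pass (like the MSP's missed month) has a baseline to diff against.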
A main concern the company had was determining whether or not the attackers had gained access to anything other than email. We conducted a thorough investigation of their onsite computers, networks, and servers. Fortunately, we were able to validate that this was an isolated incident, providing the peace of mind the company sought.
Remediation for an attack requires cybersecurity expert help in order to be certain that 1) All threats have been removed and 2) The attacker has not infiltrated other areas of the organization.
Type of Attack: Phishing & Advanced Persistent Threat (APT)
Company Size: 2,000 employees
A company suddenly realized that $700,000 had been moved out of their bank account in error. Additionally, they weren’t receiving payments from some customers. It turned out an attacker was intercepting payment emails and rerouting the money to their own account. They quickly realized they were under attack and that the attacker had been deeply embedded in the organization for many months, unbeknownst to the organization.
What We Did
A member of our elite cybersecurity team went “head to head” with the attacker in order to evict them. Due to insufficient logging information and the attacker’s ability to cover their tracks, we were unable to determine a specific initial point of entry, but it was likely either a phishing email or poorly managed, vulnerable externally accessible servers.
The company was relying on a number of outdated systems and applications, many of which contain known vulnerabilities. An attacker can easily leverage these known vulnerabilities to gain access to the network.
In this situation, we were able to deliver what we call “reasonable containment.” The company’s systems were simply too outdated and improperly managed to be able to decisively deliver “full containment.” The attacker was evicted. Blue Team Alpha also contacted the FBI in an attempt to recover the funds. However, the company had waited too long to contact an incident response firm, and the FBI was unable to do so. The company has not had any additional cybersecurity issues in the more than 12 months since following Blue Team Alpha’s remediation recommendations.
Relying on outdated servers and applications that contain known vulnerabilities increases your chances of becoming victim of an attack. It also makes it harder to fully remediate an attack, potentially leaving your company at risk for future threats. We recommend taking a proactive approach to cybersecurity to shore up your defenses before an attack occurs.
Type of Attack: Ransomware
Company Size: 350 employees
A company that produced point-of-sale systems for major retailers was the victim of a ransomware attack on their servers. The ransomware encrypted roughly 90 percent of their 110 servers. When they went to check their backups, they actually saw the attacker at work, deleting their previous backup jobs from Veeam.
What We Did
Given the urgency of the situation, we went to a 24-hour schedule. Fortunately, the company had SAN (storage-area network) snapshots. We deployed all of our incident response tooling to contain the outbreak and limit further damage.
In ransomware cases, it’s important to make sure you identify any persistence mechanisms the attacker may leave behind. Every door must be closed. Often, ransomware attackers will try to leave a way to get back in. Even after you have survived this attack and regained your data, they can sell or trade the access information to someone else, leaving you susceptible to another attack. Antivirus products can’t find most of these mechanisms, which is why you can’t rely on software alone to detect and prevent ransomware attacks.
We took their entire production environment offline and restored everything from their SAN snapshots. We evicted the attacker, changed all of their passwords, conducted a full Office 365 review, and got them back up and running within a work week.
Attacks are changing and morphing at a rapid pace. Antivirus software cannot keep up with these changes. Four out of five attacks are not detected by a company’s anti-malware suite. In addition, most antivirus software only protects against identified code that has been found to be dangerous. Hackers have moved far beyond that simplistic approach to much more sophisticated methods. Advanced tooling and cybersecurity guidance from an expert team that is up-to-date on the latest threats is the fastest and most cost-effective way to hunt down, detect, and evict an attacker.