Industrial cybersecurity company Dragos today disclosed what it describes as a “cybersecurity event” after a known cybercrime gang attempted to breach its defenses and infiltrate the internal network to encrypt devices.
While Dragos states that the threat actors did not breach its network or cybersecurity platform, they got access to the company’s SharePoint cloud service and contract management system.
“On May 8, 2023, a known cybercriminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform,” the company said.
“The criminal group gained access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process.”
After breaching Dragos’ SharePoint cloud platform, the attackers downloaded “general use data” and accessed 25 intel reports that were usually only available to customers.
During the 16 hours they had access to the employee's account, the threat actors also failed to access multiple other Dragos systems, including its messaging, IT helpdesk, financial, request for proposal (RFP), employee recognition, and marketing systems, because role-based access control (RBAC) rules denied the account access to them.
Incident timeline (Dragos)
After failing to breach the company’s internal network, they sent an extortion email to Dragos executives 11 hours into the attack. The message was read 5 hours later because it was sent outside business hours.
Five minutes after reading the extortion message, Dragos disabled the compromised user account, revoked all active sessions, and blocked the cybercriminals’ infrastructure from accessing company resources.
“We are confident that our layered security controls prevented the threat actor from accomplishing what we believe to be their primary objective of launching ransomware,” Dragos said.
“They were also prevented from accomplishing lateral movement, escalating privileges, establishing persistent access, or making any changes to the infrastructure.”
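One detection a defender could build from the account above, as an added example that is not Dragos's or BleepingComputer's code: flag a SharePoint account that bulk-downloads files within a short window, and mark it as higher risk when the activity predates the employee's official start date, which is the signal that would have preceded the containment steps (disable account, revoke sessions, block infrastructure) described here. The audit events, user names and start dates below are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SharePoint-style audit events (not real Dragos logs): a new-hire
# account pulling 25 reports in a few hours, plus normal analyst activity.
EVENTS = [
    {"user": "newhire@example.com", "op": "FileDownloaded",
     "file": f"intel-report-{i:02d}.pdf",
     "ts": datetime(2023, 5, 8, 2, 0) + timedelta(minutes=10 * i)}
    for i in range(25)
] + [
    {"user": "newhire@example.com", "op": "PageViewed",
     "file": "onboarding.aspx", "ts": datetime(2023, 5, 8, 1, 55)},
    {"user": "analyst@example.com", "op": "FileDownloaded",
     "file": "intel-report-01.pdf", "ts": datetime(2023, 5, 8, 9, 15)},
]

# Constructed HR data: the official start date of each account.
START_DATES = {
    "newhire@example.com": datetime(2023, 5, 15),
    "analyst@example.com": datetime(2021, 1, 4),
}


def find_suspicious_downloads(events, start_dates,
                              window=timedelta(hours=16), threshold=20):
    """Return one alert per account whose busiest `window` contains at least
    `threshold` distinct downloaded files; pre_start_date is True when that
    burst began before the account's official start date."""
    by_user = defaultdict(list)
    for e in events:
        if e["op"] == "FileDownloaded":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best, best_lo = 0, 0
        lo = 0
        for hi in range(len(evs)):  # sliding window over download timestamps
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            distinct = len({e["file"] for e in evs[lo:hi + 1]})
            if distinct > best:
                best, best_lo = distinct, lo
        if best >= threshold:
            first_ts = evs[best_lo]["ts"]
            start = start_dates.get(user, datetime.min)
            alerts.append({"user": user, "distinct_files": best,
                           "pre_start_date": first_ts < start,
                           "first_download": first_ts})
    return alerts
```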
The cybercrime group also attempted to extort the company by threatening to publicly disclose the incident in messages sent via public contacts and personal emails belonging to Dragos executives, senior employees, and their family members.
“While the external incident response firm and Dragos analysts feel the event is contained, this is an ongoing investigation. The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable,” Dragos said.
The criminals obviously grew frustrated because we never attempted to contact them. Paying was never an option. They continued to call me, threaten my family, and the family of many of our employees by their names. We hope sharing this can help other organizations prepare.
— Robert M. Lee (@RobertMLee) May 10, 2023
One of the IP addresses listed in the IOCs (144.202.42[.]216) was previously spotted hosting SystemBC malware and Cobalt Strike, both commonly used by ransomware gangs for remote access to compromised systems.
CTI Researcher Will Thomas from Equinix told BleepingComputer that SystemBC has been used by numerous ransomware gangs, including Conti, ViceSociety, BlackCat, Quantum, Zeppelin, and Play, making it hard to pinpoint what threat actor is behind the attack.
Thomas said that the IP address has also been seen used in recent BlackBasta ransomware attacks, possibly narrowing down the suspects.
A Dragos spokesperson said they’d reply later when BleepingComputer reached out for more details on the cybercrime group behind this incident.
- EndangeredPootisBird – 3 days ago
Businesses and governments should take note from these incidents, be it via this company or Cloudflare, that it isn't difficult to properly secure infrastructure and prevent full-scale breaches.
- LIstrong – 2 days ago
Dragos says that the employee’s email was compromised prior to hire, which presumes that BYOD was involved. Usually onboarding takes place before day 1 and many new hires do it on their personal BYOD.
At least one dominant commercial authentication app maintains control over BYOD phones in perpetuity, after the employee has left that employer. There is nothing the employee can do if the former employer wants to keep scraping, even if the authentication app has been deleted by the user and it's not visible in any phone setting. Wiping all data and resetting the device to factory, even if you create a new phone user ID, doesn't solve it. Apparently the authentication app persists on the phone, perhaps associated with the SIM or MAC address, or possibly all apps are never deleted. But this may be how this happened. Because if this authentication app persists from the former employer, they are in control of the device, not the user. So if an employee leaves under a contentious situation, and many do, the former employer's cyber team can wreak havoc for the employee with their new employer.
How to prevent it? Cyber companies or teams should dissuade new hires from signing up for onboarding on a phone. Ask new hires to complete it on a laptop, which should be scanned by the employer before any access to onboarding. No BYOD is ever appropriate for cyber companies. The risk that the new hire's former employers hacked the employee is just too great. Plus cyber staff are high-value targets, even those in sales.
Also major phone manufacturers should delete apps from memory. Authentication and most apps are very dangerous to persist.
The hint that the authentication app may be at issue is that the bad actors were able to access SharePoint. SharePoint should never be accessible to BYOD. It should only be accessible on work machines.
There’s no way to make a secure app. They all leak data. Data can be encrypted in transit but still can be scraped as it’s being typed.
- LIstrong – 2 days ago
One more observation, given that the hackers focused on sales-related info, contracts, RFPs, financial data and customer lists: this could very well be a competitor attacking them or hiring someone to do so.
If it was a foreign nation state, I think they'd sooner go after their customer technical and vulnerability data rather than sales-related info. The contracts, financial data and RFPs would be of no use to them.
Since the SVB and other regional bank crashes are accelerating, there's no money for funding, which many startups require for continued operations. Most startups aren't bootstrapped. So bad behavior like this may likely increase.
The other day a Twitter engineer posted a screenshot showing WhatsApp was listening to him. Corporate surveillance happens at every level and it's never benign.
- Hmm888 – 1 day ago
The latest trend is to pay these terrorists. Oh well…