Tracing the Digital Fingerprints of a Threat Actor

If you’ve got a robust security system in place and have a team member that has over 15 years of cybersecurity experience, you might feel like you’ve done enough to be safe. Unfortunately, for at least one business, that wasn’t enough.

We recently had a chance to chat with Luke Emrich, Director of Incident Response at Tetra Defense. He investigated the above case and shared what he learned as well as some tips for how organizations can better prepare for attacks.

 

Tetra Defense

Tetra helps businesses deal with ransomware attacks, business email compromises, IP theft investigations, and other incidents that need response and investigation. They help businesses improve their cybersecurity posture in accordance with the latest threats (and the latest solutions).

As one of Tetra’s case leads, Luke will be one of the first people that a client will speak to when an incident occurs. Together they will work through a game plan and strategy for how to investigate the event, and more importantly, how to recover and how to get the business up and running.

 

The Attack

It was a Saturday night when it was obvious that something was wrong at a medium-sized SAS company. The 15-year cybersecurity expert we alluded to in the introduction took copious notes from a security engineer late in the afternoon. Server shutdown alerts were coming in one after another and it became clear pretty early on that three separate attacks were happening simultaneously. So this wasn’t one burglar getting into one house, it was a simultaneous attack on three different houses in a neighborhood.

 

Find the Source

As Luke and Tetra started looking at the situation, they began with the high-value systems that the threat actor may have used as part of the attack. In this case, the threat actor used a tool called Cobalt Strike.

 

Cobalt Strike

Cobalt Strike is a tool that is often used by the US government and large businesses to emulate the tactics and techniques of a threat actor. In one exercise, one group of “hackers” will use Cobalt Strike to deploy a payload that creates a connection to a server. In the case we’re discussing, the threat actor used Cobalt Strike to deploy ransomware. This allowed the threat actor to go from controlling one computer to five, then ten, and so on exponentially.

 

Planning and Preparation

Because the company had plans in place for situations like this one, Luke and his team were able to move pretty quickly to try to look at the logs, which the threat actor had been clearing. But because the company had a very granular backup program as part of their planning for attacks, Luke and his team were able to find out when the system was compromised.

 

Not Just Malware

Luke is quick to point out that ransomware these days is not someone clicking on a bad link that downloads malware. Threat actors these days are likely to have done a lot of reconnaissance and know user names, passwords, and locations of key systems.

That’s why it’s important to figure out where the threat actor got in, so you can put protection in place to prevent it from happening again, but then can also restore systems from before that entry. If there aren’t backup protocols in place, restoration won’t be a matter of hours or days, but weeks or months.

 

Finding the Source

Luke and his team were initially focused on the corporate domain, because that’s where the most important and sensitive data was. But there was a separate domain that had a legacy environment and protocols on it. Even though the threat actor had been clearing the security logs, after a bit of digging Luke and the team were able to see that there had been a Bloodhound detection.

 

Bloodhound

Bloodhound is an open source project that was released in 2016. It was originally designed for offense: it looks at your setup to determine how big the attack path problem is for your business. You can think of it as a hammer that you can use to hammer nails to help build doors of security. But hammers can also be used to break down doors, and that’s what the threat actor was doing in this case: using Bloodhound to find weaknesses and the fastest paths to gain what they desired.

The use of Bloodhound in this particular case led to the realization of the team that there were local administrative credentials being used (remember the legacy environment we mentioned). Those credentials should have been changed when a new computer system was provisioned, but on the antivirus server that bridged the different domains (legacy vs current) the credentials were not changed. When they followed this path they found that not all the logs at that level had been cleared, which allowed the team to trace back to the original entry point.

 

Six Days Later

Luke had the initial call with the client on Saturday, but it wasn’t until the following Saturday that Tetra was able to come back with answers as to how the threat actor got in, when they got in, and how the company could use their backups to get back up and running. That meant there were six days of hard teamwork (often around the clock) running down leads and trying to follow clues.

 

Be Prepared

While a week seems like a long time, Luke emphasizes that this was actually a short time to restoration because the company had been prepared and followed a predetermined recovery plan. Some of that preparation includes:

  • Having a robust security program
  • Developing an incident response plan which includes how to act and when
  • Incorporating vulnerability management and patching
  • Ensuring ongoing monitoring of systems (this could be a security operation center or a product that’s watching for anomalous activity in your systems and potentially implementing containment steps if an event develops)

Thanks to the work of Luke and his team, the threat actors didn’t get a dime of the $800,000 in Bitcoin they wanted, and more importantly, this vulnerability was shared with Tetra’s clients to make sure that something similar didn’t happen to them as well.

If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from Datastream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support.

 

Click here to learn more about how we can help secure your business data!

www.thecybercrimelab.com

Disgruntled Former Employees Take Revenge

How it Started

It all started on a Friday morning when employees of a major staffing agency were locked out of an app on their mobile devices that allowed them to clock in and out. This app would track the hours they worked, allowing employees to get paid. The agency would also know how many hours to bill their customers. It’s a simple and paperless solution that works very well…when the technology cooperates.

Because the company was well-established, they also had a paper backup system in place ready to go just for scenarios like this one. However, this system was neither convenient for the hundreds of individuals involved nor guaranteed to be in compliance with different state laws regarding breaks, overtime, etc.

 

The Vendor Refuses to Help

With their client temporarily “fixing” the issue by switching to a paper backup system, the 1Path team started analyzing what had happened in order to fix the problem. Their credentials weren’t working and their first call was to the vendor of the app. They were not helpful. 1Path owned all the licenses for this application, and the vendor essentially said (with a straight face) that they couldn’t be sure that 1Path hadn’t themselves made the changes responsible for the problems affecting their client.

What had happened was that all user profiles had been deleted and only one (newly created) administrator account remained, [email protected]. Given the situation, Armon and Patrick were flabbergasted at the vendor’s attitude. (Especially given the name of the new administrator account, which would indicate an author with bad intent.) While 1Path was trying to solve a problem for one of their own end-users; they also very much considered themselves as an end-user in relation to their vendor. 1Path was definitely not feeling the love, especially given all the business they had done with this vendor over the years.

Given this temporary dead end, 1Path continued to follow its normal policies and procedures for crisis management. They determined that no current, or former, 1Path employee had access to the environment. This allowed them to create a roadmap to help them get the client up and running again.

While 1Path started the process of getting new, properly provisioned, mobile devices shipped out to hundreds of employees all around the country, they were still working with their vendor to find a faster solution.

The vendor finally agreed that they would be willing to release some information if:

  • An email was sent from a personal email address (not a company one)
  • With a signed letter from the CFO of the company

1Path waited for three days then called to follow up. It turned out that there was something in the letter that the vendor didn’t like and they hadn’t bothered to call to tell 1path what it was. 1Path jumped through some hoops to satisfy the vendor and finally got access to their account. They then found emails in the archive from years ago, when the client was first created, and with that, the vendor was finally able to reset 1Path’s account.

 

The Culprits

It turns out that the entire attack was orchestrated by two former employees of the client in question. Some time prior, 1Path had exposed the fact that these employees were spying on the email of the CEO, this had led to their dismissal. They then decided to get their revenge on 1Path and cost their former employer a lot of time and money, and their former colleagues a lot of hassle.

They had probably retained access to, or had a copy of, an administrative password that hadn’t been changed and didn’t require multi-factor authentication.

 

Lessons Learned

The first lesson that 1Path learned was directly related to this security hole. As a result, they implemented a forced password policy (making a user change the password upon login) combined with multi-factor authentication. They didn’t just do this with the client who had suffered the attack, they rolled it out across all their clients.

The password policy change was part of a larger conversation regarding collaboration with customers. Thus explaining the desire to be true partners, which meant abiding by standards that everyone could see would lead to better security. The conversation was also framed in the context that the instigators of the attack seemed to have a collaborative relationship, but “the good guys” didn’t have any collaborative plans in place.

1Path also learned that despite having a “relationship” with their vendor, when the chips were down, that vendor couldn’t be relied upon. The vendor had long contracts written by expensive lawyers ensuring that their liability, in situations like the one above, was almost nonexistent. That has led to 1Path building systems with more backups and redundancies, to make sure that they don’t ever have to rely on a vendor again the way they did in this particular case.

As we said at the beginning of this article, no one expects an IT provider to be perfect. Customers know that at some point there will be a crisis, and it will be in that crisis that a partnership will be tested. 1Path came out of this crisis stronger. They realized where they could improve and adjusted their expectations and policies accordingly.

If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from Datastream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support.

 

Click here to learn more about how we can help secure your business data!

www.thecybercrimelab.com

Surviving and Learning From Kaseya Cyberattack

When cyberattacks happen, most of us only hear reports from the media about what the FBI might be doing or how the company that was attacked is coping with it. We don’t often get a chance to hear from those on the front lines—from the businesses who were affected or from those who helped those businesses get back up and running.

Luckily, we had just such an opportunity recently, when Jay Tipton, CEO and Owner of Technology Specialists, appeared as a guest on the Cyber Crime Lab Podcast. Jay was one of the 50 managed service providers (MSPs) who were affected and he and his team worked day and night to clean workstations and servers and get his clients back in business.

To better understand what Jay shared, we need to know the facts of the case first.

 

The Kaseya VSA Ransomware Attack

Even those familiar with the basics of technology might not know what Kaseya or VSA mean.

Kaseya is a software company headquartered in Dublin that offers a framework for maintaining and managing IT infrastructure. The products it offers, including one called VSA, are used by MSPs around the world.

Kaseya VSA is a remote monitoring and management (RMM), endpoint management, and network monitoring solution.

Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. In the case of this attack, $70M in BTC was demanded by the attackers.

This particular ransomware attack was probably initiated by a gang known as REvil, which injected code into VSA.

 

What it Was Like on the Ground

Jay was at a client’s, working on a laptop, and saw a couple of Microsoft products close themselves before he signed off. He thought it might be a standard program bug. But as he headed back to the office, he spoke to one of his team who told him that multiple client calls coming in to say that their computers were down.

When he got back to the office, Jay saw ransomware on one of the computers and went straight into Technology Specialists’ network operation center (NOC) and literally started pulling plugs and turning things off until he could figure out what was going on.

Over the next few hours, it became clear that all his clients had their data encrypted as part of the attack and he had to fend off angry customers who wanted to hold him accountable.

You go from blaming yourself, to thinking of blaming others, to taking full responsibility, being totally numb, and not being able to do anything,” Jay said. He worked for almost two days straight before collapsing onto one of the company couches. He and his top engineer logged almost 500 hours each in the four weeks that followed.

During this time, two things happened that Jay and his customers had no say in:

  1. Kaseya refused to pay the ransom
  2. The FBI acquired a decryption key that it refused to share with Kaseya

The purpose of this article isn’t to critique either Kaseya or the FBI for their actions (that’s already been done) but to give context to what Jay and his team had to do. In the absence of the decrypt key, Jay offered a simple clean and restore of all the workstations and servers affected. This was an active move, as it meant not waiting for a decrypt key—which would take everything “back to normal”—but instead got companies off on the best foot they could manage with whatever backups they had in place.

Since Technology Specialists was itself affected by the attack, they had to find an old server that had contact information for clients to start making appointments to get the hardware fixed.

When they got started, Jay was overwhelmed by the support from clients and team members who pitched in with help—be it time or food. He even had ex-business partners and employees come in to help.

It took six weeks after the first day of the initial attack for all of Jay’s clients to be fully functional.

 

Prevention?

Jay notes that despite using industry best practices for his clients including two-factor authentication (2FA) on numerous applications, a vulnerability in software was still exploited.  That’s something we have to become increasingly aware of: that despite our best efforts and security measures, it’s likely to be a question not of if but when we deal with a cyberattack that affects us or our businesses.

With that inevitability in mind, Jay and his team have been putting together services that can respond more robustly to future attacks. Jay found that at some points during the attack there was so much information coming in and so little frame of reference to make the right decision, that he simply froze. Unable to make decisions, he wasn’t able to help anyone.

This situation will be remedied in the future. Veterans of the Kaseya attack will fly out by helicopter, if necessary, to more remote clients to help them with the decision-making process that Jay had to struggle with in July and August 2021. As Jay learned, “winning” in this scenario wasn’t about waiting for the authorities to “do something” but about finding a way to communicate with his clients and get a plan of action in place. It was that “can-do” attitude that ensured that Jay kept all but one of his 50 clients, some of whom had been there from the very beginning, in 1998, when Jay started the company. His actions under pressure are a helpful guide for anyone navigating a business crisis, particularly one as traumatic as a cyberattack.

If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from DataStream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support.

 

Click here to learn more about how we can help secure your business data!

www.thecybercrimelab.com

When Your Dream Employee Turns Out To Be a Foreign Spy

Click here to listen to the full podcast

When we talk about cybercrime, it’s easy to imagine a darkly-lit room filled with hooded hackers typing away, working towards unveiling top-secret information. This Hollywoodian scene plays out easily enough in our heads, but it feels very far away from reality.

 

The truth is this: Cybercrime happens on much smaller levels all the time in the US.

Andy Anderson, CEO of DataStream Insurance, recently sat down with James Turgal, VP of Optiv Inc., a leader in cyber advisory and solutions. Before entering into his current role, James spent 22 years with the FBI. Back in the 1990s, when cybercrime was just beginning, James was responsible for creating a cyber task force.

James was then named Executive Assistant Director for Global Information and Technology and became the FBI’s Chief Information Officer, or CIO. To put it simply, he gets cybercrime.

If you think your company is safe from a data leak or other cybercrime, think again. The upcoming story about one small midwestern manufacturing company will hopefully change your mind. They unknowingly became the victim of one of the biggest cybercrime organizations in the world.

 

The New Hire

It starts like this: A small midwestern manufacturing company with a particular type of intellectual property that they had built themselves decided to hire a new network engineer specialist. Their marketing and HR teams took to social media to find the perfect candidate. They shared information about the company across social networks like Facebook, Instagram, and Twitter. They also began scouting out recruits at local universities in the area.

They found several candidates and eventually settled on one applicant in particular. This guy was a rockstar. He breezed through the interview process and had a bunch of bright ideas that impressed the company, so they hired him. And they gave him access to everything—including their databases and all of their networks.

Fast forward to 18 months later and they find out that the rockstar employee had given all of their precious intellectual property to the Chinese government.

 

How The Leak Happened

It turns out that their new hire was a Chinese intelligence officer who was planted at one of the local universities in order to gain access to this particular intellectual property.

Remember: This is a small to medium-sized manufacturing company in middle America. It’s not related to national security and it has no connection to the defense industrial base. Companies like this one never believe that they’ll be a victim of cybercrime. They don’t think their stuff is important enough to be of interest.

 

So, why were they a target?

China has been implementing what they call “five-year refresh plans” for decades. Mao Zedong, chairman of the Communist Party in China and the founder of the People’s Republic of China, issued the first five-year plan in 1953, which set the stage for the Great Leap Forward in 1958.

The tenet of this plan was to make a major jump from an agrarian to an industrial-based economy. This five-year plan in particular resulted in the loss of over 15 million lives and the deadliest famine in human history.

In 2021, China’s National People’s Congress (NPC) issued the country’s 14th five-year plan. This refresh plan is focused on technology. What’s the easiest way to make such massive changes in such a short amount of time? Steal the information you need. No company is off the table—even a small midwestern manufacturing business.

 

How did they discover the leak?

After a year and a half of being an all-star employee, the new hire just doesn’t show up one day. The company then decided to do an internal audit and they saw that a whole bunch of data had been copied and downloaded.

There is something important to be noted here. The company had the tools in place to monitor what was going on within their networks, but they just weren’t really looking at them. They weren’t paying attention. The alarms were going off but no one was there to hear them.

 

Time to Call the FBI

When the company realized the data leak, the obvious next step was to try to talk to the employee to see what happened. Surprise, surprise, he was nowhere to be found. He was unreachable and likely had already left the country. So they decided to contact the FBI. If you find yourself in the same position, it’s important to get the FBI involved instead of the local police. Local law enforcement usually doesn’t have the tools or the ability to help.

James explains that the FBI has organizations that partner with the private sector for the protection of critical infrastructure in the US. One is called InfraGard, which connects owners and operators within this infrastructure to the FBI’s local cyber squad supervisor. Another is Optiv Inc., James’ company.

These partnerships between the FBI and Chief Security Officers (CSOs) and CIOs in key industries help companies protect themselves from cyber threats. These local divisions of the FBI are then able to monitor how much data is coming in and out of certain companies, and they can alert the CSO or CSI when they suspect there’s a problem.

The FBI tries to give local cyber divisions enough freedom to tackle their own local cases. That said, all of these local squads connect back to the FBI Cyber Division in Washington, and a wealth of information can be gleaned from these seemingly small cases.

 

What You Can Do to Protect Your Company

This story of a small midwestern company that was hacked by China is proof that no business is safe.

You can prepare yourself for an incident like this one by making sure that you always know what’s going on in your networks. You need to know what’s normal so that if you see something that’s off, you can connect directly with the FBI. It’s always better to make the call if you have your suspicions. You never know whether or not you’re part of a larger string of cybercrimes that affects several other companies.

You can also bring in a third party to do a cyber readiness or ransomware readiness assessment. Additionally, you should also always have a plan in place in case of an attack. And that plan should always start with a call to your local FBI division.

 

Conclusion

If one lesson can be learned from all of this, it’s that companies need to take a step back, recognize that cybercrimes can affect any type of company, and come up with a plan to prevent it.

If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from Datastream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support.

 

Click here to learn more about how we can help secure your business data!

www.thecybercrimelab.com

Learning More About the Realities of Cyber Attacks

While many people know that cyber attacks happen, they are often less familiar with “what happens next,” or the probabilities of such an attack happening to them or their organizations.

That’s why we started the Cyber Crime Lab Podcast, to shine a much-needed light on cyber crime through the stories of those people who’ve endured what is probably the worst day of their professional lives. We will also hear from the people and organizations who help victims recover from these attacks, and offer practical advice for those who don’t want to be the next chapter in this story.

Join Andy Anderson, CEO and Founder of Datastream Insurance, as he uses his decade-long experience in tech and insurance to break down these issues so you don’t need special qualifications to understand.

We look forward to educating and protecting you!

The Cyber Crime Lab Podcast, powered by DataStream Cyber Insurance

The Cyber Crime Lab Podcast is a show about cybercrime and cybersecurity. We explore the changes coming for the cyber security space, what threats they bring, and what businesses can do when prevention isn’t enough. Host Andy Anderson is a cyber security specialist. He’ll interview experts in the field of cyber security and victims of cyberattacks, providing practical examples and solutions for these new and challenging times.

Audio Video

www.thecybercrimelab.com