Dragos Worker Hacked, Revealing Ransomware, Extortion Scheme

One may argue that safety firms must be extra ready than most organizations to defend in opposition to a cyberattack. That was the case at Dragos not too long ago, when a recognized ransomware group tried, however failed, to extort cash from the safety vendor in a socially engineered assault that occurred after it compromised a brand new worker’s private e-mail account.

The assault occurred Might 8, with attackers having access to SharePoint and the Dragos contract administration system by compromising the private e-mail handle of a brand new gross sales worker previous to the particular person’s begin date, the corporate revealed in a weblog put up on Might 10. The attacker then used stolen private info from the hack to impersonate the worker and achieve preliminary steps in Dragos’ employee-onboarding course of.

Dragos’ swift response prevented the menace group from attaining its goal — the deployment of ransomware — or to interact in additional exercise, comparable to lateral motion, escalating privileges, establishing persistent entry, or making modifications to any Dragos infrastructure, the corporate mentioned.

“No Dragos programs had been breached, together with something associated to the Dragos Platform,” in accordance with the put up.

Nonetheless, the attackers did not cease there. As soon as the group’s preliminary compromise and ransomware technique was unsuccessful, it rapidly “pivoted to trying to extort Dragos to keep away from public disclosure,” the corporate mentioned. Attackers did this by sending a flurry of messages to Dragos executives that threatened to disclose the assault publicly in the event that they weren’t paid off.

In a creepy twist, the group even went as far as to get private within the messages, making references to the relations and private contacts of Dragos staff, in addition to sending emails to the private accounts of senior Dragos staff to elicit a response.

The corporate in the end determined that “one of the best response was to not have interaction with the criminals,” and managed to comprise the incident, in accordance with the put up.

Nonetheless, Dragos acknowledged a knowledge loss that can possible end in a public leak of knowledge as a result of the corporate selected to not pay a ransom, which is “regrettable.” Nonetheless, the corporate sticks by its determination to not have interaction or negotiate with cybercriminals, it mentioned.

Selling Cyber Transparency

It is not typically that safety firms reveal assaults that they expertise, however Dragos mentioned that it determined to take action for example of the way to defuse a safety breach earlier than it causes vital harm. Additionally, it wished to “assist de-stigmatize safety occasions,” the corporate wrote within the put up.

Certainly, as safety incidents have confirmed again and again, no firm — not even ones that appear firmly locked down is secure from assault, significantly with the present degree of attackers’ cleverness and class when utilizing social engineering techniques, in accordance with one safety skilled.

In truth, the Dragos narrative “is among the uncommon tales the place you hear a couple of actually crafted social engineering try and a fast discovery which led to minimal harm,” Roger Grimes, data-driven protection evangelist at safety agency KnowBe4, wrote in an emailed assertion.

The incident ought to drive consciousness to “the very energetic social-engineering scams which can be occurring within the hiring area” specifically, he wrote. In truth, not each firm is so fortunate, nor defends itself so nicely, Grimes famous.

“There are additionally many tales of employers hiring faux staff who existed solely to steal and rip-off from their employer, faux staff who really did not know their job and simply collected paychecks till they had been fired, and scams the opposite manner the place reputable job seekers had been scammed whereas searching for employment,” he says.

Response & Inside Mitigation Is Key Throughout a Cyberattack

Whereas an investigation into the incident is ongoing, Dragos was in a position to stop a extra severe assault attributable to swift response and a layered safety strategy by the corporate, which ought to present a blueprint for others, in accordance with the put up.

The corporate investigated alerts in its company safety info and occasion administration (SIEM) and blocked the compromised account, in addition to activated its incident response retainer with a service supplier, and engaged a third-party monitoring, detection and response (MDR) supplier to handle incident-response efforts.

“Verbose system exercise logs enabled the speedy triage and containment of this safety occasion,” the corporate mentioned.

To keep away from related assaults sooner or later, the corporate mentioned it has added a further verification step to additional harden its new-employee onboarding course of to make sure that the method used within the assault will not be repeated.

Furthermore, since each thwarted entry try was attributable to multistep entry approval, Dragos is also evaluating the enlargement of this technique to different programs primarily based on how vital they’re.

Cyber-Resilience Recommendation for Different Organizations

Dragos additionally made some suggestions for different organizations to assist keep away from the same assault state of affairs. The corporate suggested that the hardening of id and entry administration infrastructure and processes is in the end a baseline linchpin for each group in search of cyber resilience. And it is a good suggestion to implement separation of duties throughout the enterprise so nobody particular person has full run of the setting.

Organizations additionally ought to apply the precept of least privilege to all programs and providers, and implement multifactor authentication wherever potential, the corporate mentioned.

Different steps for avoiding the same worker compromise like Dragos suffered embody making use of specific blocks for recognized unhealthy IP addresses, and scrutinizing incoming emails for typical phishing triggers, together with the e-mail handle, URL, and spelling.

Lastly, organizations general ought to make sure that steady safety monitoring is in place, with examined incident response playbooks prepared in case an assault does happen, in accordance with Dragos.

Related Articles


Please enter your comment!
Please enter your name here

Latest Articles