During the pandemic HALOCK and the information security community have been responding to a significant spike in cyber security incidents. Threat actors have been using strikingly similar attack patterns to exploit vulnerabilities in remote work environments. We will be providing our newsletter recipients with weekly bulletins to alert you to these common vulnerabilities and what you should do to address them.
EXFILTRATING REMOTE USER ACCOUNTS TO INJECT RANSOMWARE

Incident Summary: Adversaries used a phishing campaign to exfiltrate authentication credentials and corporate VPN settings from remote users. The incident led to the organization suffering a significant financial impact after negotiating a Bitcoin payment to recover its data.

DESCRIPTION
The attacker collected authentication credentials and VPN configurations from victims through a phishing campaign and used the compromised information to gain access to the internal network. The attacker then installed the Mimikatz password extractor to retrieve Windows service account credentials. With the use of an elevated privileged account, the malicious user was able to propagate MedusaLocker ransomware on corporate assets. Lastly, a consultant was hired to negotiate the payment and recovery of information.

VULNERABILITY
Office 365 and the corporate VPN solution lacked strong authentication controls.

TESTING FOR THE VULNERABILITY
End-users use only a username and password to authenticate to Office 365 and the corporate VPN solution.

MITIGATING THE VULNERABILITY
Implement multi-factor authentication (MFA) so that adversaries cannot replay compromised credentials against remote services.
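One way to perform the test above for the Office 365 side, as an added example that is not HALOCK's own tooling: list every enabled user who has no MFA method registered, since those are the accounts a phished password alone still unlocks. It assumes the MSOnline PowerShell module is installed and that Connect-MsolService has already been run with an account allowed to read user objects; the output file name is a placeholder.

```powershell
# Added example (not from HALOCK): inventory Office 365 accounts that can still sign in
# with only a username and password. Assumes the MSOnline module is installed and
# Connect-MsolService has already been run.
$report = Get-MsolUser -All |
    Where-Object { -not $_.BlockCredential } |     # ignore accounts already blocked from signing in
    ForEach-Object {
        $methods = $_.StrongAuthenticationMethods          # registered MFA methods (may be empty)
        $state   = $_.StrongAuthenticationRequirements.State   # per-user MFA: Enabled, Enforced, or empty
        [PSCustomObject]@{
            UserPrincipalName = $_.UserPrincipalName
            PerUserMfaState   = if ($state) { $state } else { 'Disabled' }
            MethodsRegistered = $methods.Count
            DefaultMethod     = ($methods | Where-Object IsDefault).MethodType
            Exposed           = ($methods.Count -eq 0)   # no second factor at all
        }
    }

# Accounts with no registered method are the ones to prioritise for MFA enrollment.
$report | Where-Object Exposed | Sort-Object UserPrincipalName |
    Format-Table UserPrincipalName, PerUserMfaState, MethodsRegistered -AutoSize

# Keep the full inventory as evidence for the remediation ticket (placeholder path).
$report | Export-Csv -Path .\o365-mfa-coverage.csv -NoTypeInformation
```

The per-user MFA state shown here does not reflect MFA enforced through Conditional Access policies, so an account listed as Disabled may still be protected by such a policy; the registered-method count is the more reliable indicator of exposure.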
WHAT YOU MUST DO NOW
CONTACT YOUR PREFERRED HALOCK TEAM MEMBER FOR MORE COMPREHENSIVE ADVICE
If you are concerned that your recent configurations to support a remote work force have exposed you to correctable vulnerabilities, please directly contact your preferred HALOCK team member. We can walk you through a more comprehensive list of vulnerabilities that we are seeing in the field. If you do not have a preferred HALOCK team member, contact us here and select “Secure Home-to-Office Transition Discussion” as your Area of Interest. We will have a HALOCK team member reach out to you to schedule a call.
After having responded to so many breaches these past few weeks we cannot stress enough how important it is to adopt expected security practices as we proactively prepare for phase 2 of this pandemic, as well as the return to the office.
CYBER SECURITY SERVICES TO MITIGATE YOUR RISKS
HALOCK also provides the following services to help our clients prevent these types of attacks:
- Security Awareness Training
- Threat Monitoring Services
- VPN Architecture Assessment
- Incident Response Services, including IR planning and training
HALOCK Threat Monitoring Partner Solutions
- Sophos Endpoint Protection
- Carbon Black Cloud-native Endpoint Protection
- Duo Security Multi-Factor Authentication Services
Keep safe and stay secure.
HALOCK is headquartered in Schaumburg, IL, in the Chicago area, and advises clients throughout the US on reasonable information security strategies, third-party risk management, risk assessments, penetration testing, security management and architecture reviews, HIPAA, privacy and PCI compliance, and incident response and forensics.