During the pandemic HALOCK and the information security community have been responding to a significant spike in cyber security incidents. Threat actors have been using strikingly similar attack patterns to exploit vulnerabilities to remote work environments. We will be providing our newsletter recipients with weekly bulletins to alert you to these common vulnerabilities, and what you should do to address them.

 

EXFILTRATING REMOTE USER ACCOUNTS TO INJECT RANSOMWARE

Incident Summary: Adversaries utilized a phishing campaign to exfiltrate authentication credentials and corporate VPN settings from remote users. Incident led to the organization suffering a significant financial impact after negotiating a Bitcoin payment to recover their data.

DESCRIPTIONVULNERABILITY
Collected authentication credentials and VPN configurations from victims through a phishing campaign. Utilized compromised information to gain access to the internal network. Then, the attacker installed Mimikatz passwords extractor to retrieve Windows service accounts. With the use of an elevated privileged account the malicious user was able to propagate MedusaLocker ransomware on corporate assets. Lastly, a consultant was hired to negotiate the payment and recovery of information.Office 365 and the corporate VPN solution lacked strong authentication controls.
TESTING FOR THE VULNERABILITYMITIGATING THE VULNERABILITY
End-users utilize only a username and password to authenticate for Office 365 and the corporate VPN solution. 

Implement multi-factor authentication (MFA) to prevent adversaries from performing replay attacks on remote services with compromised accounts.

WHAT YOU MUST DO NOW

  • Apply MFA to VPN accounts as soon as possible.
  • Apply MFA to O365 as soon as possible.
  • Deploy anti-exploit monitoring modules to endpoint protection solutions
  • While switching critical security services, such as network filtering at firewalls and routers, monitoring at SIEM devices and sensors, etc. Let the old and new services overlap. DO not allow a gap between the old and new services.

 

CONTACT YOUR PREFERRED HALOCK TEAM MEMBER FOR MORE COMPREHENSIVE ADVICE

If you are concerned that your recent configurations to support a remote work force have exposed you to correctable vulnerabilities, please directly contact your preferred HALOCK team member. We can walk you through a more comprehensive list of vulnerabilities that we are seeing in the field. If you do not have a preferred HALOCK team member, contact us here and select “Secure Home-to-Office Transition Discussion” as your Area of Interest. We will have a HALOCK team member reach out to you to schedule a call.

After having responded to so many breaches these past few weeks we cannot stress enough how important it is to adopt expected security practices as we proactively prepare for phase 2 of this pandemic, as well as the return to the office.

CYBER SECURITY SERVICES TO MITIGATE YOUR RISKS

HALOCK also provides the following services to help our clients prevent these types of attacks

HALOCK Threat Monitoring Partner Solutions

  • Sophos Endpoint Protection
  • Carbon Black Cloud-native Endpoint Protection
  • Duo Security Multi-Factor Authentication Services

Keep safe and stay secure.

HALOCK is headquartered in Schaumburg, IL, in the Chicago area and advises clients on reasonable information security strategies, third-party risk managementrisk assessmentspenetration testingsecurity management and architecture reviews, and HIPAAPrivacy, & PCI complianceincident response and forensics throughout the US.