Description

BHI Energy, a Massachusetts-based US energy services firm issued a data breach notification on October 18 about a recent data breach and subsequent ransomware attack. BHI Energy provides specialty services and staffing solutions for the energy industry. BHI Energy’s internal IT team first detected the encryption phase of the breach on June 29, 2023. Further investigation revealed that the attackers, a ransomware group named Akira, initially accessed the network on May 30, 2023, using an account compromised of a third-party contractor. This account enabled them to establish a VPN connection that allowed them to perform extensive network and data reconnaissance. Evidence showed that the group began exfiltrating data on June 18th. Some of the information included in the 690 GB of stolen data included the personal identifiable information of its present and former employees, as well as the company’s entire Active Directory database. Some of the stolen employee data included names, birth dates, social security numbers (SSN) and health information. On June 29th, the gang began encrypting the data at which point the company learned of the attack.


Identify Indicators of Compromise (IoC)

While BHI failed to identify the early stages of the attack, they were able to quickly identify the encryption phase of the attack, allowing the IT team to isolate the systems under attack and curb the attack from further propagation.


Actions Taken (If IOCs are identified)

Upon detecting the breach, BHI took immediate action and brought in an outside forensic consultant to take charge of eradicating the attack and recover all the involved systems. Additionally, they enlisted outside legal counsel to guide specific facets of their incident response plan, and informed law enforcement. The internal IT team was able to recover all the encrypted data without paying a ransom, thanks to the company’s backup system. As further protective measures, the team reset passwords across all enterprise accounts, expedited the rollout of an Endpoint Detection and Response (EDR) solution already in progress, retired obsolete systems, and instituted multifactor authentication (MFA) for their VPN platform.


Prevention (If IOCs are identified)

VPN accounts and other remote access solutions must extend beyond mere password protection and incorporate multifactor authentication (MFA). Many modernized VPN platforms utilize mobile security tokens that can be pushed to a smartphone authenticator app assigned to the designated user. A periodic inventory audit of all remote access accounts should be taken at regular intervals to determine if those accounts should still be active. Engaging with external contractors and third-party entities to verify the usage of allocated remote accounts is especially important. Establish security policies that adhere to the principle of least privilege (PoLP), ensuring VPN accounts access only the necessary network sections pertinent to their tasks.

To further fortify a company’s active directory infrastructure, it’s essential to house Domain Controllers within specialized subnets that are shielded by stringent policies to segregate them from the broader network. It is also important to deactivate any superfluous services on AD servers and consistently update them with the latest security patches. Organizations should minimize the number of domain and enterprise admin accounts and ensure they remain separate from individual user accounts.