Scenario
Org2 is a specialist technology company based in the UK. The Org2 IT security operations team responded to an alert from its corporate anti-virus provider that a copy of password-stealing malware had been found on three of its domain controllers. This was a serious incident, and an investigation was immediately launched.
The investigation found that a regular user had opened a phishing email that contained a link to a malicious site. Examination of the payload found that the site hosted an exploit for what was, at the time, a novel remote code execution vulnerability (0-day) in Adobe Flash.
The payload dropped by the exploit had gained high privileges on the user’s machine and disabled the antivirus, a common technique used by malware. The disabled antivirus was flagged by the centralized AV monitoring in Org2, and so a support call was automatically placed. An administrator had then logged into the machine with their domain account to understand why the AV was not functioning, and their domain credentials were stolen from that session.
The attacker had then attacked the internal network, including the domain controllers, using the stolen credentials. As part of these attacks, they had installed credential-stealing malware on the domain controllers and gained large numbers of plaintext credentials.
Although Adobe published a patch relatively quickly, Org2 had a period of exposure where no patch was available, and managed this through user awareness, stripping links from email, and ceasing the practice of logging onto user systems with domain credentials.
Specific Failures Leading to Compromise
Flash installed on user PC with no business case for its use
Administrator interacting with a suspect machine whilst using a domain account
Users insufficiently aware of risks of links in emails
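The second failure above (an administrator signing in to a suspect workstation with a domain account) is detectable from telemetry most organisations already collect. The following is an added example, not code from the Org2 case study: it correlates constructed AV-console "antivirus disabled" alerts with Windows 4624 logon records and flags credential-exposing logons by privileged accounts onto workstations. All hostnames, account names and the "WKS-" naming convention are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the Org2 incident): AV console alerts
# and Windows Security 4624 logon events, reduced to the fields the rule needs.
AV_ALERTS = [
    {"ts": "2021-03-01T09:02:00", "host": "WKS-0412", "event": "av_disabled"},
    {"ts": "2021-03-01T11:40:00", "host": "WKS-0077", "event": "av_disabled"},
]
LOGONS = [
    # Support admin signs in interactively (type 2) to the suspect workstation
    # with a domain admin account: the step that exposed Org2's credentials.
    {"ts": "2021-03-01T09:15:00", "host": "WKS-0412", "user": "CORP\\adm.jsmith", "logon_type": 2},
    # Network logon (type 3) leaves no reusable credentials on the host.
    {"ts": "2021-03-01T09:16:00", "host": "WKS-0412", "user": "CORP\\adm.jsmith", "logon_type": 3},
    # Ordinary user on an ordinary workstation: not in scope.
    {"ts": "2021-03-01T10:00:00", "host": "WKS-0500", "user": "CORP\\bjones", "logon_type": 2},
    # RDP (type 10) by an admin to a workstation days after its alert: policy breach only.
    {"ts": "2021-03-03T08:00:00", "host": "WKS-0077", "user": "CORP\\adm.kwu", "logon_type": 10},
]
PRIVILEGED_ACCOUNTS = {"CORP\\adm.jsmith", "CORP\\adm.kwu"}  # assumed Domain Admins members
CRED_EXPOSING_TYPES = {2, 10, 11}  # Interactive, RemoteInteractive, CachedInteractive

def is_workstation(host):
    # Assumed naming convention; in practice resolve against the asset inventory.
    return host.upper().startswith("WKS-")

def find_risky_admin_logons(av_alerts, logons, privileged, window_hours=24):
    """Findings for privileged, credential-exposing logons onto workstations.
    'high' if the host raised av_disabled within the preceding window (the Org2
    chain: AV killed -> support call -> admin logon); otherwise 'medium'."""
    window = timedelta(hours=window_hours)
    alerts_by_host = {}
    for a in av_alerts:
        if a["event"] == "av_disabled":
            alerts_by_host.setdefault(a["host"], []).append(datetime.fromisoformat(a["ts"]))
    findings = []
    for e in logons:
        if (e["user"] not in privileged or e["logon_type"] not in CRED_EXPOSING_TYPES
                or not is_workstation(e["host"])):
            continue
        t = datetime.fromisoformat(e["ts"])
        recent = [at for at in alerts_by_host.get(e["host"], []) if at <= t <= at + window]
        findings.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                         "logon_type": e["logon_type"],
                         "severity": "high" if recent else "medium",
                         "av_disabled_at": recent[0].isoformat() if recent else None})
    return findings
```

The medium finding is the standing policy breach Org2 ended up prohibiting; the high finding is the exact sequence that cost it the domain, and is the one to page on.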
Attack Timeline
Targeting to Compromise: 6 weeks (from domain registration & setup)
Compromise to Exfiltration: 4 days
Compromise to Discovery: 4 days
Method of Discovery: Internal – AV triggering on malware found on DCs
Threat Actor: External – highly targeted
Assets Compromised: End user system, Domain Credentials, Domain Controllers