Kaspersky: Do not become like John

Kaspersky's incident response team detected, investigated and later prevented an attack on a client organization that took place from 2017 through 2019 and resulted in a major leak of confidential data. The account of a local administrator was compromised because he neglected to change his password regularly.

This allowed attackers to break into the system, breach a number of workstations, create a backdoor, and collect data unnoticed.

Every organization, from small to large businesses, is susceptible to cyberattacks, regardless of the company's skill or the qualifications of its information security team, simply because of the human factor. This latest incident handled by Kaspersky's experts proves once again that even the slightest irresponsibility on the part of an employee can lead to an attack that causes significant damage to an organization.

The client, a large company, approached Kaspersky's investigators after detecting suspicious processes in the corporate network. Subsequent investigation revealed that the system had been compromised through the account of the local administrator (adm_Giannis), which was used to load a malicious dynamic library and later to steal data from the system. While it remained unclear how the administrator account was initially compromised, user inaction allowed the attack to persist for such an extended period of time. The administrator kept the password unchanged for the duration of the attack, instead of renewing it every three months as the company's security policy recommended. This gave the attackers consistent access to the target systems and resulted in the leak of thousands of confidential files.
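A quick way to catch the situation described above before it lasts two years is to audit password age on privileged local accounts. The script below is an added example, not Kaspersky's tooling; it assumes the 90-day rotation the policy mentions and Windows with the built-in LocalAccounts module.

```powershell
# Added example (not from the Kaspersky write-up): list enabled local accounts in the
# Administrators group whose password is older than the assumed 90-day rotation period.
$maxAgeDays = 90
$cutoff = (Get-Date).AddDays(-$maxAgeDays)

# Members of the local Administrators group that are local user accounts (not domain or group objects).
$adminNames = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object { ($_.Name -split '\\')[-1] }

Get-LocalUser |
    Where-Object { $_.Enabled -and ($adminNames -contains $_.Name) } |
    ForEach-Object {
        $lastSet = $_.PasswordLastSet
        # A null PasswordLastSet means the password was never set or the account predates tracking;
        # treat it as stale rather than silently skipping it.
        $ageDays = if ($lastSet) { (New-TimeSpan -Start $lastSet -End (Get-Date)).Days } else { $null }
        [PSCustomObject]@{
            Account         = $_.Name
            PasswordLastSet = $lastSet
            AgeDays         = $ageDays
            Stale           = (-not $lastSet) -or ($lastSet -lt $cutoff)
        }
    } |
    Where-Object Stale
```

Run it in an elevated session on each host; an account like adm_Giannis with AgeDays in the hundreds is exactly the finding the story turns on.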

To learn more about the attack and reduce the damage already caused by the criminals, the target organization and Kaspersky's security team decided to monitor the cybercriminals' activities instead of stopping them immediately. This helped identify that various organizations' systems were at risk from 2017 through 2019.

The attackers entered the system using the administrator account and uploaded malicious files directly to the network. The files included a dynamic library, as well as downloaders and a backdoor. These malicious files were hidden in the system through a modification of desktop, Start Menu and taskbar shortcuts. After the modification, when a user clicked on the shortcut, a malicious file was launched before the original application executable, which allowed the attackers to hide suspicious activity from the organization's security system.
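The shortcut tampering described above leaves a trace in the .lnk files themselves: the target or arguments no longer point straight at the expected application. The following audit script is an added example written for this article, not code from Kaspersky or Securelist; the locations it scans and the heuristics it applies (launcher binaries, user-writable paths, extra executables in the arguments) are assumptions chosen for illustration.

```powershell
# Added example: flag Desktop, Start Menu and pinned-taskbar shortcuts whose
# resolved target looks like a launcher for something other than the named application.
$shell = New-Object -ComObject WScript.Shell

# Shortcut locations users actually click on (per-user and all-users variants).
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
) | Where-Object { $_ -and (Test-Path $_) }

# Script/DLL hosts that a tampered "Word" or "Chrome" shortcut typically points at instead of the app.
$launchers = 'cmd.exe','powershell.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe'

Get-ChildItem -Path $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk       = $shell.CreateShortcut($_.FullName)
    $target    = $lnk.TargetPath
    $arguments = $lnk.Arguments
    $reasons   = @()

    if ($launchers -contains [IO.Path]::GetFileName($target).ToLower()) {
        $reasons += "target is a script/DLL launcher ($target)"
    }
    # Arguments that name another executable or script suggest "run X, then the real app".
    if ($arguments -match '\.(exe|dll|bat|cmd|vbs|js|ps1)\b') {
        $reasons += "arguments reference another executable: $arguments"
    }
    # Legitimate application shortcuts rarely resolve into user-writable directories.
    if ($target -match '\\(AppData|Temp|ProgramData|Users\\Public)\\') {
        $reasons += "target in user-writable location"
    }
    if ($target -and -not (Test-Path $target)) {
        $reasons += "target does not exist"
    }

    if ($reasons.Count -gt 0) {
        [PSCustomObject]@{
            Shortcut  = $_.FullName
            Target    = $target
            Arguments = $arguments
            Reasons   = ($reasons -join '; ')
        }
    }
}
```

Expect a few benign hits (installer-created shortcuts in ProgramData, for instance); the point is to baseline once and alert on changes, since a shortcut that suddenly starts resolving through rundll32.exe is the pattern this incident relied on.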

The way in which the backdoor was used, to allow full access to the "infected" system, was of greatest interest to the client and the researchers. Further analysis showed that it started several and searched for files using keywords and extensions. It also kept track of the metadata of the files that had been "downloaded" at a previous stage. It is worth noting that the backdoor was created specifically for this attack, with no other instances of its use identified for over a year. Additional monitoring also allowed the organization to learn how systems were breached and how shortcuts were modified to point to malicious files, and to build a large number of indicators for this particular attack.

"This case has shown that co-operation within the industry remains more important than ever, as it helps to gain valuable knowledge, prevent similar attacks and continue the fight against cybercrime more effectively. As criminals become more creative in their tactics and techniques, we need to expand the work we do together to be able to detect threats at an early stage and protect users and organizations," said Pavel Kargapoltsev, security expert at Kaspersky.

More information can be found on the dedicated website Securelist.com.

To protect the organization from targeted attacks like this, Kaspersky recommends:

Use the MITRE ATT&CK matrix and the STIX format to detect attacks in their early stages.
Apply EDR (Endpoint Detection and Response) solutions for endpoint-level detection, investigation and timely remediation of incidents.
In addition to adopting effective endpoint protection, implement a corporate-level security solution that detects advanced network-level threats at an early stage.
Engage specialists from outside the company if your internal security team lacks the resources to proactively hunt adversaries and neutralize threats before damage occurs.
Introduce security awareness training for all employees.

Note: all names and identities have been changed to protect the privacy of individuals and organizations.


Written by newsbot