Cybersecurity company Dragos disclosed a cybersecurity breach and extortion attempt on 10 May 2023. The company reported that a group of cybercriminals attempted to breach its defenses and cause damage to its internal network, possibly by encrypting devices.
Image source: BleepingComputer
Although Dragos stated that the threat actors were not successful in their attempt on its network or any cybersecurity platform, the attackers were able to access the organization’s SharePoint cloud service and contract management system.
According to the company:
“On May 8th 2023, a group of known criminals attempted and failed at an extortion scheme against Dragos. No Dragos systems were compromised, inclusive of all platforms related to Dragos.”
Furthermore, they stated that:
“The criminal group gained access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process.”
After breaching the SharePoint platform, the attackers proceeded to download “general use data” containing intel reports available to Dragos customers; 25 intel reports were accessed by the threat actors.
It is noted that the attackers had access to the employee’s account for roughly 16 hours; however, they were unsuccessful in their attempts to access multiple systems (IT helpdesk, messaging platforms, financial request for proposal (RFP), employee recognition, and marketing systems) because of RBAC (Role-Based Access Control) rules on the Dragos network.
Incident response timeline (Dragos)
Image source: BleepingComputer
WHAT HAPPENED NEXT?
The failure of the attackers’ attempt to breach the company’s internal network forced them to try another approach: extortion. Within 11 hours of the attack, the attackers sent an email; however, the email was only read 5 hours later because it was sent outside business hours.
The company’s cybersecurity team took the drastic measure of disabling the affected user’s account immediately upon receiving the email. All active sessions were revoked, and the cybercriminals’ systems were blocked from maintaining persistent access to the company’s resources.
A statement from the company added:
“They were also prevented from accomplishing lateral movement, escalating privileges, establishing persistent access, or making any changes to the infrastructure.”
The threat actor group also attempted to extort the company by threatening to disclose the incident, in messages sent via public contacts and to private email addresses belonging to Dragos executives, senior employees, and their relatives.
Dragos went further, adding the following statement:
“While the external incident response firm and Dragos analysts feel the event is contained, this is an ongoing investigation. The data that was lost and is likely to be made public because we chose not to pay the extortion is regrettable.”
Image source: Twitter
The IP address listed in the IOCs (Indicators of Compromise), 144.202.42[.]216, was found in the SystemBC malware and Cobalt Strike databases, both of which are known to be used by ransomware groups to gain remote access to compromised systems.
“According to CTI research from Equinix’s Will Thomas, as told to BleepingComputer, SystemBC has been used by numerous ransomware gangs, including Conti, ViceSociety, BlackCat, Quantum, Zeppelin, and Play, which makes it difficult to trace the threat actors responsible for the attack.”
The IP address has also been seen in recent BlackBasta ransomware attacks, which helps narrow down the list of suspects.
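As an added example (not code from the article, Dragos, or BleepingComputer), the defanged IOC above can be refanged and checked against firewall logs for any connection to or from it; the log lines below are constructed samples, and one of them carries a near-miss address to show that matching is exact.

```python
import ipaddress
import re

# The IOC as published in the article, in defanged form ("[.]" replaces the dot).
DEFANGED_IOC = "144.202.42[.]216"

# Constructed sample firewall log lines (not from the article).
SAMPLE_LOGS = [
    "2023-05-08T09:12:01Z fw ACCEPT src=10.0.4.17 dst=144.202.42.216 dport=443 proto=tcp",
    "2023-05-08T09:13:44Z fw ACCEPT src=10.0.4.17 dst=52.96.0.10 dport=443 proto=tcp",
    "2023-05-08T09:15:09Z fw ACCEPT src=10.0.4.17 dst=144.202.4.216 dport=443 proto=tcp",
    "2023-05-08T09:16:30Z fw DENY src=144.202.42.216 dst=10.0.0.5 dport=3389 proto=tcp",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be compared with real log data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def find_ioc_hits(logs, iocs):
    """Return (line_number, matched_ip, line) for every log line touching a watched IP."""
    watch = {ipaddress.ip_address(refang(i)) for i in iocs}
    hits = []
    for n, line in enumerate(logs, 1):
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)  # rejects octets > 255
            except ValueError:
                continue
            if addr in watch:
                hits.append((n, str(addr), line))
                break  # one hit per line is enough for alerting
    return hits


if __name__ == "__main__":
    for n, ip, line in find_ioc_hits(SAMPLE_LOGS, [DEFANGED_IOC]):
        print(f"line {n}: contact with IOC {ip}: {line}")
```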
Please let us know in the comment section what you think about this.