Industrial cybersecurity firm Dragos today disclosed what it describes as a “cybersecurity function” after a recognized cybercrime gang tried to breach its defenses and infiltrate the interior network to encrypt devices.
Although Dragos states that the menace actors did not breach its network or cybersecurity system, they bought access to the firm’s SharePoint cloud assistance and contract management process.
“On May well 8, 2023, a identified cybercriminal group attempted and failed at an extortion plan against Dragos. No Dragos devices were being breached, which include anything connected to the Dragos Platform,” the corporation reported.
“The felony group acquired entry by compromising the particular electronic mail tackle of a new sales personnel prior to their get started day, and subsequently employed their personalized info to impersonate the Dragos staff and achieve original methods in the worker onboarding system.”
Soon after breaching Dragos’ SharePoint cloud system, the attackers downloaded “normal use info” and accessed 25 intel experiences that had been typically only obtainable to prospects.
In the course of the 16 hours they experienced accessibility to the employee’s account, the threat actors failed to also accessibility various Dragos systems—including its messaging, IT helpdesk, economic, request for proposal (RFP), personnel recognition, and internet marketing systems—due to position-based access regulate (RBAC) principles.
After failing to breach the company’s interior community, they despatched an extortion e-mail to Dragos executives 11 several hours into the assault. The message was examine 5 hrs afterwards simply because it was despatched outside the house enterprise hrs.
5 minutes immediately after reading the extortion concept, Dragos disabled the compromised person account, revoked all lively sessions, and blocked the cybercriminals’ infrastructure from accessing business assets.
“We are assured that our layered stability controls prevented the menace actor from accomplishing what we think to be their primary aim of launching ransomware,” Dragos explained.
“They were also prevented from accomplishing lateral motion, escalating privileges, developing persistent access, or generating any variations to the infrastructure.”
The cybercrime team also tried to extort the firm by threatening to publicly disclose the incident in messages despatched by means of general public contacts and private e-mails belonging to Dragos executives, senior employees, and their household members.
“Though the exterior incident response agency and Dragos analysts come to feel the celebration is contained, this is an ongoing investigation. The info that was lost and very likely to be produced public mainly because we chose not to spend the extortion is regrettable,” Dragos stated.
The criminals definitely grew pissed off for the reason that we never attempted to get in touch with them. Spending was never ever an possibility. They continued to simply call me, threaten my household, and the family members of quite a few of our staff members by their names. We hope sharing this can support other companies get ready.
— Robert M. Lee (@RobertMLee) Could 10, 2023
1 of the IP addresses mentioned in the IOCs (144.202.42[.]216) was formerly spotted hosting SystemBC malware and Cobalt Strike, both normally utilized by ransomware gangs for distant entry to compromised techniques.
CTI Researcher Will Thomas from Equinix instructed BleepingComputer that SystemBC has been made use of by various ransomware gangs, like Conti, ViceSociety, BlackCat, Quantum, Zeppelin, and Enjoy, building it challenging to pinpoint what risk actor is driving the attack.
Thomas reported that the IP tackle has also been found utilised in current BlackBasta ransomware attacks, maybe narrowing down the suspects.
A Dragos spokesperson mentioned they’d reply later on when BleepingComputer attained out for additional information on the cybercrime team at the rear of this incident.