A Month In Breaches: May

This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will give an extra boost to your overall understanding of the security breaches happening across the expansive and scary internet.

TOLL GROUP COMPROMISED DATA DUMPED ON DARK WEB

Toll Group was infected by ransomware earlier this year, in February, and that attack proved costly for the company to recover from. Now a second strain of ransomware, named ‘Nefilim’, has hit Toll Group this month. This led the company to shut down its IT systems and servers to contain the infection. It was also discovered that the perpetrators responsible for deploying the ransomware have leaked about 200 GB of corporate data on the Dark Web. The attackers had exfiltrated the data from a Toll corporate server which contained employee information and details of commercial agreements with some of its current and former enterprise customers.

The ransomware that hit Toll Group is named Nefilim. It targets Remote Desktop Protocol (RDP) servers exposed to the internet: the attackers gain access through vulnerable RDP servers and then spread across the network once they have a foothold. Nefilim is a relatively new strain of malware. To mitigate incidents of this kind, employees should be educated about phishing emails and the risk they carry. Having a business continuity plan in place for when a cyber breach occurs is also essential for the smooth functioning of the organisation during a breach. Finally, keeping all systems up to date by applying software patches greatly reduces the risk of ransomware.

BLUESCOPE STEEL HIT BY RANSOMWARE

BlueScope Steel, one of the oldest steel manufacturers in Australia, was hit by ransomware this month. The ransomware hit servers situated in the United States. BlueScope officials have not yet named the strain of ransomware involved. However, it is believed that one or more employees could have opened malicious emails, which in turn could have compromised the network. The officials confirmed that this resulted in a halt to the company's digital production operations.

Ransomware infections are causing havoc to businesses around the globe and are considered one of the most serious cyber security threats. A business should always be ready to combat this threat. The majority of ransomware infections originate from an employee clicking on a malicious email, so it is essential for an organisation to have its email gateway set up and kept up to date to block suspicious emails before they reach the employee. Employ network segmentation across the organisation: once a hacker compromises one machine, they will want to move laterally across the network to compromise more machines and finally reach critical devices such as servers. CTRL Group also urges organisations to have an effective backup strategy, as having secure and up-to-date backups of all critical business information is the best form of defence against ransomware attacks.

CRAFTY PHISHING ATTACK BYPASSES MFA ON O365

A new phishing campaign is able to bypass multi-factor authentication (MFA) on Microsoft’s Office 365 to gain access to the victim’s data stored in the cloud. Researchers at the Cofense Phishing Defense Centre have found that the attackers leverage the OAuth2 framework and OpenID Connect (OIDC) protocol, using a maliciously crafted SharePoint link to trick users into granting permissions to a rogue application; the permissions are granted to the application directly, so MFA is bypassed. If successful, even the most basic form of the attack can steal all of the victim’s email and access cloud-hosted documents containing confidential information. The attack can be extended further by leveraging this confidential information to demand a bitcoin ransom. The most concerning part of the attack is that the attacker obtains refresh tokens, so the victim only needs to authenticate once for the attacker to retain ongoing access.

Phishing attacks are at an all-time high. Researchers have found that the URL used in a phishing attack can reveal the attacker’s bad intentions, but this is not easily noticed by people without strong technical experience. It is therefore vital to educate employees about such scenarios and make them aware of the consequences of clicking a malicious link and entering their credentials or other sensitive information. Up-to-date email filters and properly configured firewalls can also help in some cases by dropping suspicious emails before they ever reach the user’s inbox.
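As an added example (not code from the CTRL Group post or from Cofense), the following Python triage helper inspects a link reported by a user for the consent-phishing pattern described above: an authorisation request to Microsoft’s login endpoint that asks the user to grant an unapproved application mailbox and file permissions, together with the offline_access scope that causes a refresh token to be issued. The allow-lists of approved client IDs and trusted redirect domains, and the sample link, are constructed placeholders that an organisation would replace with its own tenant’s values.

```python
# Added example: flag the OAuth2 consent-phishing pattern in a reported link.
# Microsoft's authorize endpoint, the Graph permission names and offline_access
# are real; the allow-lists and the sample link below are constructed placeholders.
from urllib.parse import urlparse, parse_qs

AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.windows.net"}
# Constructed allow-lists: populate from the tenant's own approved apps/domains.
KNOWN_CLIENT_IDS = {"00000000-0000-0000-0000-00000000abcd"}
TRUSTED_REDIRECT_DOMAINS = {"contoso.com", "contoso.sharepoint.com"}
# Delegated Graph scopes that give a rogue app the mailbox/file access the article describes.
SENSITIVE_SCOPES = {"mail.read", "mail.readwrite", "files.read.all",
                    "files.readwrite.all", "sites.read.all"}


def assess_oauth_link(url):
    """Return a list of findings for a reported link; an empty list means nothing suspicious."""
    findings = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host not in AUTHORIZE_HOSTS or "/oauth2/" not in parts.path:
        return findings  # not an Azure AD authorisation request: out of scope here
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    scopes = set(q.get("scope", "").lower().split())  # scope is space-delimited
    client_id = q.get("client_id", "")
    redirect_host = (urlparse(q.get("redirect_uri", "")).hostname or "").lower()
    if client_id not in KNOWN_CLIENT_IDS:
        findings.append("client_id is not in the tenant's approved application list")
    if redirect_host and not any(redirect_host == d or redirect_host.endswith("." + d)
                                 for d in TRUSTED_REDIRECT_DOMAINS):
        findings.append("redirect_uri points to untrusted host " + redirect_host)
    if "offline_access" in scopes:
        findings.append("offline_access requested: a refresh token would be issued")
    hit = sorted(scopes & SENSITIVE_SCOPES)
    if hit:
        findings.append("sensitive Graph scopes requested: " + ", ".join(hit))
    return findings


# Constructed sample of a reported "SharePoint" link that is really a consent request.
REPORTED_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
                 "?client_id=11111111-2222-3333-4444-555555555555"
                 "&response_type=code"
                 "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
                 "&scope=openid+offline_access+Mail.Read+Files.Read.All")

if __name__ == "__main__":
    for finding in assess_oauth_link(REPORTED_LINK):
        print("-", finding)
```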

– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS, M-Singh & V-MSK