
Dragos Hacked: Cybersecurity Firm Reveals “Cybersecurity Event”, Extortion Attempt


Industrial cybersecurity company Dragos recently disclosed a “cybersecurity event” in which a notorious cybercrime gang attempted to breach its defenses and gain access to the internal network in order to encrypt devices.

The firm disclosed the incident on its blog on May 10, stating that it took place on May 8, when the hackers gained access to SharePoint and the Dragos contract management system by compromising the personal email address of a new sales employee before that employee's start date. The hackers then impersonated the employee and completed the first steps of Dragos' employee-onboarding process using the personal information stolen in that compromise.

After infiltrating Dragos' SharePoint cloud platform, the hackers reportedly downloaded “general use data” and accessed 25 intel reports that are normally available only to customers.

“Dragos' swift response prevented the threat group from achieving its objective — the deployment of ransomware — or to engage in further activity, such as lateral movement, escalating privileges, establishing persistent access, or making changes to any Dragos infrastructure[…]No Dragos systems were breached, including anything related to the Dragos Platform,” the company noted. 

Because of role-based access control (RBAC) rules, the threat actors were unable to reach several Dragos systems during the 16 hours they held the employee's account, including its messaging, IT helpdesk, finance, request for proposal (RFP), employee recognition, and marketing systems.

Eleven hours into the attack, having failed to break into the company's internal network, the attackers sent an extortion email to Dragos executives. Because the message arrived after business hours, it was not read until five hours later.

Within five minutes of reading the extortion message, Dragos disabled the compromised user account, terminated all active sessions, and blocked the hackers' infrastructure from reaching company resources.

The cybercriminal group also tried to pressure the firm by threatening to make the incident public, sending emails to CEOs, senior employees, and family members of Dragos staff whose contact details are public.

One of the IP addresses listed in the IOCs, 144.202.42[.]216, had earlier been observed hosting SystemBC malware and Cobalt Strike, both frequently used by ransomware gangs for remote access to compromised systems.
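Published indicators like the one above are usually defanged (`[.]` in place of `.`) so they cannot be clicked by accident, which means a defender has to refang them before searching their own telemetry. The following is an added example, not Dragos' tooling or any code from the post: it refangs the indicator quoted above and matches it against egress log lines that are constructed here for illustration (the timestamps, internal addresses and the second-level IPs are invented). Matching is done on parsed IP addresses rather than substrings so that a neighbouring address such as 144.202.42.2 does not produce a false hit.

```python
"""Added example: match a defanged network IoC against sample egress logs.

Illustrative code written for this page, not Dragos' own tooling. The
indicator 144.202.42[.]216 is the one quoted in the post; every log line
below is constructed for the example and does not describe real traffic.
"""
import ipaddress
import re


def refang(ioc: str) -> str:
    """Restore a defanged indicator to its literal form before matching."""
    return (ioc.replace("[.]", ".")
               .replace("(.)", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


# Constructed sample egress log lines (firewall/proxy style), not real data.
SAMPLE_LOGS = [
    "2023-05-08T14:02:11Z src=10.20.1.15 dst=144.202.42.216 dport=443 action=allow",
    "2023-05-08T14:02:12Z src=10.20.1.15 dst=142.250.74.46 dport=443 action=allow",
    "2023-05-08T14:03:40Z src=10.20.1.22 dst=144.202.42.216 dport=8080 action=allow",
    "2023-05-08T14:05:01Z src=10.20.1.30 dst=144.202.42.2 dport=443 action=allow",
]

# Extract the destination address from a "dst=a.b.c.d" field.
IP_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def find_ioc_hits(log_lines, defanged_iocs):
    """Return (line, matched_ioc) for every line whose dst= IP is an IoC.

    Comparison uses ipaddress objects, so "144.202.42.2" is not mistaken
    for the indicator "144.202.42.216" the way a substring search could.
    """
    iocs = {ipaddress.ip_address(refang(i)) for i in defanged_iocs}
    hits = []
    for line in log_lines:
        m = IP_RE.search(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed octet, skip rather than crash the sweep
        if dst in iocs:
            hits.append((line, str(dst)))
    return hits


if __name__ == "__main__":
    for line, ioc in find_ioc_hits(SAMPLE_LOGS, ["144.202.42[.]216"]):
        print(f"IOC {ioc} seen: {line}")
```

In practice the indicator list would come from the vendor's IoC feed and the log lines from a SIEM query; the point of the example is the refang step and the exact-address comparison, both of which are easy to get wrong in an ad-hoc grep.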

"While the external incident response firm and Dragos analysts feel the event is contained, this is an ongoing investigation. The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable," Dragos said.

Latest Activity in Dragos Tracked Activity Groups

This year, Dragos is tracking three new Activity Groups and has also observed new activity from three existing Activity Groups: KAMACITE, WASSONITE, and STIBNITE. According to the sources, the updates on those three AGs are as follows:

KAMACITE: KAMACITE, active since 2014, has been linked to Russian military intelligence operations by many government and third-party groups. It uses GREYENERGY, a modular malware family and the successor to BLACKENERGY. GREYENERGY is associated with two different dropper variants, both of which Dragos discovered in the wild this year, one in March 2021 and the other in August 2021. Because GREYENERGY's modular structure is comparable to BLACKENERGY's, Dragos believes it could gain ICS-specific components in the future. The GREYENERGY dropper completes Stage 1, Install/Modify, of the ICS Cyber Kill Chain.

STIBNITE: In its 2020 campaigns, STIBNITE targeted wind turbine system firms in Azerbaijan. In its February 2021 campaigns it targeted Azerbaijani-speaking industry experts, researchers, and practitioners in environmental science, technology, and engineering. In March 2021 it continued to attack Azerbaijani government entities, notably the Azerbaijan Ministry of Ecology and Natural Resources, using an oil and gas spearphishing lure. Malwarebytes released a report describing spearphishing activity against an Azerbaijani government institution that utilised a State Oil Company of the Azerbaijan Republic (SOCAR) lure.

Dragos concluded with a high degree of confidence that STIBNITE is behind this activity. A recipient of the spearphishing message may unwittingly execute a macro in the attached document, which installs a new Python version of PoetRAT; Dragos has documented this as the fifth PoetRAT variant. The persistence approach in this version is identical to that of earlier versions, and the campaign's C2 infrastructure overlaps with previous STIBNITE campaigns.

WASSONITE: According to Dragos, in June 2021 multiple victims in the oil and gas, electric, and component manufacturing industries were detected communicating with a WASSONITE C2 server associated with the Appleseed backdoor. Appleseed is a multi-component backdoor that can capture screenshots, log keystrokes, and collect information from removable media and specific victim documents; it can also upload and download files and run follow-on tasks from the C2 server. WASSONITE previously used DTRACK to infect India's Kudankulam Nuclear Power Plant (KKNPP).

Dragos found and analyzed two Appleseed backdoor variants. Examining Appleseed's network connection mechanism, Dragos discovered a hardcoded IP address for the C2 domain. Dragos then shifted its focus to network telemetry, discovering many victims in three ICS industries that were communicating with the WASSONITE C2 server linked to Appleseed infections.

Dragos assesses with moderate confidence that the Appleseed backdoor infected five ICS verticals. Dragos had previously observed WASSONITE tooling and behavior aimed at a variety of ICS organizations, including electric generation, nuclear energy, manufacturing, and space-centric research companies.

VANADINITE: In July, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued an alert about a People's Republic of China (PRC) state-sponsored campaign that targeted US oil and natural gas firms between 2011 and 2013.

The US Department of Justice has issued indictments linking VANADINITE-related operations to operators working for the PRC. Dragos hunters have observed more recent activity from this AG, but no details are available at this time as the investigation into that activity continues.