Industrial cybersecurity company Dragos today disclosed what it describes as a “cybersecurity event” after a known cybercrime gang attempted to breach its defenses and infiltrate the internal network to encrypt devices.
While Dragos says that the threat actors did not breach its network or cybersecurity platform, they gained access to the company’s SharePoint cloud service and contract management system.
“On May 8, 2023, a known cybercriminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform,” the company said.
“The criminal group obtained access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process.”
After breaching Dragos’ SharePoint cloud platform, the attackers downloaded “general use data” and accessed 25 intel reports that were normally only available to customers.
During the 16 hours they had access to the employee’s account, the threat actors also failed to reach several other Dragos systems, including its messaging, IT helpdesk, financial, request for proposal (RFP), employee recognition, and marketing systems, because role-based access control (RBAC) rules denied the account access to them.
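The RBAC behaviour described above is worth seeing as code: a deny-by-default policy stops a compromised onboarding account at every system its role does not list, and the string of denials that produces is itself a detection signal. The following is an added example written for this article, not Dragos’ code or policy; the role names, the role-to-system mappings, the timestamps and the request sequence are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical role-to-system policy, constructed for this example. The system
# names mirror those named in the article; the roles and mappings are assumed.
POLICY = {
    "new_hire_onboarding": {"sharepoint", "contract_management"},
    "sales": {"sharepoint", "contract_management", "rfp", "marketing"},
    "it_support": {"sharepoint", "helpdesk", "messaging"},
    "finance": {"sharepoint", "financial"},
}


@dataclass
class Account:
    user: str
    roles: set = field(default_factory=set)
    disabled: bool = False
    sessions: set = field(default_factory=set)


def is_allowed(account, system):
    """Deny by default: grant only if the account is enabled and one of its
    roles explicitly lists the system. Unknown roles and systems are denied."""
    if account.disabled:
        return False
    return any(system in POLICY.get(role, set()) for role in account.roles)


def authorize(account, system, ts, audit):
    """Evaluate one request, append an audit record and return the decision."""
    decision = is_allowed(account, system)
    audit.append({"ts": ts, "user": account.user, "system": system,
                  "allowed": decision})
    return decision


def flag_denial_sprees(audit, min_systems=3, window=3600):
    """Detection logic: report users denied on at least `min_systems` distinct
    systems within any `window`-second span (timestamps are in seconds).
    A freshly onboarded account probing helpdesk, finance and RFP systems in
    a row is exactly the pattern that RBAC denials surface."""
    denied = defaultdict(list)
    for rec in audit:
        if not rec["allowed"]:
            denied[rec["user"]].append((rec["ts"], rec["system"]))
    flagged = {}
    for user, events in denied.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {system for ts, system in events[i:]
                         if ts - start <= window}
            if len(in_window) >= min_systems:
                flagged[user] = sorted(in_window)
                break
    return flagged


def contain(account):
    """Containment steps matching the article: disable the account and revoke
    every active session. Returns the number of sessions revoked."""
    account.disabled = True
    revoked = len(account.sessions)
    account.sessions.clear()
    return revoked


def demo():
    """Replay a constructed request sequence from one onboarding account."""
    audit = []
    acct = Account("new.hire", {"new_hire_onboarding"}, sessions={"s1", "s2"})
    requests = [(0, "sharepoint"), (60, "contract_management"),
                (600, "helpdesk"), (900, "financial"), (1200, "rfp"),
                (1500, "marketing")]
    decisions = [authorize(acct, system, ts, audit) for ts, system in requests]
    flagged = flag_denial_sprees(audit)
    revoked = contain(acct)
    # After containment even the permitted system is refused.
    return decisions, flagged, revoked, is_allowed(acct, "sharepoint")


if __name__ == "__main__":
    print(demo())
```

Two design points carry the weight here: unknown roles and unlisted systems fall through to a denial rather than an exception, and every decision, allowed or not, is written to the audit list, because the denials are what make the spree visible.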
After failing to breach the company’s internal network, they sent an extortion email to Dragos executives 11 hours into the attack. The message was read five hours later because it was sent outside business hours.
Five minutes after reading the extortion message, Dragos disabled the compromised user account, revoked all active sessions, and blocked the cybercriminals’ infrastructure from accessing company resources.
“We are confident that our layered security controls prevented the threat actor from accomplishing what we believe to be their primary objective of launching ransomware,” Dragos said.
“They were also prevented from accomplishing lateral movement, escalating privileges, establishing persistent access, or making any changes to the infrastructure.”
The cybercrime group also attempted to extort the company by threatening to publicly disclose the incident in messages sent via public contacts and personal emails belonging to Dragos executives, senior employees, and their family members.
“While the external incident response firm and Dragos analysts feel the event is contained, this is an ongoing investigation. The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable,” Dragos said.
The criminals obviously grew frustrated because we never tried to contact them. Paying was never an option. They continued to contact me, threaten my family, and the families of many of our employees by their names. We hope sharing this can help other organizations prepare.
— Robert M. Lee (@RobertMLee) May 10, 2023
One of the IP addresses listed in the IOCs (144.202.42[.]216) was previously spotted hosting SystemBC malware and Cobalt Strike, both commonly used by ransomware gangs for remote access to compromised systems.
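Published IOCs arrive defanged, as the bracketed IP above does, so the first defender task is to refang them and sweep existing logs for any contact with that address. The block below is an added example for this article, not a Dragos tool; it uses the one IP the article names, and the firewall and proxy log lines it scans are constructed for the demonstration rather than taken from any real system.

```python
import ipaddress
import re

# The single IOC IP the article names, in the defanged form IOC lists use.
ARTICLE_IOCS = ["144.202.42[.]216"]

# Constructed firewall/proxy log lines for the demonstration (not real logs).
# Line 4 carries a different address sharing a prefix with the IOC and line 5
# an address that merely contains the IOC as a substring; neither should hit.
SAMPLE_LOGS = [
    "2023-05-08T14:02:11Z fw allow src=10.20.0.15 dst=144.202.42.216 dport=443",
    "2023-05-08T14:02:12Z fw allow src=10.20.0.15 dst=142.250.74.46 dport=443",
    "2023-05-08T14:05:40Z proxy GET https://144.202.42.216/ user=new.hire",
    "2023-05-08T14:06:03Z fw allow src=10.20.0.16 dst=144.202.42.2 dport=80",
    "2023-05-08T14:07:55Z fw allow src=10.20.0.17 dst=1144.202.42.216 dport=80",
]

# Dotted quad bounded by word boundaries, so partial and prefixed numbers
# are not picked up.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator):
    """Convert defanged dots ('[.]', '(.)', '{.}') back into real dots."""
    return re.sub(r"[\[({]\.[\])}]", ".", indicator)


def load_ioc_ips(indicators):
    """Refang and validate indicators, keeping only syntactically valid IPs.
    ipaddress normalises the text so matching is done on a canonical form."""
    ips = set()
    for ind in indicators:
        try:
            ips.add(str(ipaddress.ip_address(refang(ind).strip())))
        except ValueError:
            continue  # not an IP indicator (domain, hash, ...); skipped here
    return ips


def scan_logs(lines, ioc_ips):
    """Return (line_number, ip) for each log line that references an IOC IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in ioc_ips:
                hits.append((n, ip))
    return hits


def demo():
    """Sweep the constructed logs with the article's IOC."""
    return scan_logs(SAMPLE_LOGS, load_ioc_ips(ARTICLE_IOCS))


if __name__ == "__main__":
    for line_no, ip in demo():
        print(f"line {line_no}: contact with IOC {ip}")
```

The validation step matters in practice: an IOC list that has been copied through a chat or ticket often contains stray whitespace or a malformed entry, and silently skipping those is preferable to a scan that never runs.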
CTI researcher Will Thomas from Equinix told BleepingComputer that SystemBC has been used by multiple ransomware gangs, including Conti, ViceSociety, BlackCat, Quantum, Zeppelin, and Play, making it hard to pinpoint which threat actor is behind the attack.
Thomas said that the IP address has also been seen used in recent BlackBasta ransomware attacks, potentially narrowing down the suspects.
A Dragos spokesperson said they would respond later when BleepingComputer reached out for more details on the cybercrime group behind this incident.