Cyber security company CrowdStrike recently reviewed an incident from 2018 in which a corporate laptop was compromised at a coffee shop, outside of its client's corporate offices. The incident was part of CrowdStrike's Cyber Intrusion Services Casebook for 2018, which details how it occurred. It is a fantastic case study of how easily devices can be compromised and lead to a company-wide intrusion that has the potential to cost millions in damages and adversely affect the company itself.
Anatomy of the Attack
In 2018 a corporate laptop was used at a coffee shop over the weekend by one of the firm's employees. The employee attempted to visit one of the firm's partner sites, which is what kicked off the chain of events that led to the breach of the company's network. The employee had been directed to that site by a phishing email, and the site had been compromised by a malicious variant of software called FakeUpdates, a social engineering campaign that affects thousands of WordPress- and Joomla-based sites (WordPress and Joomla are website-building platforms that are very popular among web designers today).
This type of malware shows users pop-ups claiming that their browser software needs to be updated. In this case, the laptop was infected with further malicious software, the Dridex banking trojan, along with a series of PowerShell scripts used to exploit the Windows OS.
Because the firm's security software relied on devices being used inside the corporate network, the device was not effectively defended against the malicious software until it was too late. When the laptop was brought back to the office, it served as an entry point for the attackers to compromise the corporate network, allowing them to use the PowerShell exploit to gain access to multiple systems by taking advantage of the user's permissions.
By using a program called Mimikatz, the hackers were able to elevate their privileges, gain access to servers, and move further across the network. Local administrator privileges made it easier for the attackers to access multiple endpoints through a single account that linked them all together. Once access to the domain was gained, the organization was left completely exposed. The hackers were then able to install malicious software at will, stealing hundreds of credit card numbers and netting the group millions of dollars in illicit gains.
How Can You Defend Against Attacks?
In cases like the one described above, prevention is key. The infected laptop was not identified until it had already been brought back into the corporate office, and by then it was too late. Security programs that work only within the corporate environment are only useful if an employee's hardware stays inside that environment. If employees take their devices home with them, it is important to make sure those devices have security measures in place that protect them outside the corporate network as well as within it.
CrowdStrike also recommends that accounts be segregated and that end users not be given administrator privileges on their local systems. In this incident, the adversary abused a misconfiguration within the company's Active Directory that granted unnecessary privileges. Organizations should regularly review their Active Directory configurations across the entire global enterprise.
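As an added example (not from the CrowdStrike casebook or this post), here is a PowerShell script that audits the two kinds of privilege the recommendation above targets: membership of the local Administrators group on a workstation and membership of Domain Admins, flagging any account not on an approved list. The approved lists are placeholders for illustration, and the domain check assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example: audit local and domain administrator membership against an
# approved list. Requires Windows PowerShell 5.1+ (Get-LocalGroupMember) and the
# ActiveDirectory RSAT module for the domain check. The approved lists below are
# placeholders for illustration; replace them with your own.
$ApprovedLocalAdmins  = @('Administrator', 'CORP\Workstation Admins')   # assumed
$ApprovedDomainAdmins = @('Administrator', 'svc_break_glass')           # assumed

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved)
    # Members of the built-in Administrators group on this machine.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        # Name comes back as DOMAIN\user or COMPUTER\user; compare both forms.
        $short = ($_.Name -split '\\')[-1]
        if ($Approved -notcontains $_.Name -and $Approved -notcontains $short) {
            [pscustomobject]@{
                Scope  = 'Local'
                Member = $_.Name
                Type   = $_.ObjectClass      # User or Group
                Source = $_.PrincipalSource  # Local, ActiveDirectory, ...
            }
        }
    }
}

function Get-UnapprovedDomainAdmins {
    param([string[]]$Approved)
    Import-Module ActiveDirectory -ErrorAction Stop
    # -Recursive expands nested groups, which is how unnecessary privilege
    # usually creeps in: a user sits in a group that sits in Domain Admins.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive | ForEach-Object {
        if ($Approved -notcontains $_.SamAccountName) {
            [pscustomobject]@{
                Scope  = 'Domain'
                Member = $_.SamAccountName
                Type   = $_.objectClass
                Source = 'Domain Admins'
            }
        }
    }
}

$findings  = @(Get-UnapprovedLocalAdmins  -Approved $ApprovedLocalAdmins)
$findings += @(Get-UnapprovedDomainAdmins -Approved $ApprovedDomainAdmins)

if ($findings.Count -eq 0) {
    Write-Output 'No unapproved administrator memberships found.'
} else {
    # Each row is one account to review and, in most cases, remove.
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt on each workstation (or through your endpoint management tool) and treat every row it prints as a privilege to justify or revoke.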
Having an IT team outside of your organization dedicated to your IT security and infrastructure is also a wise investment. Natural Networks' Managed IT is a solution that provides companies - whether or not they have a dedicated IT team - with a group of experienced IT professionals who can identify security problems, review your computers' permissions, and provide a security solution that protects your devices inside and outside your network. Attacks are happening every hour of every day - investing in preventive security will save your organization thousands of dollars later.