This is how we discovered a cyber attack before it was too late

11 February, 2020

In early September 2019, our security analysts discovered suspicious traffic patterns in one of our customers' networks. On closer examination, unencrypted web traffic was observed to an external IP with a negative reputation, from which one of the customer's PCs downloaded both .exe files and an abnormal number of text documents.

By putting this into a larger context and widening the scope of the investigation, deviations from the normal usage patterns of mail traffic from the internal PC emerged. You can read more about this hacker campaign in Checkpoint's research paper published October 16th, 2019.

With these findings, our Pedab analysis team initiated further investigations to identify what had happened.

By examining the customer's logs in our SIEM tool, our analysts were quickly able to determine that the machine was a member of a botnet. No further spread within the customer's systems could be detected. Based on threat intelligence and their own investigation, the analysts found that the downloaded text files were full of account details, most likely originating from known email and password leaks on the Internet.

Further investigation revealed that the infected PC had generated an abnormally high number of DNS requests, as well as a very high number of connections to external mail servers. The team formed the suspicion that this was a "sextortion" campaign, in which one of the customer's PCs was being used as a tool to send blackmail emails to thousands of email addresses.
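The indicators the analysts correlated above (a plain-HTTP download from a low-reputation IP, an abnormal DNS query volume, and direct SMTP connections to many distinct external mail servers) can be expressed as a simple hunt over firewall connection logs. The Python below is an added example, not code from the original post or from Pedab's SIEM. The log lines are constructed, and the 10.0.0.0/8 internal range, the watchlist IP 198.51.100.200 and the thresholds are assumptions an analyst would replace with their own environment's values.

```python
"""Hunt a firewall connection log for a workstation that behaves like a spam
bot.  Added example, not the article's own or Pedab's SIEM content.  It
checks the three indicators described in the text: a download from an IP
with a bad reputation, an abnormally high DNS query volume, and direct SMTP
connections to many distinct external mail servers.  Ordinary workstations
hand mail to the internal relay and never speak SMTP to the Internet."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL = ip_network("10.0.0.0/8")        # assumed corporate address space
BAD_REPUTATION = {"198.51.100.200"}         # assumed threat-intel watchlist
SMTP_PORTS = {25, 465, 587}


def build_sample_log():
    """Constructed log lines, '<timestamp> <src> <dst> <dst_port> <proto>'."""
    lines = []
    for host in ("10.0.0.5", "10.0.0.7", "10.0.0.9"):      # ordinary workstations
        for i in range(20):
            lines.append(f"2019-09-02T08:{i:02d}:00 {host} 10.0.0.2 53 udp")
        for i in range(10):
            lines.append(f"2019-09-02T08:{i:02d}:30 {host} 93.184.216.34 443 tcp")
        lines.append(f"2019-09-02T08:59:00 {host} 10.0.0.25 587 tcp")  # internal relay
    bot = "10.0.0.42"
    # Plain-HTTP download from a low-reputation IP (the .exe and address lists).
    lines.append(f"2019-09-02T07:55:00 {bot} 198.51.100.200 80 tcp")
    # One MX lookup per target domain, then direct SMTP to each mail server.
    for i in range(400):
        lines.append(f"2019-09-02T09:{i // 60:02d}:{i % 60:02d} {bot} 10.0.0.2 53 udp")
    for i in range(300):
        mx = f"203.0.113.{i + 1}" if i < 250 else f"198.51.100.{i - 249}"
        lines.append(f"2019-09-02T10:{i // 60:02d}:{i % 60:02d} {bot} {mx} 25 tcp")
    return lines


def parse_line(line):
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def summarize(lines):
    """Per source host: DNS queries, external SMTP connections, distinct mail
    servers contacted, and hits on the reputation watchlist."""
    stats = defaultdict(lambda: {"dns": 0, "smtp": 0, "mx": set(), "bad_rep": set()})
    for line in lines:
        rec = parse_line(line)
        s = stats[rec["src"]]
        external = ip_address(rec["dst"]) not in INTERNAL
        if rec["port"] == 53:
            s["dns"] += 1
        elif rec["port"] in SMTP_PORTS and external:
            s["smtp"] += 1
            s["mx"].add(rec["dst"])
        if rec["dst"] in BAD_REPUTATION:
            s["bad_rep"].add(rec["dst"])
    return stats


def find_spam_bots(lines, min_smtp=50, min_mx=20, dns_factor=5):
    """Return {host: [reasons]} for hosts deviating from the fleet baseline.
    The DNS threshold is relative to the median host, so a single noisy
    machine does not drag the baseline up with it."""
    stats = summarize(lines)
    baseline = median(s["dns"] for s in stats.values()) or 1
    flagged = {}
    for host, s in sorted(stats.items()):
        reasons = []
        if s["bad_rep"]:
            reasons.append(f"traffic to low-reputation IP(s) {sorted(s['bad_rep'])}")
        if s["dns"] >= dns_factor * baseline:
            reasons.append(f"{s['dns']} DNS queries vs fleet median {baseline:.0f}")
        if s["smtp"] >= min_smtp and len(s["mx"]) >= min_mx:
            reasons.append(f"{s['smtp']} direct SMTP connections to "
                           f"{len(s['mx'])} external mail servers")
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in find_spam_bots(build_sample_log()).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Run stand-alone, it prints only 10.0.0.42 with all three reasons; the three ordinary workstations, whose only port-587 traffic goes to the internal relay, stay silent. The SMTP check is the strongest of the three because a workstation has no legitimate reason to open port 25 to hundreds of different Internet hosts; the DNS and reputation hits corroborate it, which is the same order of evidence the analysts built up in the incident above.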

[Image: example of a similar extortion email. Source: Checkpoint, October 16, 2019]

Our Security Operations Center classified this as a risk of reputational and financial loss. The customer was notified of the case, and the analysts assisted them with action points to rectify the situation and put future security measures in place.

Over 90% of leaders are not prepared for how to deal with a cyber attack, yet attacks occur regularly. What we want to illustrate by sharing this story is that our security analysts were able to detect the abnormal traffic at an early stage, before others knew about the hacker campaign. In addition, we want to point out how important it is to have good analysts who know security and keep track of the traffic for you: it is not enough to have only a firewall or antivirus if no one has ownership of the solution, an overview of it, or the ability to interpret what it reports.

Learn more about our Pedab Security Services here.

Roger Ison-Haug, Security Division Leader, Pedab Group

What is sextortion? Sextortion means that the attacker sends an email demanding that the victim pay a ransom in Bitcoin, threatening to publish sexual video or private data of the recipient if payment is not received. To gain credibility with the victim, the attacker presents one of the victim's passwords at the beginning of the mail. The goal of this method is to make the victim feel unsafe and uncomfortable so that the person ends up paying. And it works: the criminals behind the campaign have received 14 bitcoin, equivalent to about $88,000.
Source: Checkpoint, October 16, 2019