A threat actor targeted the cybersecurity company Dragos in an attempt to deploy ransomware and extort the business. Dragos shared what happened during the failed attempt to help other businesses that could face a similar situation.
“On May 8, 2023, a known cybercriminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform,” the company said.
Dragos detailed on its blog how a threat actor entered the company’s systems through a previously compromised email account belonging to a recently hired employee. They used this access to pose as the new employee and reach SharePoint and the Dragos contact management system resources that are “usually used” by new sales staff. They also accessed a report containing a customer’s IP address, which prompted Dragos to contact that customer immediately.
After breaching Dragos’ SharePoint cloud platform, the attackers downloaded “general use data” and accessed 25 intel reports that were usually only available to customers.
During the 16 hours they had access to the employee’s account, the threat actors failed to reach several other Dragos systems, including its messaging, IT helpdesk, financial, request for proposal (RFP), employee recognition, and marketing systems, because role-based access control (RBAC) rules blocked them, according to the reports.
The organization believes that spotting the intruder in time allowed it to prevent any significant damage.
According to the blog, the threat actor was trying to deploy ransomware, and “we are sure that our multilayer security safeguards prevented them from doing that,” it said.
Additionally, they could not move laterally, escalate privileges, establish persistent access, or make any changes to the infrastructure.
The attackers then tried to extort the business in exchange for the stolen data. Soon after, they used WhatsApp to contact company executives and threatened to disclose private information on the dark web. One of the messages read, “WE HAVE EVERYTHING.”
Because the business did not yield, the attackers eventually resorted to referencing executives’ family members and contacting other Dragos contacts to elicit a response.
“We are confident that our layered security controls prevented the threat actor from accomplishing what we believe to be their primary objective of launching ransomware,” Dragos said.
“They were also prevented from accomplishing lateral movement, escalating privileges, establishing persistent access, or making any changes to the infrastructure,” the company added.
The blog also notes that the investigation is ongoing, even though the external incident response firm and Dragos analysts believe the incident is contained.
They wrote, “It is terrible that the data was destroyed and is likely to become public since we refused to pay the extortion. Our objective is that by highlighting the adversary’s tactics, people may think of new ways to defend against them and avoid falling prey to similar tactics.”
“While the external incident response firm and Dragos analysts feel the event is contained, this is an ongoing investigation. The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable,” Dragos said.