Keeping the best till last − our cyber-crime advent story for 2020 [part 1]

Author
Michelle Gehri
Published
01. December 2020

There's no question about it – the year 2020 will go down in history. Even after so many months, coronavirus still has us firmly in its grip. What does this have to do with cyber security? Once again, cyber viruses have also had a strong impact on the year, and in all likelihood we will not be spared in 2021 either.

Once again this year, our InfoGuard cyber security experts have seen, experienced and also been amazed by a whole host of things. Cyber-attacks may be "scary", but they are also very interesting. In a three part story, our experts will tell you which stories in particular have stayed in their minds.

At the end of May, late one evening at 10:30 pm, our InfoGuard specialists received an alert. It was an emergency that required immediate attention. In fact, it was already clear that not only confidential data was being misused and encrypted, but also the entire network was affected. The hacker had already graciously contacted the company. A ransom of approximately one million Swiss francs was being demanded; otherwise, the data would not only remain encrypted, but would also be published and sold on the Dark Web. An absolute nightmare for any company!

So experienced experts were needed to carry out further analysis and restore the entire operation, which is why InfoGuard called in the CSIRT (Computer Security Incident Response Team). The experts did not want to lose any time, and immediately set off on their way to the customer that had been affected. The relevant authorities were contacted at the same time. But one thing at a time…

People − the weakest link in cyber security

As is the case in so many cyber-attacks, the initial "trigger" was the human element, an employee. Not in the sense that the person was the attacker, but rather they served as a gateway. In this case it was an unspectacular application for a vacant position that ended up in the HR team's e-mail inbox, including an attached CV. When the Word file was opened, a warning message appeared about activating a macro. The employees had indeed been made aware of cyber risks. But who would have thought of the idea of sending a virus in the form of an application? The employee activated the macro without a second thought − and he actually saw a CV in front of him. However, there was some-thing he could not see. Thanks to the activation, the trojan "Emotet" was able to gain entry to the company network. Paradoxically, this was months before the actual attack occurred!

Because (cyber) disasters never happen in isolation!

The trojan Emotet, which already caused a stir last year, records e-mail traffic amongst other things. This then enables it to create targeted spam e-mails or phishing e-mails – just as happened in the case we are describing.

As if Emotet alone were not able to inflict enough damage, the malware "Trickbot" is often uploaded. Trickbot works as a kind of spy with a preference for domain admin accounts, and primarily steals login credentials. This means that the software effectively has a skeleton key which allows it to access all data and systems. And yes, this is really every bit as bad as it sounds…

1 + 1 = Ryuk

For the next step, Emotet showed what it is really capable of. Using the data collected, the Trojan was able to create new, context-sensitive phishing e-mails. In this case, a marketing employee received an e-mail from the printers they had been working with for years. The e-mail mentioned a special offer, but it was a strictly limited one. What she couldn't know was that the sender was not the printer at all; it was a professional group of hackers. A new order was due soon, so the employee clicked on the link, but she was disappointed when she noticed that the offer was not available any-more. What a shame!

The attacker’s path was clear thanks to her click and could rejoice in that fact. In the background another malware was downloaded; this time it was the ransomware "Ryuk". This notorious encryption software was immediately installed and got to work. Ryuk not only encrypts all data, but also changes system configurations. This is because, thanks to Trickbot, the attacker also had the ability to access all systems and backups.

Phishing? You could be the next victim!

Phishing is one of the most common attack methods, and unfortunately it is also one of the most successful ones. Hence, the first step towards achieving effective cyber security is creating security awareness among staff. Obviously, the staff also knew what a phishing e-mail is and what you need to be looking out for. The problem is that these days, it is getting harder to identify phishing e-mails. As in the case described above, spear phishing was used to specifically target personal information that attackers would appear to be unable to know. Emotet working in conjunction with Trickbot was able to search through all data, including e-mails, so they knew all about the supplier relationship and the Christmas campaign. Scary, isn't it?

infoguard-phishing-poster-preview-transparent-en

That's why our cyber security experts have created a phishing poster for you. In it you will find a multitude of tips and tricks that you and your colleagues may not be aware of. Download it now for free!

Download now!

And if you want to know how our story turns out and what challenges the customer and our CSIRT had to face, don't miss the second part. We will continue next Friday!

Share article