Share this post

🔑 Key Takeaways

  1. Restricting administrative access, securing sensitive areas, and having an incident response team are crucial steps in maintaining network security and protecting the business from insider threats.
  2. It's important to maintain good communication and have necessary resources in place to respond promptly to potential threats, especially when alerted by a reliable source like a security service. Acting quickly can prevent further damage and minimize risks.
  3. MSPs use a jump server to remotely monitor and fix network faults, but may hesitate to provide access in case of a breach. Digital forensics analysts examine the compromised server to identify abnormal activities and malware.
  4. Check for common intrusion points and quickly identify potential attacks. Develop an incident response plan to reduce damage. Employ security measures, such as updates and password protection, and share incidents with business leaders to prevent disruptions.
  5. Digital forensic analysts must communicate efficiently, scan files, analyze them with various tools, and look for clues such as signed binaries and DLL side-loading to detect security breaches. Implementing preventive measures can be costly but are crucial in avoiding major breaches.
  6. Identifying and analyzing malicious DLL files can help investigate security breaches and prevent future breaches by tracing the evidence path. Memory analysis assists in finding actively running programs.
  7. Vigilance and maintenance of network security is crucial as even legitimate tools can be used by threat actors to blend in with normal traffic. Don't let seemingly harmless messages fool you and report any suspicious activity immediately.
  8. MSPs and service providers must prioritize strong security measures to protect their customers from nation-state attackers who have multiple teams and objectives in a single operation. Supply chain security should be a critical part of any organization's security strategy.
  9. Companies must secure their Managed Service Providers to protect against cyber espionage and safeguard sensitive information from being stolen by sophisticated hackers, including those associated with government organizations.
  10. Governments and companies must adhere to established international commitments and cyber rules. In the event of a breach, immediate action such as resetting Active Directory and cutting ties with MSPs should be taken. Stealing intellectual property is illegal and must be punished.

📝 Podcast Summary

The Risks of Unrestricted Access to Key Personnel in the Workplace

The person with administrative access to the core machines in the workplace may hold immense power that can be destructive to the business when used maliciously. It is therefore vital to ensure that unauthorized persons do not have admin access to the network. Another powerful person in the office is the overnight janitor who has access to every room in the building, including the CEO's office. With the opportunity and capability for spying, the janitor could pose a significant threat if their key ring were to fall into the wrong hands. This story emphasizes the importance of network security and the need for businesses to have incident response teams that can investigate and remediate any network intrusions.

Importance of Immediate Action in Response to Potential Threats

When a reliable source like the Swedish Security Service notifies you about a potential threat, it is wise to take immediate action. In this case, the company was alerted about a computer that was communicating with a known bad actor, a command and control server. This means that the computer is probably infected with malware. The company's jump server, which was managed by the MSP, was also found to be communicating with the same IP addresses. Therefore, it is crucial to maintain good communication and ensure all parties are aligned to eliminate potential threats quickly. Organizations should always have the necessary equipment and tooling ready to respond promptly to such incidents.

Understanding the Role of MSPs and Digital Forensics in Network Security

Managed Service Providers monitor and fix faults remotely, which requires reliable access to all the computers in the network. They use a jump server which connects to all servers in the network and is used by the MSP to access important servers. In case of a breach, MSPs might be defensive and reluctant to give access due to SLAs with customers. However, as the breached server was owned by the company and not the MSP, they eventually provided access. Digital forensics analysts need to know how computers normally work to spot abnormal activities. Windows directories, processes, and programs were examined to search for malware in the compromised jump server.

Key Steps to Mitigate Cyber Attacks

Manual checking of common intrusion points and quick identification of smoking guns can help contain a potential cyber attack. Immediate escalation and establishment of a proper incident response plan is crucial in mitigating the damage. Tools such as building a timeline of all files created or accessed can aid in identifying the attack's source and extent of damage. Sharing the incident with business leaders is necessary to mitigate potential disruptions to the company's operations. Employing updated security measures such as patched systems and password protection can prevent the exploitation of vulnerabilities, such as Windows' password flaw.

The Importance of Effective Communication and Scaling in Digital Forensics Investigations.

Digital forensics analysts need to communicate effectively and scale the investigation when dealing with security breaches. Finding security breaches is a long, meticulous process that involves scanning files and analyzing them using various tools. When conducting an investigation, it is vital to look for clues such as signed binaries, which verify the authenticity of files, and DLL side-loading, an attack technique where DLL files are placed in a specific position to exploit programs' order of operation. This technique is particularly challenging for antivirus scans to pick up since the programs running are fine, but their called files are malicious. Implementing preventative measures can be costly but crucial for large organizations.

Importance of Identifying Malicious DLL Files in Security Breaches.

Identifying malicious DLL files on a server is crucial in investigating a security breach. Once found, it is important to determine how the malware got onto the system and if anything is currently running. Taking the right actions during an investigation is crucial to avoiding tough decisions of shutting down the system or continuing the investigation. Memory analysis is a useful tool in finding actively running programs. During an investigation, it is important to follow the path of evidence to discover the source of the attack and to prevent future security breaches.

Nation state actor attempts to breach US Department of Defense through a third-party network.

A nation state actor attempted to breach the US Department of Defense by scanning for open file-sharing connections with a company's network. The customer was not the primary target, and the nation state actor quickly dropped the attempt once they realized they could not go to their final target. They eventually logged back in and installed new malware and tools that talk to a different command and control server. The use of legitimate tools like NBTscan and the empty p.txt file suggest a deliberate attempt to blend in with normal network traffic. This emphasizes the importance of maintaining network security and being vigilant for any suspicious activity, as even seemingly harmless messages like 'LEAVE ME HERE' may have hidden meanings.

Sophisticated Cyber Attack on Global MSP Demonstrates Importance of Supply Chain Security

The PlugX RAT, which is still used by different threat actors based in China, was part of a sophisticated attack that involved multiple teams and led to a major breach at a global MSP. The attackers stole credentials from an MSP employee, used them to gain access to the MSP's network, and eventually compromised many of the MSP's customers using key loggers. This incident highlights the importance of supply chain security, as well as the need for MSPs and other service providers to have strong security measures in place to protect their customers. It also demonstrates the level of sophistication and persistence that can be expected from nation-state attackers, who may have multiple teams and objectives in a single operation.

APT10 Hacks MSPs to Steal Sensitive Business Data

APT10, a Chinese hacking group associated with the Ministry of State Security, used sophisticated methods to breach dozens of companies worldwide, including Managed Service Providers (MSPs). By accessing MSPs, the group stole sensitive business data, including intellectual property and confidential information, from clients, including US government agencies, Navy personnel records, and telecom giant Ericsson. Attackers targeted specific companies with shared connections to the Department of Defense, allowing them to hack indirectly into the DoD network. The attack highlights the importance of securing MSPs, which are trusted to store, process, and protect commercial data. Governments around the world use cyber espionage to gather intelligence on other countries, and companies must be prepared to protect themselves against these threats.

Protecting Intellectual Property in Cyberspace

Governments using hacking as a means to steal intellectual property from private companies is straight-up theft and violates international commitments. While the rules of cyberspace are still forming, it will only work with nations who agree to abide by the rules. In the event of an infection, resetting Active Directory and introducing active monitoring and EDR tooling is necessary. Companies should also consider cutting ties with MSPs that may compromise their infrastructure. Targeting MSPs to go after their customers is a smart move for threat actors. Those who steal intellectual property from US firms must face charges, even if they are hiding out somewhere.