CUSTOMER
One of the largest players in the gig economy, operating an online platform on which customers place orders for transportation services.
In a nutshell
Our client had fallen victim to a ransomware attack delivered by e-mail: the attackers had gained access to and control over a number of sensitive company databases and threatened to compromise external services and corrupt the data.
We were asked to join a remote international incident response team composed of cybersecurity experts with different backgrounds and skill sets from all over the world. The challenge was a multifaceted one: the client requested incident forensics on multiple servers to assess the whole situation, together with simultaneous security hardening of the organization to prevent further compromise of company assets. We had to carry out our work while the threat actors were still present and active in the client's corporate environment. Despite the highly dynamic nature of the engagement, intensive 24/7 collaborative work by the whole international team allowed us to curb the excessive risk and gain time for further defensive action.
PROCESS
Over a total of three weeks, three teams working in consecutive 8-hour shifts, each headed by a certified incident forensics investigator, followed a cohesive plan with delegated tasks and provided real-time status updates for managing the incident. For a successful resolution we performed several types of work:
- Deep forensics of both the client's infrastructure and its critical assets, looking for signs of advanced persistent threats and other malicious activity;
- Real-time infrastructure monitoring and processing of a large volume of logs from security systems;
- Isolation of systems to preserve and collect evidence, and migration of all the client's critical systems to the cloud to minimize the impact on the business;
- Active penetration testing of the core application to identify actual and potential entry points.
During our investigation we found both the threat actor's footprints and multiple security misconfigurations that could have enabled the compromise. After performing a full-scope compromise assessment of the client's infrastructure, we prepared a detailed report with recommendations to improve the client's cyber resilience.
Wi-Fi attack scenario: this scenario boils down to setting up a rogue access point with a fake captive portal, knocking clients off the legitimate access point with a DoS attack (typically a flood of deauthentication frames), and using the rogue access point to harvest login credentials for the WPA-Enterprise network.
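The defender's view of that scenario is a wireless intrusion detection check: a beacon for the corporate SSID from a BSSID that is not one of our access points (or one that advertises a weaker security mode than 802.1X) is an evil twin, and a burst of deauthentication frames claiming to come from a legitimate BSSID is the DoS that drives clients to it. The following is an added example written for this page, not code from the engagement or from the client; the frame records, the BSSIDs, the `corp-wifi` SSID, the `KNOWN_APS` inventory and the flood threshold are all constructed assumptions, and in practice the frames would come from a monitor-mode capture.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Frame:
    """Minimal view of an 802.11 management frame (constructed for this example)."""
    ts: float            # capture timestamp, seconds
    subtype: str         # "beacon" or "deauth"
    bssid: str           # transmitter/BSSID as seen on the air (spoofable!)
    ssid: str = ""       # beacons only
    akm: str = ""        # beacons only: "802.1X" (enterprise), "PSK" or "open"
    dst: str = ""        # deauth only: targeted station or broadcast


# Assumed inventory of our own access points: SSID -> set of legitimate BSSIDs.
KNOWN_APS = {"corp-wifi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}
REQUIRED_AKM = "802.1X"  # corp-wifi is WPA-Enterprise; anything weaker is suspect


def find_rogue_aps(frames, known=KNOWN_APS, required_akm=REQUIRED_AKM):
    """Return {bssid: reason} for beacons that impersonate a managed SSID.

    Two signals: the BSSID is not in our inventory (classic evil twin), or a
    known BSSID is suddenly advertising a weaker security mode than expected
    (either a misconfiguration or a clone reusing our MAC address).
    """
    rogues = {}
    for f in frames:
        if f.subtype != "beacon" or f.ssid not in known:
            continue
        if f.bssid not in known[f.ssid]:
            rogues[f.bssid] = f"unknown BSSID advertising {f.ssid} (akm={f.akm})"
        elif f.akm != required_akm:
            rogues[f.bssid] = f"known BSSID for {f.ssid} advertising akm={f.akm}"
    return rogues


def find_deauth_floods(frames, window=1.0, threshold=10):
    """Return {bssid: max_count} for BSSIDs that sent >= threshold deauth
    frames inside any sliding window of `window` seconds.

    Deauth frames are unauthenticated (absent 802.11w), so the attacker simply
    spoofs the legitimate BSSID as the source; a flood "from" our own AP is
    therefore exactly what the attack looks like.
    """
    by_bssid = defaultdict(list)
    for f in frames:
        if f.subtype == "deauth":
            by_bssid[f.bssid].append(f.ts)

    floods = {}
    for bssid, times in by_bssid.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):
            while t - times[j] > window:   # shrink window from the left
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            floods[bssid] = best
    return floods


# Constructed sample capture: three legitimate-looking beacons, one evil twin
# (same SSID, foreign BSSID, open network), a 15-frame deauth burst spoofing
# AP #1 within half a second, and a few benign, widely spaced deauths from AP #2.
SAMPLE_FRAMES = [
    Frame(0.0, "beacon", "aa:bb:cc:00:00:01", "corp-wifi", "802.1X"),
    Frame(0.1, "beacon", "aa:bb:cc:00:00:02", "corp-wifi", "802.1X"),
    Frame(0.2, "beacon", "de:ad:be:ef:00:01", "corp-wifi", "open"),   # evil twin
    Frame(0.3, "beacon", "11:22:33:44:55:66", "guest", "PSK"),        # not ours, ignored
]
SAMPLE_FRAMES += [
    Frame(1.0 + i * 0.03, "deauth", "aa:bb:cc:00:00:01", dst="ff:ff:ff:ff:ff:ff")
    for i in range(15)
]
SAMPLE_FRAMES += [
    Frame(5.0 + i * 2.0, "deauth", "aa:bb:cc:00:00:02", dst="00:11:22:33:44:55")
    for i in range(3)
]

if __name__ == "__main__":
    for bssid, why in find_rogue_aps(SAMPLE_FRAMES).items():
        print(f"ROGUE AP  {bssid}: {why}")
    for bssid, n in find_deauth_floods(SAMPLE_FRAMES).items():
        print(f"DEAUTH FLOOD from {bssid}: {n} frames in a 1 s window")
```

The two checks are deliberately independent: an evil twin can be left running quietly without any deauth flood, and a deauth flood can be used on its own purely for disruption, so alerting on either is the right default. The durable fix for the flood half is 802.11w (Protected Management Frames), which makes spoofed deauthentication frames fail authentication at the client; for the captive-portal half it is client-side server certificate validation on the 802.1X/EAP exchange, so that a rogue RADIUS server cannot harvest credentials.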
RESULTS
Through a coordinated team response, we improved visibility into the incident and enabled our client to manage the response with greater control, higher efficacy, and a shorter time between threat detection and elimination. During the investigation we discovered multiple critical misconfigurations that could have served as entry points for malicious actors. We hardened the systems, allowing operations to return to normal, and informed our client which systems had been compromised. All findings were documented with suggested actions to close the gaps in line with cybersecurity best practices.