PEDAB BLOG

This is how we discovered a cyber attack before it was too late

In early September 2019, our security analysts discovered suspicious traffic patterns in one of our customers' networks. On closer examination, unencrypted web traffic was observed to an external IP with a negative reputation, from which one of the customer's PCs downloaded both exe files and an abnormal number of text documents.

By putting this into a larger context and widening the scope of the investigation, deviations from normal usage patterns in mail traffic from the internal PC emerged. You can read more about this hacker campaign in Checkpoint's research paper published October 16th 2019.

With these findings, our Pedab analysis team initiated further investigations to identify what had happened.

By examining the customer's logs in our SIEM tool, our analysts were quickly able to determine that this machine was a member of a botnet. No further spread within the customer's systems could be detected. Based on threat intelligence and our own investigation, the analysts found that the downloaded text files were full of account details that most likely originated from known email and password leaks on the Internet.

Further investigation revealed that the infected PC had an abnormally high number of DNS requests, as well as a very high number of connections to external mail servers. The team suspected that this was a "sextortion" campaign, in which one of the customer's PCs was used as a tool to send blackmail emails to thousands of email addresses.
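To show what "an abnormally high number of DNS requests" and "a very high number of connections to external mail servers" look like as a detection rule, here is an added example that is not Pedab's tooling or SIEM content: it profiles flow records per internal host and flags hosts that exceed a baseline. The 10.0.0.0/8 address space, the log format and the thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed customer address space
MAIL_PORTS = {25, 465, 587}           # SMTP submission/relay ports

def parse_flow(line):
    """Parse 'timestamp src dst dst_port proto'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return parts[0], ip_address(parts[1]), ip_address(parts[2]), int(parts[3]), parts[4]
    except ValueError:
        return None

def profile_hosts(lines):
    """Per internal host: number of DNS queries and set of distinct external mail servers."""
    stats = defaultdict(lambda: {"dns_queries": 0, "mail_servers": set()})
    for _, src, dst, port, _ in filter(None, map(parse_flow, lines)):
        if src not in INTERNAL:
            continue  # only profile the customer's own hosts
        if port == 53:
            stats[src]["dns_queries"] += 1
        elif port in MAIL_PORTS and dst not in INTERNAL:
            stats[src]["mail_servers"].add(dst)  # direct-to-MX fan-out, not the corporate relay
    return stats

def flag_mail_bots(lines, dns_threshold=200, smtp_threshold=10):
    """Return {host: reason} for hosts exceeding either baseline; thresholds are assumed."""
    flagged = {}
    for src, s in profile_hosts(lines).items():
        reasons = []
        if s["dns_queries"] >= dns_threshold:
            reasons.append(f"{s['dns_queries']} DNS queries")
        if len(s["mail_servers"]) >= smtp_threshold:
            reasons.append(f"{len(s['mail_servers'])} distinct external mail servers")
        if reasons:
            flagged[str(src)] = "; ".join(reasons)
    return flagged

def constructed_flows():
    """Constructed flow records (not customer data): one normal PC, one spam bot."""
    flows = [f"2019-09-02T08:00:0{i} 10.0.0.23 10.0.0.2 53 udp" for i in range(3)]
    flows.append("2019-09-02T08:00:05 10.0.0.23 198.51.100.10 443 tcp")
    flows += [f"2019-09-02T08:01:{i % 60:02d} 10.0.0.17 10.0.0.2 53 udp" for i in range(250)]
    flows += [f"2019-09-02T08:02:{i % 60:02d} 10.0.0.17 203.0.113.{i + 1} 25 tcp" for i in range(40)]
    return flows
```

A real deployment would set the thresholds from each host's own history rather than fixed numbers, and would treat the corporate mail relay as the only expected SMTP destination for workstations.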

[Screenshot: example of a similar extortion email. Source: Checkpoint, October 16, 2019]

Our Security Operations Center classified this as a risk of reputational and financial loss. The customer was therefore notified, and the analysts assisted them with action points to rectify the situation and take future security measures.

Over 90% of leaders are not prepared for how to deal with a cyber attack, yet attacks occur regularly. What we want to illustrate by sharing this story is that our security analysts were able to detect the abnormal traffic at an early stage, before others knew about the hacker campaign. In addition, we want to point out how important it is to have good analysts, who know security, keeping track of the traffic for you – it is not enough to have only a firewall or antivirus if no one has ownership or an overview of the solution, or the ability to interpret what emerges.

Learn more about our Pedab Security Services here.

What is sextortion? Sextortion means that the hacker sends an email urging the victim to pay a ransom in the form of bitcoin. They threaten to expose sexual video or private data related to the recipient if payment is not received. They try to gain credibility with the victim by presenting one of the victim's passwords at the beginning of the mail. The goal of this method is to make the victim feel unsafe and uncomfortable so that the person ends up paying. And this works: the criminals behind the campaign have received 14 bitcoin, which is equivalent to about $88,000.
Source: Checkpoint, October 16, 2019

By: Henning Gaalaas

Henning is Sales Manager Europe, Pedab Security Services. He is at his best when working together with the customer and when he can make them feel safer. His passion is making security a catalyst for new business opportunities and getting business leaders to see the opportunities within security. Henning is also a highly skilled speaker. When he is not at work he spends a lot of time with family and friends at home and abroad. He also spends much time outdoors with a fishing rod in hand.