Cybersecurity company Dragos discloses cybersecurity incident, extortion attempt

Industrial cybersecurity company Dragos today disclosed what it describes as a “cybersecurity event” after a known cybercrime gang attempted to breach its defenses and infiltrate the internal network to encrypt devices.

While Dragos states that the threat actors did not breach its network or cybersecurity platform, they gained access to the company’s SharePoint cloud service and contract management system.

“On May 8, 2023, a known cybercriminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform,” the company said.

“The criminal group gained access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process.”

After breaching Dragos’ SharePoint cloud platform, the attackers downloaded “general use data” and accessed 25 intel reports that are usually only available to customers.

During the 16 hours they had access to the employee’s account, the threat actors failed to also access multiple Dragos systems, including its messaging, IT helpdesk, financial, request for proposal (RFP), employee recognition, and marketing systems, because role-based access control (RBAC) rules blocked them.

Incident timeline (Dragos)

After failing to breach the company’s internal network, they sent an extortion email to Dragos executives 11 hours into the attack. The message was read 5 hours later because it was sent outside business hours.

Five minutes after reading the extortion message, Dragos disabled the compromised user account, revoked all active sessions, and blocked the cybercriminals’ infrastructure from accessing company resources.

“We are confident that our layered security controls prevented the threat actor from accomplishing what we believe to be their primary objective of launching ransomware,” Dragos said.

“They were also prevented from accomplishing lateral movement, escalating privileges, establishing persistent access, or making any changes to the infrastructure.”

The cybercrime group also attempted to extort the company by threatening to publicly disclose the incident in messages sent through public contacts and personal emails belonging to Dragos executives, senior employees, and their family members.

“While the external incident response firm and Dragos analysts feel the event is contained, this is an ongoing investigation. The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable,” Dragos said.

One of the IP addresses listed in the IOCs (144.202.42[.]216) was previously spotted hosting SystemBC malware and Cobalt Strike, both commonly used by ransomware gangs for remote access to compromised systems.

CTI Researcher Will Thomas from Equinix told BleepingComputer that SystemBC has been used by many ransomware gangs, including Conti, ViceSociety, BlackCat, Quantum, Zeppelin, and Play, making it difficult to pinpoint which threat actor is behind the attack.

Thomas said that the IP address has also been seen used in recent BlackBasta ransomware attacks, possibly narrowing down the suspects.

A Dragos spokesperson said they’d reply later when BleepingComputer reached out for more details on the cybercrime group behind this incident.