Dragos faced a failed extortion attempt after a cybercriminal group compromised a new sales employee’s personal email to access internal resources, but Dragos systems and controls remained uncompromised. The company blocked the account, engaged CrowdStrike and an MDR provider, and implemented enhanced onboarding verification and continuous monitoring to prevent ransomware and lateral movement.
Keypoints
- Extortion attempt against Dragos occurred on May 8, 2023, with no Dragos systems breached.
- The attackers compromised a new sales employee’s personal email before their start date to impersonate them in onboarding steps.
MITRE Techniques
- [T1078] Leverage Valid Accounts – With the new hire’s compromised personal mailbox and personal details, the group impersonated them and completed the first onboarding steps as that legitimate identity. ‘The group gained access by compromising the personal email address of a new sales employee prior to their start date’
- [T1621] Multi-Factor Authentication Request Generation – The article emphasizes MFA as a protective control; ‘Implement multi-factor authentication everywhere feasible.’
- [T1526] Cloud Service Discovery – Using the onboarded identity, the group reached the cloud resources a new sales employee would normally use. ‘The group accessed resources a new sales employee typically uses in SharePoint and the Dragos contract management system’
- [T1530] Collect Data from Cloud Storage – A report with IP addresses associated with a customer was accessed. ‘In one instance, a report with IP (internet protocol) addresses associated with a customer was accessed’
- [T1567] Exfiltration Over Web Service – Data accessed during the intrusion was expected to be published after Dragos declined to pay; ‘The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable.’
- [T1586.002] Compromise Email Accounts – Compromising the personal email address of a new sales employee to begin onboarding steps. ‘The group gained access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process.’
- [T1593] Search Open Websites/Domains – The cybercriminal continued reaching out to multiple publicly known Dragos contacts. ‘The cybercriminal continued reaching out to multiple publicly known Dragos contacts to elicit a response.’
- [T1591.004] Gather Victim Org Information: Identify Roles – The attacker’s messages included research into family details of executives. ‘The cybercriminal’s texts demonstrated research into family details as they knew names of family members of Dragos executives, which is a known TTP.’
Indicators of Compromise
- [IP Addresses] context – 144[.]202[.]42[.]216, 162[.]33[.]179[.]126
- [Email Address] context – dragos.negotiations[@]proton.me
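The indicators above are defanged for safe publication, so the first step in using them for the continuous monitoring described in the summary is to refang them and match them against authentication and mail-gateway logs. The following is an added example, not code from Dragos or from the original post: it refangs the two IPs and the email address listed on this page and scans a few constructed log lines. The log format, field names and the `example.com` identities are assumptions made for the illustration.

```python
import re

# Indicators exactly as listed on the page, still in defanged form.
PAGE_IOCS = {
    "ip": ["144[.]202[.]42[.]216", "162[.]33[.]179[.]126"],
    "email": ["dragos.negotiations[@]proton.me"],
}

# Constructed sample log lines (hypothetical SSO, mail gateway and VPN events);
# not real telemetry from the incident.
SAMPLE_LOGS = [
    "2023-05-08T14:02:11Z sso sign-in user=new.hire@example.com result=success src_ip=144.202.42.216",
    "2023-05-08T14:05:40Z mail-gw inbound from=Dragos.Negotiations@proton.me to=exec@example.com subject=payment",
    "2023-05-08T14:07:02Z vpn session user=alice src_ip=10.20.30.40 result=success",
    "2023-05-08T14:09:15Z sso sign-in user=bob result=failure src_ip=162.33.179.126",
    "2023-05-08T14:11:30Z proxy client=144.202.42.21 dest=updates.example.com",  # near miss, not an IoC
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def refang(value: str) -> str:
    """Reverse the common defanging conventions so the indicator can be matched literally."""
    return (
        value.replace("[.]", ".")
        .replace("[@]", "@")
        .replace("hxxp://", "http://")
        .replace("hxxps://", "https://")
        .lower()
    )


def build_matchers(iocs: dict) -> dict:
    """Return one set of refanged values per indicator kind."""
    return {kind: {refang(v) for v in values} for kind, values in iocs.items()}


def scan_line(line: str, matchers: dict) -> list:
    """Extract IP and email tokens from one log line and report exact IoC matches.

    Tokens are extracted with word boundaries, so 144.202.42.21 does not match
    144.202.42.216; emails are lower-cased because mailbox names are case-insensitive
    in practice and attackers vary capitalisation.
    """
    hits = []
    for ip in IP_RE.findall(line):
        if ip in matchers.get("ip", set()):
            hits.append(("ip", ip))
    for addr in EMAIL_RE.findall(line):
        if addr.lower() in matchers.get("email", set()):
            hits.append(("email", addr.lower()))
    return hits


def scan_logs(lines, iocs=PAGE_IOCS) -> list:
    """Scan every line and return findings with the 1-based line number for triage."""
    matchers = build_matchers(iocs)
    findings = []
    for number, line in enumerate(lines, 1):
        for kind, value in scan_line(line, matchers):
            findings.append({"line": number, "kind": kind, "value": value, "text": line})
    return findings


def summarize(findings: list) -> dict:
    """Count findings per indicator kind, e.g. {'ip': 2, 'email': 1}."""
    counts: dict = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_logs(SAMPLE_LOGS)
    for f in results:
        print(f"line {f['line']}: {f['kind']} {f['value']} <- {f['text']}")
    print(summarize(results))
```

Running the block flags lines 1, 2 and 4 and ignores the near-miss address on line 5. In a real pipeline the defanged list would be loaded from the threat-intel feed rather than hard-coded, and a hit on the email address in an inbound mail log is the signal to pull the message for the incident responders, while a hit on either IP in SSO logs during an onboarding window is exactly the lateral-movement precursor the summary says the enhanced monitoring was meant to catch.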
Read more: https://www.dragos.com/blog/deconstructing-a-cybersecurity-event/