- Our client got a phone call from their bank asking for verbal confirmation that they wanted to go through with a $200,000 transaction - a request that our client did NOT make
- The bank instructed the client to give our team at KNS a call, and we found that multiple email accounts had been breached, allowing the initiation of a fraudulent money transfer to go unnoticed
- After further investigation, we found that the attacker had created several mailbox rules to cover their tracks, and had even created a "guest" account within the portal that gave them access to several shared mailboxes and resources
- We immediately ensured that all logged-in sessions were terminated, and initiated password resets for all employees
- We trained employees on password best practices and enabled MFA (multi-factor authentication) to safeguard against future attacks
Phase 1: The Problem
Objective – Secure client's email and accounts following a breach
This particular client deals very frequently in large sums of money. It is not out of the norm for transactions to well exceed the 10k mark, and every so often transactions occur over the 100k mark. This made them a prime target for an email scam, which of course is exactly what happened.
One of the Office 365 administrators had his email compromised by an attacker whose IP address originated out of Bangladesh. The attacker hid from detection by first simply observing the user's activity and the types of responsibilities he held at the company. After watching for approximately 1 week, they had identified the internal business processes required for wiring large sums of money. In addition, they found, stored within old emails, the password of another manager who was also involved in the business process for wiring. The attacker then had access to both email accounts and both identities required to process a large transaction.
It was at this point that the attacker set up email rules preventing communication between the two managers, and also preventing communication to and from the bank from reaching their personal inboxes. Emails were rerouted to a secondary server which the attacker owned, where they were captured and deleted before the end users ever saw them. After setting up the block and email rules, the attacker made their move. They emailed the bank and requested that the sum of 200k be wired to an offshore account. When the bank responded and challenged the attacker for identity verification, they were able to respond with all of the requested information, which they had researched using the email accounts and logins stolen during the initial breach.
Luckily, at this point the bank called the client directly and asked them for verbal confirmation to process the transaction, at which point both managers denied ever having submitted the request. The bank placed a hold on all immediate future transactions and instructed the client to reach out to us to secure their email accounts.
“After watching for approximately 1 week, the attackers had identified the internal business processes required for wiring large sums of money.”
– Gianni, I.T. Engineer
Phase 2: Eliminate Threat
The client reached out to us and explained their situation. Because the attacker was still in the system and did not want to tip their hand that something was amiss, they had not changed the email passwords on the admin accounts, which allowed us to log into the administration portal for the company. We immediately changed the passwords and forced sign-out of all active sessions for both managers' accounts. After verifying that the attacker no longer had access to the system, we began password resets of all accounts with extended privileges on their email portal.
Now that the immediate threat had been stopped, we began digging deeper into the extent of the attacker's actions. We found the rules the attacker had placed on the mailboxes, in addition to automatic forwarding and duplication of emails to an outside email address. We also noticed that the attacker had created a "guest" account within the portal that had been given access to several shared mailboxes and resources.
After this, we ran an audit on all activities performed by users within the organization to locate any account or portal changes that had been made. Because the attacker had deleted emails from the client's inboxes, we had to perform eDiscovery searches on all content sent from the respective accounts, and we were able to document the deleted email correspondence between the attacker and the bank. The additional auditing steps did not reveal any actions beyond those we had already identified.
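The three findings above (inbox rules that hide mail, mailbox-level forwarding, and an attacker-created guest account) can be checked from PowerShell. The script below is an added example, not KNS's own tooling; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that Connect-ExchangeOnline and Connect-MgGraph have already been run with audit-reading permissions, and the UPN at the end is a placeholder.

```powershell
# Added example (not from the original case study): triage checks for the findings in Phase 2.
# Assumes Connect-ExchangeOnline and Connect-MgGraph -Scopes "User.Read.All" have been run.

# 1. Inbox rules that delete, forward or redirect mail: the pattern used to block the bank's replies.
$suspiciousRules = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName | Where-Object {
        $_.DeleteMessage -or $_.ForwardTo.Count -gt 0 -or
        $_.ForwardAsAttachmentTo.Count -gt 0 -or $_.RedirectTo.Count -gt 0
    } | Select-Object @{n = 'Mailbox'; e = { $mbx.UserPrincipalName }}, Name, Enabled,
        DeleteMessage, ForwardTo, RedirectTo, ForwardAsAttachmentTo
}

# 2. Mailbox-level forwarding set through admin settings; this survives inbox-rule cleanup.
$forwarding = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Guest accounts, newest first, so a recently created "guest" stands out.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property DisplayName, Mail, CreatedDateTime, UserPrincipalName |
    Sort-Object CreatedDateTime -Descending |
    Select-Object DisplayName, Mail, CreatedDateTime

# 4. Who created or changed rules/forwarding in the last 30 days, with the source IP from the audit record.
$ruleEvents = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, Set-Mailbox -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations,
        @{n = 'ClientIP'; e = { ($_.AuditData | ConvertFrom-Json).ClientIP }}

"== Suspicious inbox rules =="; $suspiciousRules | Format-Table -AutoSize
"== Mailbox forwarding ==";     $forwarding      | Format-Table -AutoSize
"== Guest accounts ==";         $guests          | Format-Table -AutoSize
"== Rule/forwarding changes =="; $ruleEvents     | Format-Table -AutoSize

# Containment step from Phase 2: invalidate all existing sessions for a compromised account.
# Run it after the password reset so the attacker cannot simply sign back in.
# Revoke-MgUserSignInSession -UserId 'manager@example.com'   # placeholder UPN
```

Review the rule output together with the audit events: a rule created from an unfamiliar IP that deletes or redirects mail from the bank's domain is the signature of this incident.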
Phase 3: Prevent Future Attacks
Because of the nature of the attack and the accounts that were compromised, it was highly likely that sign-in information for other user accounts had also been stolen. At this point we recommended that all user accounts immediately have their passwords reset. We visited the client on-site and assisted their users with password resets. Another step we took was assisting the managers in identifying other accounts, outside their email, that had used the same passwords that were compromised. Because the managers and many of the employees had reused their old passwords across multiple sites, we trained them on how to use password managers and randomly generated passwords to better isolate their accounts from cascading compromises.
Lastly, we instituted MFA (Multi-Factor Authentication) policies on all the elevated user accounts. This would prevent the accounts from being compromised in the future unless the attacker had also gained access to one of their application passwords (a one-time password used for logging into desktop and mobile email) or had stolen one of their personal devices.
Because of the precautions taken by the client's bank and the quick response of our staff, an otherwise catastrophic security incident totaling over $200,000 was stopped and the potential damage was efficiently mitigated. Kitsap Networking is familiar with these types of security incidents and has developed strategies to not only thwart active attacks but also set up safeguards to mitigate future incidents. These safeguards include setting up MFA, training staff on proper password management, deploying advanced auditing policies, and educating staff and management alike in proper information security skills and awareness.