Use Case: Long-Term Unintended Remote Access To Administrative User Account; How Awareness Training Could Have Prevented A Breach
September 22, 2022
Your employees' email accounts are full of hazards that can lead to a cybersecurity incident. That is why it is critical that employees know how to recognize threats, protect business data, and prevent unauthorized access to systems. We want to share a real-world example of a successful cyberattack, how it could have been prevented, and what the business is doing to keep it from happening again.
On a Wednesday, we received a call from one of our partners who was concerned about a cyberattack. The IT Director told our helpdesk that an employee had watched the cursor on a device moving on its own: it was opening files and programs, opening browser tabs, and browsing through bookmarks. Before calling us, the IT Director unplugged the device from both the network and the power supply. Cutting network access is the right reflex when an attacker is visibly at the controls. One caveat for practitioners: pulling the power also discards whatever was in memory (active sessions, in-memory tooling), so where a memory capture matters, isolate the network first and leave the machine powered on until an image can be taken.
After speaking with the IT Director, we learned that the employee whose device was potentially compromised admitted to "clicking something" the day before. At that point, we asked for the device to be brought to our office for a full investigation.
Early in the investigation we confirmed that the attacker had established unauthorized access and had held full remote control of the device for several days. As with most breaches we see, this one began with a phishing email. What sets this incident apart is that the phishing email was sent to the employee's personal email address, not the business account. This is one of the many reasons we strongly recommend keeping personal and business email as separate as possible and asking employees not to check personal email on business devices.
The email contained a PDF attachment disguised as an invoice. The fake invoice stated that a large payment had been processed successfully, a standard pretext designed to alarm the target and push them to act quickly. It also listed a phone number to call for "assistance" with the charge. This is the pattern commonly called callback phishing: the email itself carries no malicious link or payload, so there is nothing for a mail filter to block, and the actual attack happens over the phone.
We believe the employee called the listed number to dispute the charge. Once on the phone, the attacker talked the employee through installing a program that gave the attacker remote control of the device. On the device we found the installer for a common remote-control (screen-sharing) tool in the Downloads folder, and the event logs showed a remote session starting one minute after the download.
Continuing the review, we found that a second remote-access tool had also been installed, a common technique that gives the attacker a backdoor if the first tool is disabled or removed. Because both are legitimate, commercially available remote-support products rather than malware, neither the antivirus nor the EDR agent on the machine raised an alert. Both installations were also configured to start at boot, and the computer had no idle screen lock. Taken together, this meant the attacker regained access every time the employee powered the device on and kept it until the screen was locked manually or the device was shut down.
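As an added example (not part of the original write-up or the tooling used in this case), the PowerShell triage script below checks the same places this incident surfaced on a Windows host: the autostart locations a remote-access agent uses to survive a reboot (Run keys, services, scheduled tasks, startup folders), leftover installers in the user's Downloads folder, and whether any idle screen lock is configured. The list of product names is an assumption, a starting point rather than a complete inventory of remote-access software; run it from an elevated prompt on the suspect machine.

```powershell
# Added example: autostart and idle-lock triage for a suspected remote-access tool install.
# $remoteTools is an assumed starting list of common remote-support product names; extend it.
$remoteTools = @('ScreenConnect','ConnectWise','AnyDesk','TeamViewer','Splashtop',
                 'Atera','RustDesk','LogMeIn','Supremo','UltraViewer','GoToAssist','NinjaOne')
$pattern  = ($remoteTools | ForEach-Object { [regex]::Escape($_) }) -join '|'
$findings = @()

function Add-Finding($Source, $Name, $Detail, $Location) {
  $script:findings += [pscustomobject]@{ Source=$Source; Name=$Name; Detail=$Detail; Location=$Location }
}

# 1. Registry Run/RunOnce keys, per-machine and per-user
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }            # skip PSPath/PSParentPath metadata
    if ("$($p.Name) $($p.Value)" -match $pattern) {
      Add-Finding 'RunKey' $p.Name $p.Value $key
    }
  }
}

# 2. Services: remote-support agents almost always register an auto-start service
Get-CimInstance -ClassName Win32_Service |
  Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $pattern } |
  ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName "StartMode=$($_.StartMode) State=$($_.State)" }

# 3. Scheduled tasks whose action launches a matching binary
Get-ScheduledTask | ForEach-Object {
  $task = $_
  foreach ($a in $task.Actions) {
    if ("$($a.Execute) $($a.Arguments)" -match $pattern) {
      Add-Finding 'ScheduledTask' $task.TaskName "$($a.Execute) $($a.Arguments)" $task.TaskPath
    }
  }
}

# 4. Startup folders (all users and current user)
$startupDirs = @(
  "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
  "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
  if (-not (Test-Path $dir)) { continue }
  Get-ChildItem -Path $dir -File | Where-Object { $_.Name -match $pattern } |
    ForEach-Object { Add-Finding 'StartupFolder' $_.Name $_.FullName $dir }
}

# 5. Installers left in Downloads (the artifact found in this incident), with timestamps
#    so the download can be lined up against session-start events in the event log
$downloads = Join-Path $env:USERPROFILE 'Downloads'
if (Test-Path $downloads) {
  Get-ChildItem -Path $downloads -File |
    Where-Object { $_.Extension -in '.exe','.msi' -and $_.Name -match $pattern } |
    ForEach-Object { Add-Finding 'Downloads' $_.Name "Created $($_.CreationTime)" $_.FullName }
}

# 6. Idle lock: either the machine inactivity limit policy or a secure screensaver must be set
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
            -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
$desk   = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$lockConfigured = ($policy -and [int]$policy.InactivityTimeoutSecs -gt 0) -or
                  ($desk -and $desk.ScreenSaveActive -eq '1' -and $desk.ScreenSaverIsSecure -eq '1' -and
                   [int]$desk.ScreenSaveTimeOut -gt 0)
if (-not $lockConfigured) {
  Add-Finding 'Policy' 'NoIdleLock' 'No inactivity limit or secure screensaver configured' 'HKLM/HKCU'
}

$findings | Format-Table -AutoSize
```

A hit in any of the first four sections is a persistence entry to remove, not just a file to delete; the service and task entries are what brought the attacker back after each reboot in this case. The inactivity limit is the policy "Interactive logon: Machine inactivity limit" and is the setting that would have ended the attacker's access after a period of inactivity instead of leaving the desktop open until someone locked it by hand.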
During the review we established that remote access had first been gained three days earlier, so the attacker held access for a significant period: enough time to log keystrokes, steal data, or stage a larger attack. Fortunately there was no indication of a sophisticated intrusion. Even so, this apparently low-skilled criminal was able to reach banking details, credit card numbers, and online shopping accounts stored on the device, and used them to order hundreds of dollars of goods from a variety of websites. Those orders were eventually stopped and the money refunded.
As the review continued, we learned how much worse this breach could have been. The compromised employee had administrative rights not only on the breached device but on other devices on the network, plus permissions to network resources such as shared drives and other business data. Because a remote-control session acts as the logged-in user, everything that account could reach was within the attacker's reach as well: a more capable attacker could have exfiltrated a significant amount of data, taken control of other devices, or deployed a payload such as ransomware to every asset the account could access.
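The blast radius described above is something an administrator can measure before an incident rather than after it. The following is an added example (not part of the original post) of a least-privilege audit in PowerShell: it lists who holds local Administrators membership on one or more hosts, flags user accounts that are admin on more than one machine, and lists SMB share permissions granted to broad groups. It assumes PowerShell 5.1 or later with the built-in LocalAccounts and SmbShare modules, and WinRM access if remote host names are passed.

```powershell
# Added example: audit local admin membership and broad share permissions.
# Assumes the LocalAccounts and SmbShare modules (built in on Windows 10 / Server 2016+)
# and, for remote hosts, WinRM access. Host names passed in are the caller's own.
function Get-LocalAdminReport {
  param([string[]]$ComputerName = @($env:COMPUTERNAME))
  $collect = {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
      [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Member   = $_.Name
        Class    = $_.ObjectClass      # User or Group
        Source   = $_.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
      }
    }
  }
  foreach ($c in $ComputerName) {
    if ($c -ieq $env:COMPUTERNAME) { & $collect }
    else { Invoke-Command -ComputerName $c -ScriptBlock $collect }
  }
}

# Individual user accounts (not groups) that are admin on more than one host: if one of
# these is phished, every host in its list is reachable with the same credentials.
function Get-MultiHostAdmins {
  param([object[]]$Report)
  $Report | Where-Object { $_.Class -eq 'User' } |
    Group-Object Member | Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
      [pscustomobject]@{ Member = $_.Name; Hosts = ($_.Group.Computer | Sort-Object -Unique) -join ', ' }
    }
}

# Share permissions granted to groups that include every ordinary user; Full/Change here
# is what lets a compromised account encrypt or exfiltrate the share's contents.
function Get-BroadShareAccess {
  $broad = @('Everyone','Authenticated Users','Users','Domain Users')
  Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name | Where-Object {
      $_.AccessControlType -eq 'Allow' -and
      ($broad | Where-Object { $_ -and $args -eq $null; $_ }) -contains ($_.AccountName -replace '^.*\\','') -and
      $_.AccessRight -in 'Full','Change'
    }
  } | Select-Object Name, AccountName, AccessRight
}

# Usage: start with the local host; add other hosts as WinRM access allows.
$report = Get-LocalAdminReport -ComputerName $env:COMPUTERNAME
$report | Format-Table -AutoSize
Get-MultiHostAdmins -Report $report | Format-Table -AutoSize
Get-BroadShareAccess | Format-Table -AutoSize
```

The useful output is the second table: any interactive user that appears there is a single-phish path to several machines, and the fix is to move that user's day-to-day work to a standard account and keep a separate, non-email-enabled account for administration. The share table shows which data a compromised standard user could still reach.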
To close out the investigation, the device was fully inspected, both remote-access tools and any other unwanted software were removed, user account permissions were reviewed and reduced, and the IT Director received a full report of our findings.
The most important takeaway from this incident is the IT Director's immediate response. Not only was the instinct to take the potentially compromised device off the network correct, the IT Director also asked straight away how to prevent a repeat. After discussing the anatomy of this incident and the common ways cybercriminals gain a foothold through email, the IT Director decided to implement cybersecurity awareness training and testing for all employees.
To stop an attack like this from succeeding, employees must be able to recognize common attack techniques, the red flags in email and text messages, and basic cyber-hygiene practices. Ongoing awareness training and simulated phishing exercises are a practical way to build that. To learn more about employee training and how you can protect your organization, take a minute to watch the short video below and read this short article for a detailed breakdown of how awareness training works and how to get started.