Dragos fends off ransomware attack.
N2K, May 12, 2023

Cybersecurity firm Dragos has disclosed a failed extortion attempt against the company.


Cybersecurity firm Dragos has disclosed a failed extortion attempt against the company, which it says it successfully blocked. The company says none of its systems were breached, and that the access the attackers did obtain came through an account that had just been created for an incoming employee.

How the attempt on Dragos played out.

In a report on the attempted attack, Dragos says the hackers gained access by compromising the email address of a newly hired employee before their onboarding date, then used that employee's information to move through the early steps of the onboarding process. Dragos reports a single instance in which IP addresses associated with a customer were accessed; the company reached out to that customer and prevented any damage. Security Week reports that Dragos's timeline shows the hackers were in the system for just over sixteen hours, during which they obtained access to twenty-five intelligence reports "accessible to paying customers" and to "a contract management system." The intruders were also apparently able to take data from the company's SharePoint, and they emailed executives demanding a ransom. Bleeping Computer reported that the gang threatened to disclose the incident publicly; the company blocked the account and chose not to engage. The investigation is ongoing.
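The pattern above (a brand-new employee account, active around its onboarding date, pulling a couple of dozen customer-restricted reports within a day) is one a detection team can encode. The script below is an added example written for this page, not Dragos's own detection logic or anything from its disclosure. It assumes a hypothetical JSON-per-line document access log, a hypothetical HR roster mapping accounts to start dates and account-creation times, and two assumed rules: any activity before the HR start date, and a new account reading more than a threshold of restricted documents within its first 24 hours. All names, addresses and log lines are constructed.

```python
"""
Added example (not from Dragos or the article): flag newly onboarded accounts
that behave like the intrusion described above.

Rules (assumptions chosen for the example, not Dragos's detections):
  1. pre_start_activity   - any activity by an account before its HR start date
  2. new_account_bulk_read - an account younger than NEW_ACCOUNT_WINDOW reading
                              more than BULK_THRESHOLD distinct restricted documents
All roster entries and log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

NEW_ACCOUNT_WINDOW = timedelta(hours=24)
BULK_THRESHOLD = 10

# Constructed HR roster (hypothetical accounts): HR start date and the time the
# directory account was created.
ROSTER = {
    "new.hire@example.com": {
        "start_date": "2023-05-08",
        "account_created": "2023-05-08T08:02:00Z",
    },
    "long.timer@example.com": {
        "start_date": "2019-03-04",
        "account_created": "2019-03-04T09:00:00Z",
    },
}

# Constructed audit log: one JSON object per line, loosely modelled on a document
# access log (who, when, action, document, classification label, source IP).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2023-05-07T21:15:00Z", "user": "new.hire@example.com", "action": "signin",
     "doc": None, "label": None, "ip": "203.0.113.10"},
    *[{"ts": f"2023-05-08T09:{m:02d}:00Z", "user": "new.hire@example.com", "action": "read",
       "doc": f"intel-report-{m}", "label": "customer-restricted", "ip": "203.0.113.10"}
      for m in range(12)],
    {"ts": "2023-05-08T10:00:00Z", "user": "long.timer@example.com", "action": "read",
     "doc": "intel-report-3", "label": "customer-restricted", "ip": "198.51.100.5"},
])


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(log_text):
    """Parse one JSON object per non-empty line; 'ts' becomes an aware datetime."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = _parse_ts(event["ts"])
        events.append(event)
    return events


def find_suspicious(log_text, roster, window=NEW_ACCOUNT_WINDOW, threshold=BULK_THRESHOLD):
    """Return a list of alert dicts ({'rule', 'user', 'detail'}); empty means no match."""
    alerts = []
    bulk = defaultdict(set)  # user -> distinct restricted docs read while the account was new
    for event in parse_events(log_text):
        user = event["user"]
        profile = roster.get(user)
        if profile is None:
            # An account HR has never heard of deserves its own alert; out of scope here.
            continue
        start = datetime.fromisoformat(profile["start_date"]).replace(tzinfo=timezone.utc)
        created = _parse_ts(profile["account_created"])

        # Rule 1: anything done under this identity before HR's start date.
        if event["ts"] < start:
            alerts.append({
                "rule": "pre_start_activity",
                "user": user,
                "detail": f'{event["action"]} at {event["ts"].isoformat()} from '
                          f'{event["ip"]}; HR start date {profile["start_date"]}',
            })

        # Rule 2 (accumulate): restricted reads while the account is still new.
        if (event["action"] == "read"
                and event.get("label") == "customer-restricted"
                and event["ts"] - created < window):
            bulk[user].add(event["doc"])

    for user, docs in bulk.items():
        if len(docs) > threshold:
            alerts.append({
                "rule": "new_account_bulk_read",
                "user": user,
                "detail": f"{len(docs)} distinct restricted documents within "
                          f"{window} of account creation",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG, ROSTER):
        print(f'[{alert["rule"]}] {alert["user"]}: {alert["detail"]}')
```

The two rules are deliberately simple: the first needs only an HR feed joined to sign-in data, and the second needs the document store's audit log plus account-creation times from the directory. Thresholds are placeholders; a real deployment would tune them against the volume a legitimate first-day employee generates, and would add a third alert for accounts the HR roster does not know about.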

De-stigmatizing an internal security incident.

Dragos said it wanted to be transparent, and so shared the details of the attack in its disclosure. CRN reports that Dragos CISO Steve Applegate said in an email that “organizations have understandably been concerned about reputational damage from security events, and this can cause them to withhold security information that could benefit the broader community. As cyberattacks grow in sophistication and number, there needs to be an attitudinal shift toward transparency and collaboration.”

Industry commentary on the Dragos incident and the company’s response.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, credits Dragos for a good response:

"This is one of the rare stories where you hear about a truly crafty social engineering attempt and a quick discovery which led to minimal damage. Every organization needs to be aware of the very active social engineering scams that are happening in the hiring space. In this case, a legitimate new employee was apparently compromised and that initial access led to more access. There are also many stories of employers hiring fake employees who existed only to steal and scam from their employer, fake employees who actually didn't know their job and just collected paychecks until they were fired, and scams the other way where legitimate job seekers were scammed while seeking employment. These types of stories are reinforcement for the continued attacks against employers and employees."

Erich Kron, Security Awareness Advocate at KnowBe4, gives credit to Dragos for the way it implemented appropriate security protocols:

"This goes to show that organizations in any industry can be targeted by bad actors. In this case, the fact that Dragos has disclosed the potential issue, even though it's quite minor, demonstrates a type of transparency that should be noted. Security vendors are always going to be targets of bad actors, if for no other reason than the bragging rights. For one of these bad actors to create a breach of a cybersecurity organization on their criminal resume, it would likely fuel their ego while also demonstrating a significant amount of skill to others seeking their services, so there is a great deal of motivation to be successful. When defending against these attacks, organizations need to not only consider how to prevent a bad actor from gaining access, but also be able to deal with the aftereffects of network access. In this case, Dragos appeared to be able to spot the issue fairly quickly and had security controls in place to prevent widespread havoc within their system."

Ryan Bell, Threat Intelligence Manager at Corvus Insurance, advises looking at how expansive the attack surface is, including employees' own attack surfaces:

“This incident is the latest example of attackers increasingly using data theft for extortion. The use of data theft for extortion is on the rise, as evidenced by the increasing number of traditional ransomware groups employing "double extortion" tactics - conducting both data theft and encryption. Additionally, a growing number of new groups are now abandoning encryption altogether to focus solely on data theft. In 2021, only 17% of new extortion groups engaged in data-theft-only attacks, compared to 27% in 2022, indicating a clear upward trend.

“Furthermore, threat actors will use personal information of employees to try and build leverage. Attackers are becoming more adept at making the most of stolen data, searching for keywords on victim networks to find the most sensitive files to steal. This mainly includes financials, PII, or other confidential data. Some groups such as Vice Society are even searching for NSFW files to use in extortion. On the negotiation front, threat actors are using all available means to force victims to pay up, including citing GDPR privacy laws, calling employees, emailing customers, or even researching executives and their families, as seen in the case of Dragos.

“Personal computers and accounts of employees are not out of bounds. Recent high-profile data theft attacks have shown that threat actors will make full use of employees' personal accounts and devices. For instance, in 2022, a threat actor first compromised an employee's personal computer before pivoting to LastPass’s network. In another case last year, attackers found an Uber employee's phone number, messaged them on WhatsApp, and used social engineering to gain access to Uber’s data. This presents significant challenges moving forward, as businesses must expand their attack surface to include their employees' digital lives, even those who have yet to start their first day of work.”

Stuart Wells, CTO of Jumio, agrees that the incident shows that criminals will make attempts even against well-prepared, security savvy organizations:

“Today’s announcement from Dragos proves no organization is safe from cybercriminals and that identity verification is vital from the moment a user begins the initial onboarding process. This incident serves as a reminder for companies across industries, not only to bolster their security posture with robust verification measures, but also implement ongoing authentication. Biometric-based authentication is intended to prevent attacks like this by cross-referencing the biometric features of an onboarded user with those of the bad actor attempting to breach the company. Whether it’s an employee or a customer, enterprises must ensure they are granting access only to authorized users. 

“Cybercriminals are getting bolder and smarter, and going after a cybersecurity company underscores that any company’s data can be a target. Organizations must be equipped to protect their data, and their customers data, which starts with a strong foundation of user verification and authentication. The financial and reputational costs of a data breach are steadily increasing and as evidenced by this event, companies must prepare themselves for threats both internal and external.”

Disclosure: Dragos is a CyberWire partner. They neither approved nor reviewed this story before its publication.