3B Data Security
Situation: A legal firm suspected that malicious actors had been intercepting and accessing its corporate emails and/or data on Microsoft 365 (M365). As a consequence of this compromise, spoof emails impersonating employees were being sent to the firm's customers; these contained bogus bank account details in an attempt to obtain money by deception, and also contained sensitive information known only to authorised personnel.
Task: 3B Data Security was tasked with carrying out an investigation to establish whether there was any supporting evidence for the above, to what extent the compromise had spread across the network, and which persons and systems had been affected.
Actions: 3B Data Security worked closely with the client as a team to narrow down the scope of the investigation.
The first priority was to contain the compromise. This was achieved firstly by instructing the client to perform a password reset on all accounts, with improved password complexity and Multi-Factor Authentication (MFA) wherever possible.
Secondly, we deployed a threat monitoring solution across the whole network and all user devices. Within a matter of hours, potential Indicators of Compromise (IoCs) were identified on specific systems. These required closer examination, so we instructed the client to remove and isolate them from the network. 3B Data Security consultants then attended various sites (including users' homes) to capture forensic images of these systems for further analysis.
Finally, containment also involved vulnerability and penetration testing to identify weaknesses on the network that the threat hunting might not have revealed.
Whilst the above was being conducted, other members of the team carried out a full review and analysis of the MS365 environment. The client provided us with a unique administrator account so that a full review of the audit logs and analysis of user accounts could be carried out whilst maintaining an audit trail. The known reported malicious emails were also analysed. Within MS365 we identified signs of brute force attacks and made the immediate recommendation that MS365 hardening be conducted in parallel with the wider investigation, which the client permitted us to do in cooperation with their outsourced IT service provider.
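The kind of audit-log review described above, as an added example that is not 3B Data Security's tooling: it groups Microsoft 365 unified audit log sign-in records (Operation values UserLoggedIn and UserLoginFailed, with CreationTime, UserId and ClientIP fields) by account and source IP, flags a burst of failures inside a sliding window, and notes whether a successful sign-in from the same IP followed the burst. The sample records, the five-failures-in-ten-minutes threshold and the example.invalid account names are constructed assumptions, not data from the engagement.

```python
"""Flag brute-force sign-in patterns in Microsoft 365 unified audit log records.

Added example, not 3B Data Security's code. Record shape follows the
unified audit log (Operation, UserId, ClientIP, CreationTime); the sample
data and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

FAILURE_THRESHOLD = 5           # failures from one IP against one account (assumed)
WINDOW = timedelta(minutes=10)  # sliding window for the burst (assumed)


def _rec(ts, op, user, ip):
    return {"CreationTime": ts, "Operation": op, "UserId": user, "ClientIP": ip}


# Constructed sample (not real log data). Three patterns:
#  - a.smith: six failures from one IP, then a success from the same IP
#  - b.jones: two failures then a success (a user mistyping a password)
#  - c.lee:   five failures from the same IP as a.smith's burst, no success
SAMPLE_RECORDS = [
    *[_rec(f"2021-03-01T08:0{m}:00", "UserLoginFailed", "a.smith@example.invalid", "198.51.100.7") for m in range(6)],
    _rec("2021-03-01T08:07:00", "UserLoggedIn", "a.smith@example.invalid", "198.51.100.7"),
    _rec("2021-03-01T08:30:00", "UserLoginFailed", "b.jones@example.invalid", "203.0.113.5"),
    _rec("2021-03-01T08:31:00", "UserLoginFailed", "b.jones@example.invalid", "203.0.113.5"),
    _rec("2021-03-01T08:32:00", "UserLoggedIn", "b.jones@example.invalid", "203.0.113.5"),
    *[_rec(f"2021-03-01T09:0{m}:00", "UserLoginFailed", "c.lee@example.invalid", "198.51.100.7") for m in range(5)],
]


def parse_records(raw_records):
    """Accept dicts or JSON strings (an exported AuditData column is one JSON string per row)."""
    parsed = []
    for raw in raw_records:
        rec = json.loads(raw) if isinstance(raw, str) else dict(raw)
        rec["time"] = datetime.fromisoformat(rec["CreationTime"])
        parsed.append(rec)
    return parsed


def find_bruteforce(records, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one finding per (account, source IP) that shows a burst of failed sign-ins."""
    by_key = defaultdict(list)
    for rec in records:
        by_key[(rec["UserId"], rec["ClientIP"])].append(rec)

    findings = []
    for (user, ip), events in by_key.items():
        failures = sorted(e["time"] for e in events if e["Operation"] == "UserLoginFailed")
        successes = [e["time"] for e in events if e["Operation"] == "UserLoggedIn"]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the span fits inside `window`.
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                # Take the whole run of failures within one window of the first one.
                burst = [t for t in failures if failures[start] <= t <= failures[start] + window]
                burst_end = burst[-1]
                findings.append({
                    "user": user,
                    "ip": ip,
                    "failures": len(burst),
                    "first_failure": burst[0].isoformat(),
                    "last_failure": burst_end.isoformat(),
                    # A success shortly after the burst is the case to triage first.
                    "followed_by_success": any(burst_end <= t <= burst_end + window for t in successes),
                })
                break  # one finding per (user, ip) is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_bruteforce(parse_records(SAMPLE_RECORDS)):
        print(finding)
```

On the sample this reports a.smith (burst followed by a success, the highest-priority case) and c.lee (burst with no success), and ignores b.jones's two typos. On a real export, feed `parse_records` the AuditData strings and adjust the threshold to the tenant's normal failure rate.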
Back at the laboratory, the forensic team analysed the forensic images captured from the isolated devices and from devices identified as belonging to users whose emails had been spoofed.
Progress in each area of the investigation was relayed daily to a single point of contact (the lead investigator), collated, and presented to the client in daily progress meetings. The meetings also covered next steps, recommendations and actions for the client and the IT service provider, with target deadlines.
Results: In the first instance, the threat monitoring identified malicious activity on a user's personal MacBook that was used to access corporate systems. Further analysis of the MacBook identified browsing to suspect sites such as 'The Pirate Bay' and many different types of adware activity, more than one of which was identified as a browser hijacker.
It was concluded that the attacker was capturing live data while the user was connected to corporate systems; it is therefore plausible that the infected MacBook was the attack surface that allowed the attacker to obtain user information, credentials and customer data. A browser hijacker on the device would have had the capability of capturing data whilst the user was connected to corporate systems. This is consistent with the reported spoof emails containing sensitive information that only an authorised user would normally have had access to.
Although analysis of the other user devices, MS365 and other systems did not identify any IoCs, it exposed considerable information security concerns across the whole infrastructure, the main one being staff using personal devices to access company resources, with no control over what is on those devices or what activities the user performs on them.
This led the client to question their whole information security posture and to take immediate action based on our recommendations and remediation measures.