Hello readers, this article is about a cyber incident I recently came across.
Short and simple:
Everything was going normally. The employee was in a manager position, and he (sorry, the malware in his system... lol) managed to get past all of our security filters and alerts: CrowdStrike, Zscaler, Intune, Darktrace. He was finally flagged only as an unusual, allowed anonymiser IP connection. After this incident the cyber quote 'There are two types of companies: those that have been hacked, and those that don't know they have been hacked' suddenly hit home.
The full incident goes like this: I got an allowed-IP incident alert, followed by two more similar ones. For the first alert, a basic intel search was done with online tools like Cisco Talos, Zscaler, etc., and the IP had no malicious reputation on any of the platforms.
For the second alert, the notification said: We have observed usage of an anonymizer application involving the XXX account, 192.95.36.142 IP address and external '192.95.36.142' domain. Please note ZScaler reported this traffic as not blocked. Anonymizers (such as the Tor web-browser) are applications and methods that intend to obscure the destination of traffic as well as content accessed to minimize the tracking of end-user activity and to hide their identity. Additionally, usage of anonymizers could enable a user to bypass organizational policies controlling what websites and other Internet-based resources they can access. Alternatively, this alert could also reflect non-malicious activity where the requested domain is expected to be contacted (perhaps due to research/testing purposes for an authorized user).
After getting in touch with the user, I learned it was the AI-based Grammarly application he was trying to use, but our Zscaler policy was blocking all such AI-based IPs. The issue was later escalated and Grammarly was whitelisted.
But I was a little nosy here! I initiated an aggressive CrowdStrike scan; the system came out clean, with no detections and no anomalies in its behaviour. That gave me some relief, but I still searched for the IP's activity across our environment, and again nothing came out. Ahh... no, I am not so easily impressed, you automation tools! That was the voice in my head.
I went one step further, revoked all sessions, and asked the user to reset his password.
Next day, the same alert again! Whoa... this is not fine, for sure... so I decided to remote onto the user's system and have a look.
I found the portable version of the Tor Browser (SHA-256: 1258cea4c6a5576bc6e1dac39a67f3f9ad8dbd64657ba94c7506ce527476000a) placed as a shortcut on the Desktop. The user said it was to help Grammarly work (he was not clear in giving the reason, but said he had raised an incident about Grammarly and was using Tor only to help Grammarly work). Do we look so dumb as to accept what he said? Hilarious... lol...
As identified, it was a portable version (its hash and packaging differ from the standard installer's, so any hash-based indicator would miss it). More to the point, a CrowdStrike scan, aggressive or not, looks for malicious behaviour and known-bad indicators, and the Tor Browser is legitimate software from The Tor Project, so a clean result was to be expected even though the tool is unwanted here. Stopping software like this needs an application-control or custom-indicator policy, not a malware scan.
Moving further into the investigation, I observed that the download had been done a few minutes before the first reported incident, and from the Chrome browser, whose browsing history had also been cleared by the user.
But in Chrome's Downloads section we found the file and the domain it was downloaded from, https://dist[.]torproject[.]org/. We also observed that the user had tried (months back) to download another external browser, AVG Secure Browser, which was found in the Downloads folder.
As all of this raised concern about the device and the user, for bypassing security controls and downloading unauthorized browsers, we decided to isolate the device by putting it in containment through CrowdStrike, disable the device in Azure AD and revoke all sessions. Some disciplinary action was taken (which I am unaware of).
So the incident set off a spark in my mind: if a simple trick like this can bypass the security stack, what if some terrorist-backed organisation or APT group threatened a random employee to do these things?
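The Chrome download check described above, written out as an added example (this is not code from the original post). It builds an in-memory SQLite database that mimics the two Chrome History tables involved ('downloads' and 'downloads_url_chains', reduced to the columns needed here), fills it with constructed rows, and then surfaces any download that touched a watchlisted host and started shortly before the alert. The Chrome path, the watchlist entry www.torproject.org, the file names and the timestamps are assumptions; dist.torproject.org is the host named in the post.

```python
"""Chrome download-history triage for unauthorized browser downloads.

Added example, not code from the original post. On a real Windows endpoint,
copy %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\History while Chrome
is closed (it locks the file) and pass sqlite3.connect(<copy>) to
query_downloads(); the sample below uses constructed data instead.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Chrome stores timestamps as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Hosts whose downloads should be surfaced. dist.torproject.org is the one
# found in the incident; www.torproject.org is an assumed addition.
WATCHLIST = {"dist.torproject.org", "www.torproject.org"}

# Constructed timestamp standing in for the first anonymizer alert.
SAMPLE_ALERT_TIME = datetime(2024, 5, 6, 9, 20, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for a Chrome History file (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,
                                start_time INTEGER, tab_url TEXT);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
    """)
    tor_start = datetime_to_webkit(SAMPLE_ALERT_TIME - timedelta(minutes=8))
    old_start = datetime_to_webkit(SAMPLE_ALERT_TIME - timedelta(days=90))
    con.executemany("INSERT INTO downloads VALUES (?, ?, ?, ?)", [
        (1, r"C:\Users\mgr\Downloads\tor-browser-portable.exe", tor_start,
         "https://www.torproject.org/download/"),
        (2, r"C:\Users\mgr\Downloads\report.pdf", old_start,
         "https://intranet.example/reports"),
    ])
    con.executemany("INSERT INTO downloads_url_chains VALUES (?, ?, ?)", [
        (1, 0, "https://dist.torproject.org/torbrowser/tor-browser-portable.exe"),
        (2, 0, "https://intranet.example/reports/report.pdf"),
    ])
    return con


def query_downloads(con: sqlite3.Connection) -> list:
    """Every download with its full URL chain (redirects), oldest first.
    The downloads table survives 'clear browsing history' unless the user also
    ticks 'download history', which is why it was still there in the incident."""
    rows = con.execute("""
        SELECT d.id, d.target_path, d.start_time, d.tab_url, c.chain_index, c.url
        FROM downloads d JOIN downloads_url_chains c ON c.id = d.id
        ORDER BY d.start_time, c.chain_index""").fetchall()
    records = {}
    for did, path, start, tab_url, _idx, url in rows:
        rec = records.setdefault(did, {"id": did, "path": path,
                                       "start": webkit_to_datetime(start),
                                       "tab_url": tab_url, "chain": []})
        rec["chain"].append(url)
    return list(records.values())


def flag_downloads(records: list, alert_time: datetime,
                   window: timedelta = timedelta(minutes=30)) -> list:
    """Downloads touching a watchlisted host, tagged with whether they started
    within `window` before the alert (the download-then-alert pattern seen here)."""
    hits = []
    for rec in records:
        urls = rec["chain"] + [rec["tab_url"] or ""]
        hosts = {urlparse(u).hostname or "" for u in urls}
        matched = sorted(hosts & WATCHLIST)
        if matched:
            lead = alert_time - rec["start"]
            hits.append({**rec, "matched": matched,
                         "before_alert": timedelta(0) <= lead <= window})
    return hits


if __name__ == "__main__":
    for hit in flag_downloads(query_downloads(build_sample_db()), SAMPLE_ALERT_TIME):
        print(hit["start"].isoformat(), hit["path"], hit["matched"], hit["before_alert"])
```

The join on downloads_url_chains matters: a redirect chain records every URL the download passed through, so a watchlisted host shows up even when the final URL or the tab URL points somewhere else.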
- How can this be identified?
- How can organizations enhance endpoint security against unauthorized or portable software?
- How should organizations balance trust in employees with verifying activities that pose security risks?
- What limits do automated systems face in detecting sophisticated attempts to bypass security, like using portable applications?
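On the network side, one answer to "how can this be identified?" is to stop treating each allowed-anonymizer alert in isolation and instead correlate them per user and destination over days, the way the repeated alerts in this incident eventually stood out. The block below is an added example, not code from the original post or from Zscaler. The log format is a constructed CSV, not Zscaler's NSS feed; the category name "Anonymizer" is assumed to be the proxy's URL category for Tor-style tools; all users, IPs and hosts are made up except dist.torproject.org and 192.95.36.142, which are the host and IP named in the alerts above.

```python
"""Proxy-log triage for allowed anonymizer traffic, with repeat-day escalation.

Added example, not code from the original post. Log lines, users, IPs
(RFC 5737/5737-style ranges) and the "Anonymizer" category are constructed.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

ANON_CATEGORIES = {"Anonymizer"}          # assumed proxy URL-category name
WATCHED_HOSTS = {"dist.torproject.org", "www.torproject.org"}
REPEAT_DAYS = 2   # escalate once the same user hits the same destination on this many days

# Constructed sample log. The first line shows the download site being
# categorised as something harmless, which is why a host watchlist is needed
# on top of the category match.
SAMPLE_LOG = """time,user,src_ip,dst_ip,host,category,action
2024-05-06T09:05:41Z,mgr.user@corp.example,10.20.30.40,203.0.113.20,dist.torproject.org,Technology,Allowed
2024-05-06T09:12:01Z,mgr.user@corp.example,10.20.30.40,192.95.36.142,192.95.36.142,Anonymizer,Allowed
2024-05-06T11:40:00Z,mgr.user@corp.example,10.20.30.40,203.0.113.50,grammarly.example,Productivity,Blocked
2024-05-07T08:55:32Z,mgr.user@corp.example,10.20.30.40,192.95.36.142,192.95.36.142,Anonymizer,Allowed
2024-05-08T09:01:12Z,mgr.user@corp.example,10.20.30.40,192.95.36.142,192.95.36.142,Anonymizer,Allowed
2024-05-07T10:02:15Z,dev.user@corp.example,10.20.30.41,198.51.100.9,198.51.100.9,Anonymizer,Blocked
2024-05-07T10:05:00Z,ops.user@corp.example,10.20.30.42,198.51.100.80,www.example.com,Business,Allowed
"""


def parse_log(text: str) -> list:
    return list(csv.DictReader(StringIO(text)))


def reasons(row: dict) -> list:
    """Why a row is interesting. 'direct-ip' notes that the 'host' is a bare IP:
    Tor clients reach relays by IP with no hostname, which is exactly the shape
    of the alert in the post (external domain equal to the IP)."""
    why = []
    if row["category"] in ANON_CATEGORIES:
        why.append("category")
    if row["host"] in WATCHED_HOSTS:
        why.append("watched-host")
    if why and row["host"] == row["dst_ip"]:
        why.append("direct-ip")
    return why


def allowed_anonymizer_events(rows: list) -> list:
    """Only traffic the proxy let through; blocked rows are already handled."""
    events = []
    for row in rows:
        why = reasons(row)
        if why and row["action"] == "Allowed":
            events.append({**row, "reasons": why})
    return events


def escalations(rows: list, repeat_days: int = REPEAT_DAYS) -> dict:
    """(user, dst_ip) -> sorted ISO days on which the pair was seen, kept only
    when it recurs on at least `repeat_days` distinct days. This turns the
    'same alert again the next day' observation into a rule."""
    days = defaultdict(set)
    for ev in allowed_anonymizer_events(rows):
        day = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ").date()
        days[(ev["user"], ev["dst_ip"])].add(day)
    return {key: sorted(d.isoformat() for d in seen)
            for key, seen in days.items() if len(seen) >= repeat_days}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for ev in allowed_anonymizer_events(rows):
        print(ev["time"], ev["user"], ev["host"], ev["reasons"])
    for (user, ip), seen in escalations(rows).items():
        print("ESCALATE", user, ip, seen)
```

A clean reputation lookup on the destination IP, as happened in this incident, is the expected result here: a Tor relay or a project's download server is not "malicious" in the threat-intel sense, so the decision has to come from the organisation's policy on anonymizers and from the repeat pattern, not from the IP's reputation.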
All of this puts a lot of pressure on organisations to scrutinise employees and apply zero-trust policy everywhere, which upsets the balance between confidentiality, integrity, availability and user experience.
A few things to take away from this article, on the idea of someone targeting an internal employee:
Types of threats a terrorist might use on an employee:
- Physical Violence: Threatening physical harm to the employee or their family.
- Blackmail: Using sensitive personal information to force compliance.
- Cyber Threats: Threatening to expose or misuse the employee’s digital information.
- Financial Offer: Offering money in exchange for causing harm.
- Reputation Damage: Threatening to damage the employee’s professional or personal reputation.
- Emotional Manipulation: Exploiting personal vulnerabilities or emotional ties.
Actions an employee might take out of fear, to assist terrorists:
- Sharing Credentials: Providing their login credentials to terrorists to grant access to internal systems.
- Installing Backdoor Software: Installing malware or backdoor programs on company devices to allow remote access.
- Disabling Security Protocols: Turning off or bypassing security measures such as firewalls and antivirus software.
- Exfiltrating Data: Downloading and transferring sensitive data to external storage or directly to the terrorists.
- Granting Unauthorized Access: Creating unauthorized accounts or elevating privileges for terrorist-controlled accounts.
- Manipulating Logs: Deleting or altering security logs to cover up malicious activities.
- Providing Network Topology: Sharing detailed network diagrams and configurations to help terrorists navigate the network.
- Installing Keyloggers: Setting up keyloggers to capture credentials and sensitive information from other employees.
- Manipulating System Updates: Altering system update settings to prevent patches that could close vulnerabilities exploited by the terrorists.
- Disabling Alerts: Turning off or configuring security alerts to prevent detection of the terrorists’ activities.
Actions an employee might take to counter the terrorists' actions:
- Report to Authorities: Informing law enforcement or security agencies about the threats.
- Inform Employer: Alerting their organization’s security team or higher management.
- Seek Protection: Requesting personal or family protection from law enforcement.
- Follow Security Protocols: Adhering to company protocols for such incidents.
- Refuse Compliance: Not yielding to terrorist demands despite the threats.
- Provide Limited Information: Giving misleading or incomplete information to buy time.
- Install Backdoor Software: Unwillingly complying by installing malware or sharing vulnerabilities.
- Internal Sabotage: Misleading the terrorists by compromising the backdoor or the information they receive.
- Engage in Disinformation: Providing false information to mislead the terrorists.
- Seek Psychological Support: Obtaining counselling to handle the stress and fear induced by the threats.