How attackers target security blind spots: Three real-life lessons from the SOC
Imagine you're a security analyst in the security operations center (SOC) of a global extended detection and response (XDR) service, providing the first line of defense for multiple organisations. Every day, you're bombarded with alarms and events, piecing together for each organisation the puzzle of potential threats across their network and endpoints, cloud assets, applications, email, and servers. What happens when one or more of the puzzle pieces are missing?
Three real-life cyberattacks seen by Barracuda XDR's SOC highlight what can happen to a company when their digital security cover is incomplete.
Incident #1: Ransomware attack on an IT company
The security blind spots: incomplete device protection, weak authentication, and no connected security visibility for the SOC
The threat actor used compromised VPN credentials for the initial breach and exploited a zero-day vulnerability to establish a foothold. The attacker then moved laterally across the network, compromising servers, escalating privileges, manipulating admin accounts and groups, and setting up unauthorised communication channels with a malicious command-and-control (C&C) server.
The lack of robust security measures across multiple layers of the network infrastructure allowed the attacker to exploit various vulnerabilities, resulting in significant damage and compromise to the network.
During the attack, the threat actor leveraged a variety of tools to exploit the security blind spots, compromise systems, execute malicious activities, and evade detection. These included tools for remote control, for establishing a persistent network connection, for lateral movement, and for data exfiltration.
Like many other threat actors, the attacker turned to commercially available IT tools that, if detected in isolation, would not immediately arouse suspicion. In an attacker's hands, these tools are used to download malicious payloads or scripts remotely, or to scan networks for open ports, running services, and other attributes that can be used for further exploitation or to find additional targets.
The ransomware attack, which also included data exfiltration, resulted in operational disruption, leading to a halt in services and the likelihood of significant financial losses. The data theft compounded the damage with the loss of intellectual property, customer data, and compliance violations.
Incident #2: A data breach in a manufacturing company
The security blind spots: security misconfigurations, lack of robust authentication, and an accessible backup
In this attack, the threat actor used a common brute-forcing tool to guess the password of a VPN account, then used those compromised credentials to gain unauthorised entry to a remote desktop protocol (RDP) server.
The attackers took full advantage of security misconfigurations, such as the improper exclusion of essential system directories from security scanning. These critical oversights resulted in over 100 devices being compromised, causing significant disruption to the victim's ERP system. The threat actor also deleted the organisation's backup data.
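The pattern in this incident, a password-guessing burst against a VPN account that ends in a success and is followed by an RDP logon with the same account, is straightforward to detect when VPN and RDP authentication records land in the same place. The following is an added example, not Barracuda's detection logic; the authentication records are constructed for illustration, and the field names (ts, service, user, src_ip, outcome, host) and the thresholds are assumptions:

```python
"""Brute-forced VPN account followed by an RDP logon: detection over constructed
authentication records (added example, not Barracuda's code).

Assumptions: each record is a dict with ts (ISO 8601), service ("vpn" or "rdp"),
user, src_ip, outcome ("success"/"failure") and, for RDP, the target host.
"""
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                     # failures from one (user, source) before we care
FAIL_WINDOW = timedelta(minutes=10)    # failures must be this close to the success
FOLLOW_ON_WINDOW = timedelta(hours=2)  # how long after the VPN success to watch RDP


def rec(ts, service, user, src_ip, outcome, host=None):
    """Build one constructed authentication record."""
    return {"ts": datetime.fromisoformat(ts), "service": service, "user": user,
            "src_ip": src_ip, "outcome": outcome, "host": host}


# Constructed sample: a guessing burst against svc_backup that eventually succeeds,
# a legitimate user mistyping a password twice, and an RDP logon 45 minutes later.
SAMPLE_EVENTS = [
    rec("2024-03-01T02:00:00", "vpn", "svc_backup", "203.0.113.7", "failure"),
    rec("2024-03-01T02:01:00", "vpn", "svc_backup", "203.0.113.7", "failure"),
    rec("2024-03-01T02:02:00", "vpn", "svc_backup", "203.0.113.7", "failure"),
    rec("2024-03-01T02:03:00", "vpn", "svc_backup", "203.0.113.7", "failure"),
    rec("2024-03-01T02:04:00", "vpn", "svc_backup", "203.0.113.7", "failure"),
    rec("2024-03-01T02:05:00", "vpn", "svc_backup", "203.0.113.7", "failure"),
    rec("2024-03-01T02:06:00", "vpn", "svc_backup", "203.0.113.7", "success"),
    rec("2024-03-01T02:51:00", "rdp", "svc_backup", "10.0.0.23", "success", host="ERP-APP01"),
    rec("2024-03-01T08:00:00", "vpn", "j.smith", "198.51.100.4", "failure"),
    rec("2024-03-01T08:01:00", "vpn", "j.smith", "198.51.100.4", "failure"),
    rec("2024-03-01T08:02:00", "vpn", "j.smith", "198.51.100.4", "success"),
    rec("2024-03-01T08:30:00", "rdp", "j.smith", "10.0.0.41", "success", host="FS01"),
]


def detect_bruteforce_then_success(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Flag a VPN success preceded by >= threshold failures for the same user
    from the same source inside `window`. Any success resets the failure count,
    so later legitimate logons are judged on their own."""
    failures = {}   # (user, src_ip) -> timestamps of failures since the last success
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["service"] != "vpn":
            continue
        key = (e["user"], e["src_ip"])
        if e["outcome"] == "failure":
            failures.setdefault(key, []).append(e["ts"])
            continue
        if e["outcome"] != "success":
            continue
        recent = [t for t in failures.pop(key, []) if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"user": e["user"], "src_ip": e["src_ip"],
                           "failures": len(recent), "success_ts": e["ts"]})
    return alerts


def follow_on_rdp_logons(events, alerts, window=FOLLOW_ON_WINDOW):
    """Pair each brute-force alert with RDP logons by that account inside `window`:
    the hand-off from VPN to RDP is the step that reached the server in this incident."""
    hits = []
    for a in alerts:
        for e in events:
            delta = e["ts"] - a["success_ts"]
            if (e["service"] == "rdp" and e["user"] == a["user"]
                    and e["outcome"] == "success"
                    and timedelta(0) <= delta <= window):
                hits.append({"user": e["user"], "host": e["host"], "src_ip": e["src_ip"],
                             "minutes_after_vpn": delta.total_seconds() / 60})
    return hits


if __name__ == "__main__":
    found = detect_bruteforce_then_success(SAMPLE_EVENTS)
    for a in found:
        print(f"brute force: {a['user']} from {a['src_ip']} "
              f"({a['failures']} failures) succeeded at {a['success_ts']}")
    for h in follow_on_rdp_logons(SAMPLE_EVENTS, found):
        print(f"  followed by RDP to {h['host']} {h['minutes_after_vpn']:.0f} min later")
```

The failure count is keyed on user and source together so that a spray from many sources against one account is not hidden, and it resets on success so the rule measures the burst immediately before the compromise rather than a day's accumulated typos.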
As in the first incident, the threat actor employed a variety of tools to compromise the system, perform brute-force attacks, extract passwords, check for security vulnerabilities, and assist in lateral movement and remote code execution.
The security breach significantly disrupted the company's operations, leading to major financial losses. The network compromise halted production activities, derailing the manufacturing schedules. Further, the loss of backup data prolonged the downtime and recovery process. It took the company more than two months to resume full operations.
Incident #3: Data exfiltration at a retailer
The security blind spots: publicly exposed assets, weak authentication, and no connected security visibility
A security oversight left a critical server with its remote desktop protocol (RDP) exposed to the public internet. The threat actor seized upon the open RDP channel to infiltrate the network, targeting the domain controllers (DCs), where they created and subsequently deleted accounts to obscure their tracks.
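Both halves of this incident leave standard Windows Security events behind: the RDP logon from the internet is a 4624 with logon type 10 (RemoteInteractive) and a non-private source address, and the create-then-delete of accounts on the domain controllers is a 4720 followed shortly by a 4726 for the same account. The following is an added example, not Barracuda's code; the event records are constructed, and the field names and the 24-hour "short-lived" window are assumptions:

```python
"""Exposed RDP and short-lived accounts on a domain controller: detection over
constructed Windows Security events (added example, not Barracuda's code).

Assumptions: events are dicts keyed by ts, event_id, host, subject_user (who acted),
target_user (the account acted on), src_ip and logon_type. Event IDs are the standard
Windows ones: 4624 logon, 4720 account created, 4726 account deleted; logon type 10
is RemoteInteractive (RDP).
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
SHORT_LIVED = timedelta(hours=24)   # create-then-delete inside this window is suspicious
RDP_LOGON_TYPE = 10


def ev(ts, event_id, host, subject_user, target_user=None, src_ip=None, logon_type=None):
    """Build one constructed Security event record."""
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id, "host": host,
            "subject_user": subject_user, "target_user": target_user,
            "src_ip": src_ip, "logon_type": logon_type}


# Constructed sample: an administrator logon over RDP from an internet address,
# an account created on the DC and deleted a few hours later, plus benign noise.
SAMPLE_EVENTS = [
    ev("2024-05-12T01:10:00", 4624, "SRV-FILE01", "administrator", src_ip="203.0.113.7", logon_type=10),
    ev("2024-05-12T01:20:00", 4720, "DC01", "administrator", target_user="svc_update"),
    ev("2024-05-12T01:25:00", 4624, "DC01", "svc_update", src_ip="10.0.5.12", logon_type=10),
    ev("2024-05-12T04:40:00", 4726, "DC01", "administrator", target_user="svc_update"),
    ev("2024-05-12T09:00:00", 4720, "DC01", "hr.admin", target_user="new.hire"),
    ev("2024-05-12T09:30:00", 4624, "SRV-FILE01", "new.hire", src_ip="192.168.20.15", logon_type=10),
]


def is_external(src_ip):
    """True when the source is outside the RFC 1918 ranges and not loopback.
    Unparseable sources (Windows logs "-" for local logons) count as internal."""
    try:
        addr = ip_address(src_ip)
    except (ValueError, TypeError):
        return False
    return not (addr.is_loopback or any(addr in net for net in INTERNAL_NETS))


def external_rdp_logons(events):
    """RDP logons (4624, type 10) whose source is an internet address. On a server
    that should never accept RDP from outside, a single hit is the exposure itself."""
    return [{"ts": e["ts"], "host": e["host"], "user": e["subject_user"], "src_ip": e["src_ip"]}
            for e in events
            if e["event_id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE
            and is_external(e["src_ip"])]


def short_lived_accounts(events, max_age=SHORT_LIVED):
    """Pair each 4720 with the next 4726 for the same account on the same host and
    return those deleted within max_age of creation, with who created and deleted them."""
    created = {}   # (host, target_user) -> (created_ts, created_by)
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e["target_user"])
        if e["event_id"] == 4720:
            created[key] = (e["ts"], e["subject_user"])
        elif e["event_id"] == 4726 and key in created:
            created_ts, created_by = created.pop(key)
            age = e["ts"] - created_ts
            if age <= max_age:
                findings.append({"host": e["host"], "account": e["target_user"],
                                 "created_by": created_by, "deleted_by": e["subject_user"],
                                 "lifetime_hours": age.total_seconds() / 3600})
    return findings


if __name__ == "__main__":
    for r in external_rdp_logons(SAMPLE_EVENTS):
        print(f"RDP from internet: {r['user']}@{r['host']} from {r['src_ip']} at {r['ts']}")
    for f in short_lived_accounts(SAMPLE_EVENTS):
        print(f"short-lived account {f['account']} on {f['host']}: created by "
              f"{f['created_by']}, deleted by {f['deleted_by']} after {f['lifetime_hours']:.1f} h")
```

Deleting the account removes it from the directory but not from the event log, which is why pairing 4720 with 4726 recovers the "created and subsequently deleted" step even after the attacker has tidied up; the account name in the 4726 is also the pivot for finding what that account did in between.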
This level of access enabled the threat actor to compromise the integrity and confidentiality of the network. The threat actor then exfiltrated sensitive data from the file servers and sold the stolen information on the dark web.
The attackers leveraged a common threat emulation tool that can be used to maintain persistence, escalate privileges, move laterally, and exfiltrate data. This was supplemented with password cracking tools, as well as tools that would have helped the attackers to better understand and map the victim's environment for further exploitation.
The fallout from the breach centred on the theft and exposure of sensitive data on the dark web. The critical file servers compromised during the attack contained valuable intellectual property and sensitive customer information, the unauthorised disclosure of which led to reputational damage and undermined client trust.
Conclusion: The critical need for full-spectrum security
These incidents are a stark reminder that incomplete security measures can leave organisations vulnerable to attacks that could have far-reaching consequences, both financially and reputationally. Further, a lack of security visibility across the environment means that suspicious activity is harder to spot and correlate with other activity.
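The point made in the first incident, that commercially available IT tools do not arouse suspicion in isolation, and the point made here, that without visibility across the environment suspicious activity is hard to correlate, are the same point seen from two sides. One way to act on it is to give each sensor's low-confidence signal a weight and alert only when the weighted signals on one host add up within a short window. The following is an added example, not Barracuda's detection logic; the signals are constructed, and the signal names, weights, threshold and window are assumptions chosen for illustration:

```python
"""Cross-source correlation of dual-use tool activity (added example, not
Barracuda's code). Events are constructed; signal names, weights and the
threshold are assumptions.

Each sensor emits a low-confidence signal for one host. Alone, none crosses the
alert threshold; together inside one hour on the same host, they do.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Weight of each signal on its own. A remote-admin tool or a port scan is
# routine IT work on some hosts; a new outbound beacon is more unusual.
WEIGHTS = {"remote_admin_tool": 2, "port_scan": 2,
           "new_outbound_beacon": 3, "admin_group_change": 3}
ALERT_THRESHOLD = 5
WINDOW = timedelta(hours=1)


def sig(ts, source, host, signal, detail):
    """Build one constructed signal as a sensor would report it."""
    return {"ts": datetime.fromisoformat(ts), "source": source, "host": host,
            "signal": signal, "detail": detail}


# Constructed sample: WS-IT-07 shows the chain from the first incident (remote
# control tool, network scan, new beacon); WS-HR-02 and DC01 show benign-looking
# singletons that should not alert.
SAMPLE_SIGNALS = [
    sig("2024-07-03T10:00:00", "endpoint", "WS-IT-07", "remote_admin_tool", "remote control client installed"),
    sig("2024-07-03T10:20:00", "network", "WS-IT-07", "port_scan", "SYN to 240 hosts on tcp/445,3389"),
    sig("2024-07-03T10:35:00", "network", "WS-IT-07", "new_outbound_beacon", "periodic tcp/443 to unseen IP"),
    sig("2024-07-03T11:00:00", "endpoint", "WS-HR-02", "remote_admin_tool", "remote control client installed"),
    sig("2024-07-03T09:00:00", "network", "DC01", "port_scan", "scheduled vulnerability scan"),
    sig("2024-07-03T15:00:00", "identity", "DC01", "admin_group_change", "user added to Domain Admins"),
]


def correlate(events, weights=WEIGHTS, threshold=ALERT_THRESHOLD, window=WINDOW):
    """Slide a window over each host's signals; distinct signal types in the window
    are summed (a tool launched fifty times still counts once). Return, per host,
    the highest-scoring window that reaches the threshold."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for start in evs:
            in_window = [e for e in evs if start["ts"] <= e["ts"] <= start["ts"] + window]
            signals = {e["signal"] for e in in_window}
            score = sum(weights.get(s, 0) for s in signals)
            if score >= threshold and (best is None or score > best["score"]):
                best = {"score": score, "signals": sorted(signals),
                        "sources": sorted({e["source"] for e in in_window}),
                        "first_seen": in_window[0]["ts"], "last_seen": in_window[-1]["ts"]}
        if best is not None:
            alerts[host] = best
    return alerts


if __name__ == "__main__":
    for host, a in correlate(SAMPLE_SIGNALS).items():
        print(f"{host}: score {a['score']} from {a['sources']} "
              f"({', '.join(a['signals'])}) between {a['first_seen']} and {a['last_seen']}")
```

If only the endpoint sensor is connected, WS-IT-07 looks exactly like WS-HR-02: one remote-control tool installed, which is below the threshold. The network signals are what lift it over, and the DC01 case shows why the window matters: a scan in the morning and a group change in the afternoon are two unrelated events, not one chain.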
The integration of network, endpoint, server, cloud, and email security through XDR enables an unprecedented level of threat detection and response capability. This is possible because of the data: events from every source are collected in one place, where they can be correlated. With a comprehensive XDR solution, every corner of the IT infrastructure, from email to cloud applications, is monitored and protected with advanced security measures: a full spectrum of defensive tools combined with proactive threat hunting and response strategies. This allows for swift action and minimises the window of opportunity for threat actors.