Cybersecurity Firm Dragos Discloses Cybersecurity Incident, Extortion Attempt

Cyber Security Threat Summary:
“Industrial cybersecurity company Dragos today disclosed what it describes as a "cybersecurity event" after a known cybercrime gang attempted to breach its defenses and infiltrate the internal network to encrypt devices. While Dragos states that the threat actors did not breach its network or cybersecurity platform, they got access to the company's SharePoint cloud service and contract management system” (Bleeping Computer, 2023). "On May 8, 2023, a known cybercriminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform," the company said.

The threat actors compromised the personal email account of a new sales employee before that employee's start date. They used that access to impersonate the employee and complete the Dragos onboarding process. The actor eventually gained access to Dragos’ SharePoint platform, downloaded “general use data,” and accessed around 25 intel reports that were restricted to Dragos’ customers.

According to Dragos, “During the 16 hours they had access to the employee's account, the threat actors failed to also access multiple Dragos systems—including its messaging, IT helpdesk, financial, request for proposal (RFP), employee recognition, and marketing systems—due to role-based access control (RBAC) rules.”
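The RBAC rules described above are the control that turned a fully onboarded but compromised account into a contained event. The following is an added illustration of that principle, not Dragos' own code or policy: a deny-by-default role check in which a newly onboarded sales account is granted only the systems its role lists, and every other request (including one from an unknown role) is refused. The role names, the assignment of systems to roles, and the access attempts are constructed for the example; the system names are the ones the write-up mentions.

```python
"""Deny-by-default role-based access check.

Added example modelling the RBAC control described in the Dragos write-up.
The role layout, role names and the sample access attempts are assumptions
constructed for illustration; only the system names come from the write-up.
"""

from dataclasses import dataclass

# Role -> set of systems that role may reach.  Anything not listed is denied,
# so a compromised account can reach at most what its role explicitly grants.
ROLE_PERMISSIONS = {
    "new_hire_sales": {"sharepoint", "contract_management"},
    "sales": {"sharepoint", "contract_management", "rfp", "messaging", "marketing"},
    "finance": {"sharepoint", "financial", "messaging"},
    "it_helpdesk": {"sharepoint", "it_helpdesk", "messaging"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    system: str


def is_allowed(req: AccessRequest) -> bool:
    """True only if the role explicitly grants the system; unknown roles get nothing."""
    return req.system in ROLE_PERMISSIONS.get(req.role, set())


def evaluate(requests):
    """Evaluate a batch of requests and return (allowed, denied) lists of system names."""
    allowed, denied = [], []
    for req in requests:
        (allowed if is_allowed(req) else denied).append(req.system)
    return allowed, denied


# Constructed: what a compromised new-hire account tries to reach on its first day.
ATTEMPTS = [
    AccessRequest("new.hire", "new_hire_sales", system)
    for system in (
        "sharepoint", "contract_management", "messaging", "it_helpdesk",
        "financial", "rfp", "employee_recognition", "marketing",
    )
]

if __name__ == "__main__":
    allowed, denied = evaluate(ATTEMPTS)
    print("allowed:", allowed)
    print("denied :", denied)
```

The point of the deny-by-default shape is that adding a new internal system never widens an existing role by accident; a role has to be edited before its members can reach the new system.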

Security Officer Comments:
The threat actor was ultimately thwarted by security processes and was unable to breach the company's internal network. Pivoting from their original plan, the threat actor instead sent an extortion email to Dragos executives 11 hours into the attack. After receiving the extortion message, Dragos disabled the compromised user account, revoked all active sessions, and blocked the cybercriminals' infrastructure from accessing company resources. "We are confident that our layered security controls prevented the threat actor from accomplishing what we believe to be their primary objective of launching ransomware," Dragos said. "They were also prevented from accomplishing lateral movement, escalating privileges, establishing persistent access, or making any changes to the infrastructure."

In their extortion message, the threat actor threatened to publicly disclose the incident in an email message to public contacts and personal emails belonging to Dragos executives, senior employees, and their family members. "While the external incident response firm and Dragos analysts feel the event is contained, this is an ongoing investigation. The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable," Dragos said.

Full details are shared in Dragos’ blog. “One of the IP addresses listed in the IOCs, 144.202.42[.]216, was previously spotted hosting SystemBC malware and Cobalt Strike, both commonly used by ransomware gangs for remote access to compromised systems.” SystemBC has been used by various ransomware gangs including Conti, ViceSociety, BlackCat, Quantum, Zeppelin, Play, and most recently BlackBasta.
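Two things a defender would want to check after reading the above are whether the listed IOC appears in their own logs and whether a freshly onboarded account is pulling down documents in bulk. The block below is an added example, not code from Dragos or BleepingComputer: it refangs the defanged IP from the page, scans constructed audit log lines for it, and separately flags any account younger than a configurable number of days that exceeds a download threshold. The log line format, the account-creation dates, the threshold values and every log entry are assumptions constructed for the example; only the IP address is from the page.

```python
"""IOC matching and new-account bulk-download detection over audit logs.

Added example; the log format ("<iso-ts> user=<u> src=<ip> action=<a>"),
the account metadata, the thresholds and the sample lines are all
constructed for illustration.  The IOC IP is the one quoted in the write-up.
"""

import re
from collections import Counter
from datetime import datetime, timedelta

# IOC exactly as published (defanged); refanged before matching.
DEFANGED_IOCS = ["144.202.42[.]216"]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)$"
)


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 or hxxp:// back into plain form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_line(line: str):
    """Parse one constructed audit line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def find_ioc_hits(lines, iocs=DEFANGED_IOCS):
    """Return (user, src) pairs for every line whose source matches a refanged IOC."""
    plain = {refang(i) for i in iocs}
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["src"] in plain:
            hits.append((ev["user"], ev["src"]))
    return hits


def find_new_account_bulk_downloads(lines, account_created, max_age_days=7, threshold=10):
    """Return users whose account is at most max_age_days old at event time and who
    performed more than `threshold` download actions in the log window."""
    downloads = Counter()
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["action"] != "download":
            continue
        created = account_created.get(ev["user"])
        if created is None:
            continue  # unknown account: out of scope for this rule
        if ev["ts"] - created <= timedelta(days=max_age_days):
            downloads[ev["user"]] += 1
    return sorted(user for user, n in downloads.items() if n > threshold)


# Constructed account metadata: one long-standing user, one onboarded the day before.
ACCOUNT_CREATED = {
    "j.doe": datetime(2022, 1, 10),
    "new.hire": datetime(2023, 5, 7),
}

# Constructed log lines: the new account logs in from the IOC address and
# downloads twelve files; the established user downloads three from inside.
SAMPLE_LOG = (
    ["2023-05-08T09:00:00 user=new.hire src=144.202.42.216 action=login"]
    + [f"2023-05-08T09:{i:02d}:00 user=new.hire src=144.202.42.216 action=download"
       for i in range(1, 13)]
    + [f"2023-05-08T10:{i:02d}:00 user=j.doe src=10.0.0.5 action=download"
       for i in range(3)]
    + ["this line is not in the expected format"]
)

if __name__ == "__main__":
    for user, src in find_ioc_hits(SAMPLE_LOG):
        print(f"IOC hit: {user} from {src}")
    print("bulk downloads by new accounts:",
          find_new_account_bulk_downloads(SAMPLE_LOG, ACCOUNT_CREATED))
```

The account-age rule is the more durable of the two: IOC addresses rotate quickly, whereas "account created days ago, now downloading dozens of restricted reports" describes the shape of this incident regardless of which infrastructure is used.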

Suggested Corrections:
This attack highlights a very targeted social engineering campaign against Dragos. Business email compromise can be hard to defend against, even with proper phishing training and security mechanisms in place. In this case, a personal email account belonging to a new employee was compromised and used to complete the employee onboarding process. How the threat actors compromised this new employee and learned of their recent job offer remains to be seen. In general, phishing best practices should be followed to avoid incidents like this. An additional onboarding check, such as verifying the new hire's identity over a video call with the employee holding up their driver's license, could possibly have helped, but that recommendation comes in hindsight. Dragos’ security practices appear to have thwarted what could have been a much more serious event.

  • do not open emails or download software from untrusted sources
  • do not click on links or attachments in emails that come from unknown senders
  • do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
  • always verify the email sender's email address, name, and domain
  • backup important files frequently and store them separately from the main system
  • protect devices using antivirus, anti-spam and anti-spyware software
  • report phishing emails to the appropriate security or IT staff immediately

    Link(s):
    https://www.bleepingcomputer.com/
    https://www.dragos.com/blog/deconstructing-a-cybersecurity-event/