The security team blocked the Samsung device, then spent a day investigating how the intruder had gotten into the network. They soon realized the issue transcended a single employee’s account. The attackers had pulled off a Golden SAML attack, a sophisticated technique for hijacking a company’s employee authentication system. They could seize control of a worker’s accounts, grant those accounts more privileges, even create new accounts with unlimited access. With this power, there was no telling how deep they had burrowed into the network. On November 17, Scott Runnels and Eric Scales, senior members of Mandiant’s consulting division, quietly pulled together a top-tier investigative team of about 10, grabbing people from other projects without telling managers why, or even when the employees would return. Uncertain what the hunt would uncover, Runnels and Scales needed to control who knew about it. The group quickly realized that the hackers had been active for weeks but had evaded detection by “living off the land”: subverting administration tools already on the network to do their dirty deeds rather than bringing in their own. They also tried to avoid creating the patterns, in activity logs and elsewhere, that investigators usually look for. Many of the highest-profile hacks of the past two decades have been investigated by Mandia’s firm, which he launched in 2004. Acquired by FireEye in 2013, and again last year by Google, the company has threat hunters working on more than 1,000 cases annually, which have included breaches at Google, Sony, Colonial Pipeline, and others. In all that time, Mandiant itself had never suffered a serious hack. The intruders, Mandia learned, had swiped tools his company uses to find vulnerabilities in its clients’ networks. They had also viewed sensitive information identifying its government customers.
Adair and his colleagues dubbed the second gang of thieves “Dark Halo” and booted them from the network. As it turned out, the hackers had planted a backdoor on the network three years earlier: malicious code that opened a secret portal, allowing them to enter or communicate with infected machines. Now, for the first time, they were using it. “We shut down one door, and they quickly went to the other,” Adair says. His team spent a week kicking the attackers out again and getting rid of the backdoor. But in late June 2020, the hackers somehow returned. And they were back to grabbing email from the same accounts. The investigators spent days trying to figure out how they had slipped back in. Volexity zeroed in on one of the think tank’s servers, a machine running a piece of software that helped the organization’s system admins manage their computer network. That software was made by a company that was well known to IT teams around the world, but likely to draw blank stares from pretty much everyone else: an Austin, Texas, firm called SolarWinds.