Situation
NCC Group was contacted by a customer who had
observed several servers that had been powered off and a member of staff was also unable to log in with their user account. An initial meeting was held where objectives were set, and it was agreed that NCC Group would provide an EDR solution to help with not only the containment but also to allow the remote collection of forensic triage data.
NCC Group was able to attribute this activity to a group known as Lapsus$ due to having previously encountered the actor in other investigations. Therefore, we had a good understanding of their Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs).
At a Glance
Organization: Higher Education Institution
Industry: Education
Challenge: Criminal threat actor with established high-privilege foothold combined with unavailable evidence.
Solution: NCC Group enabled the client to increase their visibility in the environment while tracking the threat actor’s activity to achieve a successful eradication outcome.
Results: The threat actor was successfully removed from the environment, swiftly returning it to an operational state and improving security posture. Additional recommendations were made to further fortify the environment, as well as additional reports to satisfy any enquiring authorities.
Challenge
Unfortunately, the user who was unable to log in had already been given a replacement laptop, and the old
one was wiped before the investigation took place. Therefore, a valuable piece of the puzzle was missing before the
investigation had begun. It was noted that the threat actor was using the account of the user which made it possible to track activity to further hosts on the network.
Initial access was gained by obtaining a legitimate set of credentials. It is unclear how this threat actor was able to gain access to these credentials, but based on internal research, there were several ways that they were known to obtain credentials by- including phishing and social engineering.
Solution
NCC Group was able to attribute this activity to a group known as Lapsus$ due to having previously encountered them in other investigations. Based on that threat intelligence, we had a good understanding of their TTPs and IOCs, which we used in this investigation and solution.
With access to a legitimate account, the threat actor slipped into the network via VPN. After VPN logs were obtained and analyzed, an unknown user was identified, connecting from a questionable hosting provider that didn’t match the usual activity of the user account.
The customer provided NCC Group with a provisionary account to access their Azure environment. Our experts analyzed activity logs and identified the lateral movement of the threat to gain additional privileges. From there, forensic triage data was pulled from each host compromised by the threat actor to build a clearer timeline of events and actions taken on each device.
After behavior analysis, NCC Group quickly moved to the eradication phase. By this point, there was a good understanding of access, and which accounts the threat actor had access to. In order to assist with possible post-containment activity, an Endpoint Detection and Response (EDR) solution was put in place.
Result
With everything in place, the customer blocked access via the VPN and Remote Desktop (RD) gateway, then reset passwords on all known compromised accounts. Soon after, failures began popping up on the RD gateway- the threat actor was frantically trying to return. However, continued EDR analysis found no evidence that they successfully regained access to the network.
At the end of the engagement, the client was supplied with a full written report that included detailed accounts of evidence, executive and technical summaries, and recommendations for security improvement.
NCC Group has since become a trusted advisor to the organization and continues to work together closely; we recently rolled out an Endpoint Detection and Response (EDR) capability across its entire estate.
Get started on your cyber security journey.
Our experts are ready to help you stay ahead in a constantly changing threat landscape. Contact us today to learn more about what NCC Group can do for your organization's unique cyber security needs.