Despite all preventive measures, cyber criminals repeatedly succeed in infiltrating companies' systems through novel methods. In such cases, a quick response is crucial to avoid further damage. PwC's Cyber Threat Operations team was confronted with such a case in September 2020, when the cybercrime organisation TA505 carried out a novel malware campaign.
Several clients of the Managed Cyber Defence (MCD) programme – a cybersecurity service of PwC – were exposed to this attack. In one case, the attackers managed to break through all preventive protection measures and compromise a target system. Thanks to automated security systems, the incident was quickly detected. A race against time began.
On 11 September at 11:28 a.m., a customer's early detection system sounded the alarm. A phishing email had managed to bypass all automated protection mechanisms, including the email filtering system, and landed on a company computer. The email looked trustworthy but contained a Word document with malicious macro code. One click was enough to compromise the system and open a gateway into the company's network for the attackers.
The criminal organisation TA505, which has been active since 2014, was responsible for the attack. Originally, the group primarily carried out malware attacks on behalf of third-party actors; later it also ran its own campaigns with self-developed malware. Since 2019, the group has been using a common ransomware scheme with the CL0P malware: it gains access to corporate networks, steals data, encrypts as many systems as possible and threatens to leak confidential data on a self-operated platform – unless the company pays a high ransom.
Knowledge of the attacker TA505 proved to be a decisive factor in recognising the malicious potential of the infiltrated email in good time. In the run-up to the attack, PwC's Cyber Threat Operations Team analysed the unique tactics, techniques and procedures characterising TA505 and created so-called indicators of compromise (IOCs). IOCs are specific forensic artefacts such as checksums of malware files or URLs. User and Entity Behaviour Analytics (UEBA) software uses these artefacts to register and report suspicious user behaviour. It immediately sounded the alarm when it recognised the "fingerprints" of TA505 during an automated scan.
There was no time to lose in the defensive response. Autonomously acting security systems and bots worked hand in hand with human experts. First, a bot analysed the data of the incident and compared it with all predefined indicators of compromise. The alarm was classified as critical. At 11:32 a.m. – just four minutes after the detected incident – an analyst from the MCD team examined the attack chain and the affected data. He confirmed the threat and isolated the affected system. The malicious code was moved to a cloud sandbox – a protected and isolated area where the malware could not cause any damage. The goal was to prevent the malware from spreading internally and to block possible data theft and further exploration of the system landscape. The client's security operations team was informed via a messaging solution and kept up to date in real time. By 11:35 a.m., the immediate threat was contained – seven minutes after the initial alert.
This short response time was only possible thanks to the automated security systems. They communicated the critical incident to the analysts of the MCD team – and in parallel processed 85 other warnings in the background, which were given lower priority. Already within the 24 hours before the incident, the systems independently processed 50 cases that turned out to be false alarms. The use of bots gives human cyber analysts the freedom to react quickly and prioritise between the critical and non-critical cases.
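The two preceding paragraphs describe the automated first step: matching incident telemetry against a prepared IOC set and ranking the resulting alerts so analysts see the critical ones first. The following Python is an added example, not code from PwC's MCD platform, and it makes several assumptions: a hypothetical IOC feed keyed by artefact type (file hash, URL, domain), a hypothetical JSON-lines telemetry schema (`file_sha256`, `url`, `domain` fields), constructed host names, and a constructed document byte string whose SHA-256 serves as the hash indicator. The severity rule (hash on disk outranks a fetched URL, which outranks a bare DNS lookup) is the example's own, not the page's.

```python
import hashlib
import json

# Constructed sample document bytes; the hash indicator below is derived from
# them so the example is self-consistent. Not real malware, not a real IOC.
SAMPLE_MALDOC = b"constructed sample document bytes, not real malware"
MALDOC_SHA256 = hashlib.sha256(SAMPLE_MALDOC).hexdigest()

# Hypothetical IOC feed keyed by artefact type (all values are constructed placeholders).
IOC_FEED = {
    "sha256": {MALDOC_SHA256: "maldoc (constructed placeholder)"},
    "url": {"http://invoice-portal.example/invoice_0911.doc": "delivery URL (constructed placeholder)"},
    "domain": {"invoice-portal.example": "delivery domain (constructed placeholder)"},
}

# Severity per artefact type: a hash match means the file is on the host, a URL
# match means it was fetched, a bare domain lookup is the weakest evidence.
SEVERITY_BY_TYPE = {"sha256": "critical", "url": "high", "domain": "medium"}
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "none": 0}

# Which telemetry field carries which artefact type (hypothetical schema).
FIELD_TO_TYPE = {"file_sha256": "sha256", "url": "url", "domain": "domain"}

# Constructed JSON-lines telemetry; hosts ws-042 and ws-017 are invented.
SAMPLE_TELEMETRY = "\n".join([
    json.dumps({"id": 1, "host": "ws-042", "event": "dns_query",
                "domain": "invoice-portal.example"}),
    json.dumps({"id": 2, "host": "ws-042", "event": "http_request",
                "url": "http://invoice-portal.example/invoice_0911.doc",
                "domain": "invoice-portal.example"}),
    json.dumps({"id": 3, "host": "ws-042", "event": "process_create",
                "image": "WINWORD.EXE", "file_sha256": MALDOC_SHA256}),
    json.dumps({"id": 4, "host": "ws-017", "event": "http_request",
                "url": "https://intranet.example/news", "domain": "intranet.example"}),
    json.dumps({"id": 5, "host": "ws-017", "event": "process_create",
                "image": "EXCEL.EXE", "file_sha256": hashlib.sha256(b"benign").hexdigest()}),
])


def match_iocs(event):
    """Return a list of (ioc_type, value, label) for every IOC the event contains."""
    hits = []
    for field, ioc_type in FIELD_TO_TYPE.items():
        value = event.get(field)
        if value is None:
            continue
        label = IOC_FEED[ioc_type].get(value)
        if label is not None:
            hits.append((ioc_type, value, label))
    return hits


def severity(hits):
    """Highest severity among the matched artefact types, or 'none' if nothing matched."""
    best = "none"
    for ioc_type, _, _ in hits:
        candidate = SEVERITY_BY_TYPE[ioc_type]
        if SEVERITY_RANK[candidate] > SEVERITY_RANK[best]:
            best = candidate
    return best


def triage(telemetry_jsonl):
    """Match every event against the feed; return alerts, most severe first."""
    alerts = []
    for line in telemetry_jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = match_iocs(event)
        if hits:
            alerts.append({"id": event["id"], "host": event["host"],
                           "severity": severity(hits), "hits": hits})
    # Critical first; ties broken by event order so the queue is deterministic.
    alerts.sort(key=lambda a: (-SEVERITY_RANK[a["severity"]], a["id"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_TELEMETRY):
        print(alert["severity"].upper(), alert["host"], alert["id"],
              [h[2] for h in alert["hits"]])
```

Events 4 and 5 produce no alert, so they never reach an analyst; the three events on `ws-042` are queued as critical, high and medium, which is the prioritisation between critical and non-critical cases the text attributes to the bots.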
Even after the immediate threat was stopped, further measures ensured that the attack was completely averted. Among other things, the MCD team checked all relevant connection data. Affected files and other items were sent to a specialised team at PwC for root cause analysis. It analysed the attack and provided additional compromise indicators for the automated systems. These measures were aimed at combating multiple malware website redirects, other tactical moves by the attackers – and, most importantly, detecting new attack attempts on an ad hoc basis. In the process, the team identified a second infected workstation, which was immediately isolated.
Finally, to complete the clean-up of the client's systems and ensure that no further attacks would get through, the MCD team removed all traces of the files associated with the attack chain from the affected systems – including the executed malware and any other virus droppers that had landed on the drives in the course of the attack. In addition, the customer was advised to reset the login credentials of all affected user accounts. The incident was successfully resolved with no data loss or further damage.
This incident again shows very well that the threat potential of hacker attacks continues to grow. This is mainly due to two factors. First, hackers are more frequently acting as groups to develop new and, above all, more effective malware and attack strategies. Second, the current home office situation has created many more attack opportunities for hackers. Many companies require their employees to work from home and are therefore more vulnerable to further cyber attacks. Remote working generates so many dangers mainly because the employee is no longer behind the company's firewall, but behind the standard firewall of their modem router. These routers in particular offer very little protection for sensitive company data.
In order to keep up with the hackers' current attack practices, it is important for companies to invest in new solutions and to constantly update their cyber defence strategy. To enable companies to quickly achieve strong protection without any fixed costs, PwC has developed a managed service called MCD (Managed Cyber Defence), which specialises in the detection of and reaction to such forms of attack. Companies that benefit from MCD are not only protected in the event of an ongoing attack, but can also detect hackers who have already invaded the company's network.