Industrial cybersecurity company Dragos today disclosed what it describes as a “cybersecurity event” after a known cybercrime gang attempted to breach its defenses and infiltrate the internal network to encrypt devices.
While Dragos states that the threat actors did not breach its network or cybersecurity platform, they got access to the company’s SharePoint cloud service and contract management system.
“On May 8, 2023, a known cybercriminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform,” the company said.
“The criminal group gained access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process.”
After breaching Dragos’ SharePoint cloud platform, the attackers downloaded “general use data” and accessed 25 intel reports that were usually only available to customers.
During the 16 hours they had access to the employee’s account, the threat actors failed to also access multiple Dragos systems—including its messaging, IT helpdesk, financial, request for proposal (RFP), employee recognition, and marketing systems—due to role-based access control (RBAC) rules.
After failing to breach the company’s internal network, they sent an extortion email to Dragos executives 11 hours into the attack. The message was read 5 hours later because it was sent outside business hours.
Five minutes after reading the extortion message, Dragos disabled the compromised sure account, revoked all active sessions, and blocked the cybercriminals’ infrastructure from accessing company resources.
“We are confident that our layered security controls prevented the threat actor from accomplishing what we believe to be their primary objective of launching ransomware,” Dragos said.
“They were also prevented from accomplishing lateral movement, escalating privileges, establishing persistent access, or making any changes to the infrastructure.”
The cybercrime group also attempted to extort the company by threatening to publicly disclose the incident in messages sent via public contacts and personal emails belonging to Dragos executives, senior employees, and their family members.
“While the external incident response firm and Dragos analysts feel the event is contained, this is an ongoing investigation. The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable,” Dragos concluded.
One of the IP addresses listed in the IOCs (144.202.42[.]216) was previously spotted hosting SystemBC malware and Cobalt Strike, both commonly used by ransomware gangs for remote access to compromised systems.
CTI Researcher Will Thomas from Equinix told BleepingComputer that SystemBC has been used by numerous ransomware gangs, including Conti, ViceSociety, BlackCat, Quantum, Zeppelin, and Play, making it hard to pinpoint what threat actor is behind the attack.
Thomas said that the IP address has also been seen used in recent BlackBasta ransomware attacks, possibly narrowing down the suspects.
A Dragos spokesperson said they’d reply later when BleepingComputer reached out for more details on the cybercrime group behind this incident.