This Anatomy of an Attacker report summarizes the cyber attacker activities recently discovered within the facilities of a major global manufacturer. In this report we give an overview of the attack, share our view of some of the incidents of compromise, and provide evidence of the unique efficacy of deception technology in conclusively identifying cyber attacker activity.
This manufacturer has many thousands of computer endpoints and a wide variety of industrial control system components, and it connects to and services a global network of business partners and customers. ShadowPlex was installed within several of the VLANs in the manufacturer’s primary facility. This provided coverage for approximately 300 endpoints that were part of those VLANs. ShadowPlex was configured to auto-install ten (10) camouflaged deception decoys within the network.
Shortly after the installation of the ShadowPlex deception platform, the manufacturer’s security operations center began receiving a stream of alerts generated by ShadowPlex. These high-confidence alerts identified the movements and activities of a sophisticated attacker who apparently already had access to resources within the internal networks. Subsequently, ShadowPlex observed that the attacker continued to move laterally through the networks and continued to gain access to multiple user accounts. This access to the authentication data of multiple accounts is a source of high concern, and the internal SOC team continues to monitor the movements and tactics of this attacker.
Initially, this attacker used malware that attempted to exploit the EternalBlue vulnerability. EternalBlue works by exploiting a flaw in Microsoft Server Message Block (SMB) version 1.0. Many malware families, such as the WannaCry and Petya ransomware, have leveraged the EternalBlue exploit successfully.
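Because EternalBlue depends on SMBv1 being reachable, the first thing a defender reviewing this report would want is an inventory of which hosts still speak SMBv1, and a controlled way to turn it off. The PowerShell below is an added example written for this page; it is not code from the report, from ShadowPlex, or from the manufacturer. It assumes an elevated session on Windows 8 / Server 2012 or later (where the `SmbShare` module and the `SMB1Protocol` optional feature exist) and, for remote hosts, that WinRM is enabled. The host names in the usage line are constructed placeholders.

```powershell
# Added example (not from the report): inventory and remediate SMBv1 exposure.
# Requires an elevated session; remote inspection needs WinRM (PowerShell remoting).

function Get-Smb1Status {
    [CmdletBinding()]
    param(
        # Hosts to inspect; defaults to the local machine.
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    # Runs on each target. Two independent signals are collected:
    #  - the SMB server setting (will this host accept SMBv1 sessions?)
    #  - the optional feature state (is the SMBv1 component installed at all?)
    $probe = {
        $srv  = Get-SmbServerConfiguration
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ComputerName      = $env:COMPUTERNAME
            Smb1ServerEnabled = [bool]$srv.EnableSMB1Protocol
            # On server SKUs the component is a Windows feature (FS-SMB1), so
            # Get-WindowsOptionalFeature may return nothing; report that honestly.
            Smb1FeatureState  = if ($feat) { $feat.State.ToString() } else { 'Unknown' }
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -ieq $env:COMPUTERNAME) { & $probe }
        else { Invoke-Command -ComputerName $c -ScriptBlock $probe }
    }
}

function Disable-Smb1 {
    # Supports -WhatIf / -Confirm so the change can be rehearsed before rollout.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 on the SMB server')) {
        # Stop accepting SMBv1 sessions immediately; -Force suppresses the prompt.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove the SMB1Protocol optional feature')) {
        # Remove the component so it cannot be re-enabled by a stray setting.
        # -NoRestart defers the reboot; schedule it through normal change control.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
}

# Usage (host names are constructed placeholders):
#   Get-Smb1Status -ComputerName 'PLANT-HMI-01','PLANT-FILE-02' | Format-Table
#   Disable-Smb1 -WhatIf      # rehearse
#   Disable-Smb1              # apply on the local host
```

Run the inventory first and keep the output with the incident record: a host that reports `Smb1ServerEnabled = True` is a host on which the malware described above has an exploitable protocol to aim at, regardless of whether a decoy later catches it. Disabling SMBv1 removes the attack path; it does not replace applying the vendor's SMB patch, and legacy industrial devices that still require SMBv1 should be isolated on their own segment rather than left reachable from user VLANs.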
IP addresses are obfuscated or withheld to protect the identity of the manufacturer and to preserve the confidentiality of any law enforcement investigation that may be ongoing at this time.