Dragos Employee Hacked, Revealing Ransomware, Extortion Scheme

One might argue that security companies should be more prepared than most organizations to defend against a cyberattack. That was the case at Dragos recently, when a known ransomware group attempted, but failed, to extort money from the security vendor in a socially engineered attack that occurred after it compromised a new employee's personal email account.

The attack occurred May 8, with attackers gaining access to SharePoint and the Dragos contract management system by compromising the personal email address of a new sales employee prior to the person's start date, the company revealed in a blog post on May 10. The attacker then used stolen personal information from the hack to impersonate the employee and accomplish initial steps in Dragos' employee-onboarding process.

Dragos' swift response prevented the threat group from achieving its objective — the deployment of ransomware — or to engage in further activity, such as lateral movement, escalating privileges, establishing persistent access, or making changes to any Dragos infrastructure, the company said.

"No Dragos systems were breached, including anything related to the Dragos Platform," according to the post.

However, the attackers didn't stop there. Once the group's initial compromise and ransomware strategy was unsuccessful, it quickly "pivoted to attempting to extort Dragos to avoid public disclosure," the company said. Attackers did this by sending a flurry of messages to Dragos executives that threatened to reveal the attack publicly if they weren't paid off.

In a creepy twist, the group even went so far as to get personal in the messages, making references to the family members and personal contacts of Dragos employees, as well as sending emails to the personal accounts of senior Dragos employees to elicit a response.

The company ultimately decided that "the best response was to not engage with the criminals," and managed to contain the incident, according to the post.

Still, Dragos acknowledged a data loss that will likely result in a public leak of information because the company chose not to pay a ransom, which is "regrettable." However, the company sticks by its decision not to engage or negotiate with cybercriminals, it said.

Promoting Cyber Transparency

It's not often that security companies reveal attacks that they experience, but Dragos said that it decided to do so as an example of how to defuse a security breach before it causes significant damage. Also, it wanted to "help de-stigmatize security events," the company wrote in the post.

Indeed, as security incidents have proven time and again, no company — not even ones that seem firmly locked down — is safe from attack, particularly with the current level of attackers' cleverness and sophistication when using social engineering tactics, according to one security expert.

In fact, the Dragos narrative "is one of the rare stories where you hear about a truly crafted social engineering attempt and a quick discovery which led to minimal damage," Roger Grimes, data-driven defense evangelist at security firm KnowBe4, wrote in an emailed statement.

The incident should drive awareness to "the very active social-engineering scams that are happening in the hiring space" in particular, he wrote. In fact, not every company is so lucky, nor defends itself so well, Grimes noted.

"There are also many stories of employers hiring fake employees who existed only to steal and scam from their employer, fake employees who actually didn't know their job and just collected paychecks until they were fired, and scams the other way where legitimate job seekers were scammed while seeking employment," he says.

Response & Internal Mitigation Is Key During a Cyberattack

While an investigation into the incident is ongoing, Dragos was able to prevent a more serious attack due to swift response and a layered security approach by the company, which should provide a blueprint for others, according to the post.

The company investigated alerts in its corporate security information and event management (SIEM) and blocked the compromised account, as well as activated its incident response retainer with a service provider, and engaged a third-party monitoring, detection and response (MDR) provider to manage incident-response efforts.

"Verbose system activity logs enabled the rapid triage and containment of this security event," the company said.

To avoid similar attacks in the future, the company said it has added an additional verification step to further harden its new-employee onboarding process to ensure that the technique used in the attack won't be repeated.

Moreover, since every thwarted access attempt was due to multistep access approval, Dragos also is evaluating the expansion of this strategy to other systems based on how critical they are.

Cyber-Resilience Advice for Other Organizations

Dragos also made some recommendations for other organizations to help avoid a similar attack scenario. The company advised that the hardening of identity and access management infrastructure and processes is ultimately a baseline linchpin for every organization looking for cyber resilience. And it's a good idea to implement separation of duties across the enterprise so no one person has full run of the environment.

Organizations also should apply the principle of least privilege to all systems and services, and implement multifactor authentication wherever possible, the company said.

Other steps for avoiding a similar employee compromise like Dragos suffered include applying explicit blocks for known bad IP addresses, and scrutinizing incoming emails for typical phishing triggers, including the email address, URL, and spelling.

Finally, organizations overall should ensure that continuous security monitoring is in place, with tested incident response playbooks ready in case an attack does occur, according to Dragos.