Irregular Expressions

Nov 22 2012   10:52PM GMT

South Carolina Department of Revenue Incident Report

Dan O'Connor

Some very interesting information in this report.

What really sticks out to me is:
1) This appears to have been targeted, the phishing attack. I wish it would say, but I would think that whatever malware was executed by the email was modified to help avoid detection.

2) The account used to start the attack was gathered using the initial phish (they think). It was then used to log in to remote services. If you are running remote access like Citrix or RDP, it would be best to try and place these behind another set of logins such as a VPN. Then add on something like RSA's SecurID. This way, even if the name and password are stolen, they still cannot be used without the token.

3) The speed of the attack is fairly impressive. There was some recon as the attacker looked around the network, then about 10 days later they appear to have dumped anything they felt had value and exfiltrated it out of the network.

4) The encrypted database dumps that were removed from the network also had their encryption keys stolen. But those keys were encrypted, so it appears that it's protected. The encryption was AES-256, which, while not totally impossible, should be beyond reach with a strong key.
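The arrangement in point 4, where the dump is encrypted under one key and that key is itself stored encrypted under a second key, is usually called envelope encryption. The Go program below is an added example, not code from the report or from this post; it assumes AES-256-GCM for both layers and a key-encryption key (called `kek` here) that lives somewhere other than the database host, so that a stolen dump plus its wrapped key is useless on its own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what an attacker would carry off the network: the encrypted
// dump and the wrapped (encrypted) data key. Neither yields plaintext
// without the key-encryption key, which is never stored beside them.
type Envelope struct {
	Ciphertext []byte // AES-256-GCM over the dump, nonce prepended
	WrappedKey []byte // AES-256-GCM over the data key, nonce prepended
}

// gcmSeal encrypts and authenticates plaintext under a 32-byte key with a
// fresh random nonce, returning nonce || ciphertext || tag.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// gcmOpen reverses gcmSeal; a wrong key or tampered blob fails the tag check.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// NewKEK generates a 32-byte key-encryption key (AES-256). In practice this
// would be held in an HSM or KMS; here it is simply generated in memory.
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return kek, nil
}

// EncryptDump generates a one-off 256-bit data key, encrypts the dump with
// it, then wraps the data key under the KEK. The plaintext data key is
// discarded after this call.
func EncryptDump(kek, dump []byte) (Envelope, error) {
	if len(kek) != 32 {
		return Envelope{}, errors.New("KEK must be 32 bytes for AES-256")
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Envelope{}, err
	}
	ct, err := gcmSeal(dataKey, dump)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := gcmSeal(kek, dataKey)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: ct, WrappedKey: wrapped}, nil
}

// DecryptDump unwraps the data key with the KEK and then decrypts the dump.
// Without the correct KEK the first step fails and nothing is recovered.
func DecryptDump(kek []byte, env Envelope) ([]byte, error) {
	dataKey, err := gcmOpen(kek, env.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dataKey, env.Ciphertext)
}

func main() {
	kek, _ := NewKEK()
	// Constructed sample record standing in for a database dump.
	dump := []byte("taxpayer_id=000-00-0000,filing_year=2011")
	env, _ := EncryptDump(kek, dump)
	wrongKEK := make([]byte, 32) // an attacker guessing without the real KEK
	if _, err := DecryptDump(wrongKEK, env); err != nil {
		fmt.Println("without the KEK:", err)
	}
	pt, _ := DecryptDump(kek, env)
	fmt.Println("with the KEK:", string(pt))
}
```

The point of the split is operational: the database host can encrypt new dumps while only ever holding wrapped keys, so the one secret worth guarding (the KEK) never sits next to the data that an intruder dumping the network would take.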

Isn’t it neat the information you can collect from digital forensics?
