Restoring a software and services provider’s cloud environment after a breach

When a software and services provider’s security team received an alert that an account on the network had attempted a privilege escalation on a domain controller, they took action and discovered an attack in progress.

The security team logged into the domain controller and determined there was an active session with that account. So they killed the session and disabled the account in Active Directory, blocking the account that the threat actor was using.

The client didn’t realize how serious the attack was until the Lapsus$ threat actor engaged with a member of the client’s security team in chat, writing, “Why did you do that to me? Now I’m gonna delete all of your cloud environments.” Then the attacker did just that: deleted all virtual machines and accounts in the organization’s cloud environment, including its email. That effectively shut the company down. After the client lost access to its cloud environment, their panic level went up to 10.

The client’s leadership quickly recognized that this incident was more serious than the in-house security team could handle on its own. They contacted Palo Alto Networks Unit 42 Incident Response team, whose experts can quickly investigate and respond to cyberattacks.

Unit 42 specializes in cloud incident response and responds to hundreds of these types of breaches each year. As a result, its experts have an understanding of what threat actors are doing, why they’re doing it, and what sequence of actions they’re using in an attack. Hacking isn’t magic. It’s a step-by-step process. Unit 42 investigators understand this process, and know how to stop attacks.

Unit 42’s first action was to completely remove Lapsus$ from the environment. The team isolated the environment, then cut off all internet access so that nobody could get in or out. This stopped the threat actor from doing any more damage to the client’s systems.

Next, Unit 42 investigators had to understand what access the threat actor had, what they’d done, and how they’d taken each malicious action. Without that information, there was no good way to stop the attacker, undo the damage, and prevent them from getting back in.

Unit 42 locked Lapsus$ out permanently by deleting or changing passwords for all of the accounts to which the attacker had gained access. Investigators also put in place additional security precautions to make the environment more resilient against future attacks.

At this point, the Unit 42 Incident Response team met with the client’s CISO, CIO, and security staff to report its findings, sharing a flowchart illustrating the threat actor’s movement through the environment, including what was accessed on what days and times.

Unit 42’s incident response experts got the client back in business after being down for over a week.

Unit 42 also provided a comprehensive cyber security assessment of the client’s systems. The assessment showed that while the client already had a comparatively strong security posture, there were still vulnerabilities that could be exploited by threat actors.

Completing its engagement, Unit 42 was not only able to get the client back in business, but also strengthened the company’s defenses to be stronger than ever.

Palo Alto Networks Unit 42 brings together world-renowned threat researchers, elite incident responders, and expert security consultants to create an intelligence-driven, response-ready organization that’s passionate about helping you proactively manage cyber risk. Our team serves as your trusted advisor to help assess and test your security controls against the right threats, transform your security strategy with a threat-informed approach, and respond to incidents in record time so that you get back to business faster.

If you’d like to learn more about how Unit 42 can help your organization defend against and respond to severe cyberthreats, visit start.paloaltonetworks.com/contact-unit42.html to connect with a team member.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team at start.paloaltonetworks.com/contact-unit42.html or call North America Toll-Free: 866.486.4842 (866.4.UNIT42), EMEA: +31.20.299.3130, UK: +44.20.3743.3660, APAC: +65.6983.8730, or Japan: +81.50.1790.0200.