A recent report disclosed breaches of tech and aviation companies that occurred via cloud-based services. The attack highlights the need for best practices around how plain-text network credentials and sensitive VPN/network access instructions are shared and stored on easily accessible platforms.
Researchers discovered the attack while conducting incident response activities beginning in October 2019 and lasting through April of 2020. However, the illegal cyber activities began well in advance of this timeframe. At least one attack was set in motion as early as 2017.
“The three-year dwell time is much longer than what we typically see during incident response investigations, which is often weeks or months,” says global threat expert Christo Butcher.
The cyber criminal or criminals involved in this event relied on a combination of credential stuffing, password spraying and brute-force techniques to move further and further into systems.
“In one specific case, the adversary…was able to access a document stored in SharePoint Online, part of Microsoft Office 365,” notes the report about the attack. “This specific document described how to access the internet-facing company portal and the web-based VPN client [that leads] into the company network.”
The hackers managed to maneuver around multi-factor authentication screens and complete a successful intrusion. They also managed a series of other sophisticated and alarming feats. To read about the full extent of the attackers’ stealthy activities, check out this article from SC Magazine.