The attack successfully bypassed Microsoft Office 365 Advanced Threat Protection (ATP) filtering and stole over a thousand corporate employees’ credentials. The stolen user data was sent to these servers, where it was saved in files that were publicly accessible and indexed by Google, allowing anyone to view them through a simple search. Attackers usually prefer to use compromised servers instead of their own infrastructure because of the existing websites’ well-known reputations: the more widely recognized a domain’s reputation is, the higher the chance that the email will not be blocked by security vendors.
Based on a subset of roughly 500 stolen credentials, the researchers found a wide range of target industries, including IT, healthcare, real estate, and manufacturing. However, it appears that the threat actors have a particular interest in construction and energy.
What to do?
- Ensure your network security software is up to date and active.
- Conduct routine employee training on cyber threats and techniques such as phishing.
- Perform routine system checks to identify any possible breaches.
- Perform routine backups and store copies off site in a secure location.
What can you do when this happens to you?
- If you determine your network has been breached and/or compromised, immediately shut down and identify any malware present.
- Determine if any data has been modified or exfiltrated.
- If data has been stolen, notify all affected parties, including local law enforcement’s data crimes division and the FBI.
- Reinstate the network from a known “clean” backup.