
Possible learnings after a targeted attack attempt

Written by Fabio F. Ramos | Jun 9, 2023 8:11:53 PM

Although I have been working in Information Security for more than 20 years, this is the first time I am reporting from the other side of the equation, on an attempted attack on Axur. Usually the companies attacked are our customers, but as a cybersecurity company, we're no strangers to being targeted by malicious actors.

It is important to make it clear that no data was exposed in the incident, neither internal nor customer data. Nevertheless, this article describes how we dealt with the attempt, and especially the main lessons we can share with other companies.

This story begins on December 29, 2022, when I received alerts via Slack about suspicious domains using Axur's name. The domain still had no content, and we did not know the intentions of the person who had registered the name "axurbrasil.com".

In the following days, we detected other domains such as "axur.info", "axur.cc" and "axur.live", among others. All were without content, but with DNS configured.

We moved all of them to the quarantine section of the platform. There we monitored the behavior of each domain and any change indicating that the fraudster was about to put a page up or was preparing to send emails from that domain. We were particularly worried about seeing an MX record set up, which would be a strong indication of a spear phishing attack.

On March 8, I received an unusual phone call. It was a Wednesday, and I was finishing up a video meeting and getting ready to help my son with some homework. The person on the other end of the line was the head of our Threat Intelligence team. He was telling me that one of the monitored domains had changed its status to mirror the login section of the Axur platform.

[Image: screenshot of the look-alike domain mirroring the Axur login page]

We started to think about the motivations behind the attack. It could be a criminal angry that we detected and removed their campaigns, someone trying to access our customers and partners' data, or even social engineering attacks being carried out in Axur's name, such as money order scams.

The phishing page could also target our own team in an attempt to steal a privileged access credential, which is often the classic start of an extortion attack. Had our team not used second-factor authentication and not received constant training on how to identify phishing, the attack could have exposed us to the risk of a privileged access credential leak.

Regardless of the motivation, we needed to act. We went on to create the war room, and at this point I felt like I was wearing our customers' shoes.

The concern is different for each sector of the company. While the Customer Success team thought about each customer and how they could be affected, the administrative team thought about each outcome that could come from spear phishing and the marketing team worried about the possible damage to Axur's image if the attack was successful.


The Action Plan

We divided our action plan into three parts, which were, briefly:

1. Scope of visibility
To make sure we were monitoring the entire external environment and any new detections that could arise, such as fake social media profiles and mentions in deep & dark web groups and forums.

2. Communication
We developed a communication plan for our customers and partners, without alarmism, but making the threat clear with full transparency.

3. Response
There is a lot of talk about agile response, and on this day I understood perfectly the weight of every passing second: the more the clock ticked, the greater the chance of someone becoming a victim of this phishing involving Axur. The third step was to remove the page by requesting the takedown, notifying the providers and triggering the anti-fraud mechanisms. Thanks to our experience in notifying thousands of such cases daily, we were able to remove the phishing in less than 2 hours.

From there we also deepened the investigation to understand who the threat actor behind this attack was. That part, of course, I cannot disclose here.

Once the risk had passed, we thought a lot about the attempted attack and what our role could be in supporting companies that do not yet have this kind of monitoring. 

The big dilemma for a company going through the same thing is: how do you detect suspicious domains in a universe of hundreds of thousands of new domains registered every day? And, immediately after identifying a suspicious domain, how do you get alerted if that domain brings up a web server with content, or configures an MX record, which means the domain will be used to send email?

We then devised a free solution to make domain monitoring more accessible to security teams, managers and analysts in companies. 


How Domain Watchdog works

Domain Watchdog is an online tool that makes it easy to detect and monitor domains with names similar to your company's. In Axur's case, the variations "axur.cc", "axur.info" and "axur.live" would be easily detected by this tool. In addition, you can monitor up to 20 domains and be alerted if DNS or an MX record is configured, or if the domain starts responding on port 80 or 443.
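To make the monitoring described in the quarantine step and in the Domain Watchdog overview concrete, here is an added example (written for this edit, not Axur's code and not how Domain Watchdog is implemented) that generates look-alike candidates for a brand and then tracks state changes for each watched domain: DNS starting to resolve, an MX record appearing, or ports 80/443 starting to answer. The brand, TLD list and affixes are constructed sample inputs; the optional dnspython dependency for MX lookups and the three-second connect timeout are assumptions.

```python
"""Look-alike domain candidates plus escalation alerts on DNS/MX/port changes."""
import socket
from dataclasses import dataclass

# Constructed sample inputs, modelled on the brand discussed in the post.
BRAND = "axur"
TLDS = ("com", "net", "info", "cc", "live", "io")
AFFIXES = ("brasil", "br", "login")


def candidate_domains(brand=BRAND, tlds=TLDS, affixes=AFFIXES):
    """Return brand+TLD and brand+affix+TLD variants worth placing in quarantine."""
    names = {brand}
    for affix in affixes:
        names.add(brand + affix)          # e.g. axurbrasil
        names.add(f"{brand}-{affix}")     # e.g. axur-brasil
    return sorted(f"{n}.{t}" for n in names for t in tlds)


@dataclass(frozen=True)
class DomainState:
    """Observed state of a domain; all False means 'registered but dormant'."""
    has_a: bool = False
    has_mx: bool = False
    http: bool = False
    https: bool = False


def _port_open(host, port, timeout):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def _has_mx(domain):
    """MX lookup via dnspython (assumed optional dependency); False if unavailable."""
    try:
        import dns.resolver
    except ImportError:
        return False
    try:
        return len(dns.resolver.resolve(domain, "MX")) > 0
    except Exception:
        return False


def live_state(domain, timeout=3.0):
    """Probe a domain over the network. Unresolvable names are reported as dormant."""
    try:
        socket.getaddrinfo(domain, None)
    except socket.gaierror:
        return DomainState()
    return DomainState(has_a=True, has_mx=_has_mx(domain),
                       http=_port_open(domain, 80, timeout),
                       https=_port_open(domain, 443, timeout))


# Ordered so that the alert text matches the concern raised in the post.
ESCALATIONS = (
    ("has_a", "DNS now resolves: domain is live, keep it in quarantine"),
    ("has_mx", "MX record configured: domain can send mail, spear-phishing risk"),
    ("http", "port 80 answering: check for a cloned page"),
    ("https", "port 443 answering: check for a cloned page"),
)


def escalations(old, new):
    """Messages for each attribute that flipped from False to True."""
    return [msg for attr, msg in ESCALATIONS
            if getattr(new, attr) and not getattr(old, attr)]


def watch(domains, previous, probe=live_state):
    """Probe every domain; return (current states, list of (domain, alert))."""
    current, alerts = {}, []
    for domain in domains:
        state = probe(domain)
        current[domain] = state
        for msg in escalations(previous.get(domain, DomainState()), state):
            alerts.append((domain, msg))
    return current, alerts


if __name__ == "__main__":
    # One polling pass against live DNS; persist `states` between runs in practice.
    states, alerts = watch(candidate_domains(), {})
    for domain, msg in alerts:
        print(f"[ALERT] {domain}: {msg}")
```

The `probe` parameter lets the state logic be exercised with canned results, which is also how a team would replay a domain's history when tuning which transitions page someone at night; in a real deployment the `states` dictionary would be persisted between polling runs so that only transitions, not steady states, produce alerts.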

From this incident come lessons learned, processes established, and the certainty that monitoring is always the best way to mitigate impacts and react to threats.

Another result is Domain Watchdog, which you can test by visiting watchdog.axur.io. If it makes sense for you, start monitoring suspicious domains that use your company name.