Security Incident Report / SITREP #2017-Month-Report#

Incident Detector's Information

Date/Time of Report: 15/02/2018 1.40 p.m.
First Name: Amanda
Last Name: Smith
OPDIV: Avitel/Information Security
Title/Position: System Analyst
Work Email Address: [email protected]
Contact Phone Numbers:
  Work: 321-527-4477
  Government Mobile:
  Government Pager:
  Other:

Reported Incident Information

Initial Report Filed With (Name, Organization): CISO, Avitel Analysts
Start Date/Time: 15/02/2018
Incident Location: HR Office
Incident Point of Contact (if different than above): Internal Ransomware
Priority: Level 2
Possible Violation of ISO/IEC 27002:2013: YES, ISO/IEC 27002

Privacy Information - ISO 27000 (Country Privacy Act Law):
The incident violated ISO 27000 and indicates a failure in the state of the corporate network or in the existing security policies. The target was adversely affected because the conference participants were prevented from accessing network resources. The violation was intentional.

Incident Type:
Alteration of information on the server. Database queries indicate that the attack involved modifying some entries in the database.

US-CERT Category: Ransomware / Unauthorized Access

CERT Submission Number, where it exists:
The ransomware attack can be reported to the Canadian Cyber Incident Response Centre (CCIRC) team for an appropriate response to the incident.

Description:
The crypto-ransomware locks the system and encrypts the user files; the unlock password cannot practically be guessed, so the conference participants are pressured to pay the demanded amount to have the system unlocked. The observed sequence was:
  1. User asked to update links
  2. User disables security controls
  3. Malware opens a command prompt
  4. The script uploads the files attackscript.txt and ransomware.exe to the WordPress site internal.nationstate.cyb670
  5. Two files (attackscript.exe and ransomware.txt) were then downloaded to the VM, and the user's files were encrypted

Additional Support Action Requested:
Detection of a possible breach of internal control policies.

Method Detected:
Log reviews and intrusion detection systems were used to identify the incident. Diagnostics and monitoring tools provided the essential leads on how the ransomware attack entered the organization's network.

Number of Hosts Affected: 120
OPDIV / Department Impact: Low - Medium

Information Sharing

System: Entire network within the organization (Windows)
Status: Ongoing

Attacking Computer(s) Information

IP Address / Range   Host Name                     Operating System   Ports Targeted   System Purpose
52.94.225.236        Internal.nationstate.cyb670   Windows 7          443, 80          Attack System

Victim's Computer(s) Information

IP Address / Range   Host Name   Operating System   Ports Targeted   System Purpose
172.21.21.232        N/A         Windows 7 / Mac    80, 443          HR System

Action Plan

Action Description: Control further attack by the m
Requestor: CISO
Assignee: Head, Information Security, CISO
Time Frame: 12 hours
Status: Ongoing

Conclusion / Summary

Entities Notified: Departmental Head, CIO, CISO, IT Manager, VP Operations, and FVEY

Resolution:
The information security team seeks to contain the ransomware attack without making any payment in Bitcoin. Using Wireshark and other tools, the IT team was able to recover the password and decrypt all of the files that had been encrypted. The team was also able to create Snort and YARA rules to help detect any other possible attacks of this kind on our systems.
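As an added worked example (not part of the original report), the log-review step named under Method Detected and the detection follow-up under Resolution can be carried out against web-server access logs for the WordPress staging host. The script below correlates every request that touches one of the artifact names from the Description (attackscript.txt, ransomware.exe, attackscript.exe, ransomware.txt) on internal.nationstate.cyb670, separating who staged a file (POST/PUT) from which internal clients successfully fetched it (GET with a 2xx status), and counts the distinct downloading clients, which is the figure the "Number of Hosts Affected" field asks for. The access-log format and all sample lines are constructed for this example; only the host name, artifact names and the HR system address 172.21.21.232 come from the report, and the other client addresses are invented.

```python
import re
from datetime import datetime

# Names taken from the report above: the WordPress staging host and the artifact file names.
STAGING_HOST = "internal.nationstate.cyb670"
ARTIFACTS = {"attackscript.txt", "ransomware.exe", "attackscript.exe", "ransomware.txt"}

# Assumed (constructed) access-log shape, one request per line:
#   client - - [dd/Mon/yyyy:HH:MM:SS +zzzz] "METHOD /path HTTP/1.1" status bytes "vhost"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<vhost>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the shape."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    # Match on the final path component only, ignoring any query string.
    rec["filename"] = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return rec


def find_artifact_activity(lines):
    """Correlate requests that touch a known artifact on the staging host.

    'staged' records which clients uploaded (POST/PUT) each artifact, 'fetched'
    records which clients successfully downloaded (GET, 2xx) one, and
    'hosts_affected' counts the distinct downloading clients. Failed fetches
    still move the first/last timestamps so the timeline covers every attempt.
    """
    staged, fetched = {}, {}
    first = last = None
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["vhost"].lower() != STAGING_HOST:
            continue
        if rec["filename"] not in ARTIFACTS:
            continue
        first = rec["ts"] if first is None or rec["ts"] < first else first
        last = rec["ts"] if last is None or rec["ts"] > last else last
        if rec["method"] in ("POST", "PUT"):
            staged.setdefault(rec["filename"], set()).add(rec["client"])
        elif rec["method"] == "GET" and 200 <= rec["status"] < 300:
            fetched.setdefault(rec["client"], set()).add(rec["filename"])
    return {
        "staged": {a: sorted(c) for a, c in sorted(staged.items())},
        "fetched": {c: sorted(a) for c, a in sorted(fetched.items())},
        "hosts_affected": len(fetched),
        "first_seen": first.isoformat() if first else None,
        "last_seen": last.isoformat() if last else None,
    }


# Constructed sample log: the HR host from the report stages both files, two other
# internal clients fetch them, one fetch fails (404), one unrelated download, one
# request for the same file name on a different vhost, and one malformed line.
SAMPLE_LOG = """\
172.21.21.232 - - [15/Feb/2018:12:58:03 +0000] "POST /wp-content/uploads/attackscript.txt HTTP/1.1" 201 512 "internal.nationstate.cyb670"
172.21.21.232 - - [15/Feb/2018:12:58:09 +0000] "POST /wp-content/uploads/ransomware.exe HTTP/1.1" 201 204800 "internal.nationstate.cyb670"
172.21.21.45 - - [15/Feb/2018:13:01:40 +0000] "GET /wp-content/uploads/ransomware.exe HTTP/1.1" 200 204800 "internal.nationstate.cyb670"
172.21.21.45 - - [15/Feb/2018:13:01:41 +0000] "GET /wp-content/uploads/attackscript.txt HTTP/1.1" 200 512 "internal.nationstate.cyb670"
172.21.21.77 - - [15/Feb/2018:13:04:12 +0000] "GET /wp-content/uploads/ransomware.exe?v=2 HTTP/1.1" 200 204800 "internal.nationstate.cyb670"
172.21.21.90 - - [15/Feb/2018:13:05:00 +0000] "GET /wp-content/uploads/ransomware.exe HTTP/1.1" 404 0 "internal.nationstate.cyb670"
172.21.21.12 - - [15/Feb/2018:13:06:30 +0000] "GET /wp-content/uploads/2018/02/agenda.pdf HTTP/1.1" 200 9000 "internal.nationstate.cyb670"
172.21.21.12 - - [15/Feb/2018:13:07:00 +0000] "GET /wp-content/uploads/ransomware.exe HTTP/1.1" 200 204800 "other.example"
this line is malformed and must be skipped
"""

if __name__ == "__main__":
    summary = find_artifact_activity(SAMPLE_LOG.splitlines())
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Running the block on the sample prints two staging events from 172.21.21.232, two affected downloaders (172.21.21.45 and 172.21.21.77), and a timeline from 12:58:03 to 13:05:00; the 404 attempt, the request on the other vhost and the malformed line are correctly excluded from the affected-host count. Matching on the final path component rather than the full URL is what catches the `?v=2` variant, which a rule keyed on an exact path would miss; the Snort and YARA rules mentioned in the Resolution cover the network and file-content side of the same artifacts, so this script is the log-review counterpart, not a replacement for them.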