Develop the Intelligence Debriefing

Security Incident Report / SITREP #2017-Month-Report#

Incident Detector’s Information

Date/Time of Report

3/9/2023

First Name

Team

Last Name

UK

OPDIV

United Kingdom

Title/Position

Cyber Analyst

Work Email Address

[email protected]

Contact Phone Numbers

Work 425-434-7986

Government Mobile

Government Pager

Other

Reported Incident Information

Initial Report Filed With (Name, Organization)

UK Cyber Security Summit Team

Start Date/Time

3/8/2023

Incident Location

Digital Investigations

Incident Point of Contact (if different than above)

N/A

Priority

Level 1

Possible Violation of ISO/IEC 27002:2013

Control A.12.2.1 (Controls against Malware)

YES- Improper security awareness & system controls, as well as a Failure to Implement a Security Policy

Privacy Information - ISO 27000 (Country Privacy Act Law)

Was the incident a violation of ISO 27000? No

Did the target suffer an adverse effect?

/ As a result, was the OPDIV the direct or proximate cause of the adverse effect? - No

\ Was the violation intentional or willful? - Willful

/ Was the personally identifiable information used maliciously? -No

Incident Type

Dos Attack resulted in lockdown of the system until ransom was paid (Reveton Attack)

US-CERT Category

Category 2- DoS attack

Category 3 Ransomware

CERT Submission Number, where it exists

Identify and document CERT that represented nation would report to, where it exists; otherwise relevant organization

Description

The system was infected with malicious code because of a phishing attack. This attack enabled an attacker to perform a second-stage ransomware attack encrypting organizational data.

Additional Support Action Requested

Method Detected

Wireshark, IPS, Log Review, Summit computers

Number of Hosts Affected

1

OPDIV / Department Impact

HR Department

Summit members were unable to access the confidential data.

Information Sharing

Entities within the Five Eyes (FVEY) Alliance US-CERT can share incident data.

System

Human Resources Server

Status

Ongoing

Attacking Computer(s) Information

IP Address / Range

Host Name

Operating System

Ports Targeted

System Purpose

192.168.10.112

NIXRCC01

CENTOS

49810

Attacking Platform

Victim's Computer(s) Information

IP Address / Range

Host Name

Operating System

Ports Targeted

System Purpose

192.168.10.211

Internal.nationstate.cyb670/r/n

Windows 10

80

HR Computer

Action Plan

Action Description

Per CISO’s directions, continue to monitor for possible data exfiltration; SLA is in

place and approved for network monitoring.

Requestor

HR Department via Digital Investigations Team recommendation

Assignee

Team United Kingdom

Time Frame

Immediately

Status

Urgent

Conclusion / Summary

Entities Notified

All FVEY Summit Members

Resolution

An excel file included in a phishing email was used to launch a ransomware attacks. The infected device was removed from the network to prevent the infection from spreading further. Once a decryption was discovered, the encrypted files could be recovered. By doing so, the attacker’s $5,000 ransom demand was evaded, and the vulnerabilities were patched. Snort rules warn about upcoming ransomware attacks and new antivirus signatures. Employment training for phishing emails was given to the HR department.