Global marketing company enlists Unit 42 to investigate a smishing campaign turned data breach

When a global marketing company identified suspicious activity in one of their administrator accounts, they brought in Unit 42 to investigate. Initially, the client believed that only a single account with about 200 users had been breached. But as soon as Unit 42 began to investigate, the team discovered 20 to 30 compromised accounts— representing thousands of users—and potential compromise in a dozen other apps connected to the portal.

There was another complicating factor. The breached accounts were customer support accounts, which customer service representatives regularly logged in to legitimately. Now Unit 42 had to sift those legitimate activities from the illicit ones, across hundreds of thousands of records and logs.

Whenever a business is breached, it’s a stressful situation. In this case, the stress was compounded by the fact that quite a few accounts may have required notification. And if the infiltration had spread to downstream customers— major global organizations themselves—it could have had catastrophic consequences for the client.

With such high stakes, the client needed answers immediately. They asked Unit 42 to identify exactly what had happened: which accounts were compromised, what data was accessed or stolen, and how to evaluate their risk as a whole.

Remediation was also essential. The client tasked Unit 42 with minimizing damage to existing systems and financial records—and evicting the attacker from the environment as quickly as possible.

How had the breach happened? The means of attack was smishing. The threat actor used the name of the company’s single sign-on (SSO) provider, which the victims regularly used to log in to their business apps. When the request to “fix” their login credentials came in via text, victims clicked on the link and were taken to a landing page that looked legitimate, complete with the company logo and branding. Victims even got the usual multifactor authentication prompt—only in this case, the threat actor was the one on the backend, capturing all the information as it came in.

As soon as Unit 42 engages with a client, they loop in the Threat Intelligence team with collected indicators of compromise, as the team has a robust repository of threat actor information collected from the many thousands of investigations they’ve run over the years.

In this case, Unit 42 was able to almost immediately identify the threat actor—a group known as Muddled Libra— because the Threat Intelligence team was already tracking them. That shaved off days of investigation time.

“We knew the infrastructure for this group, their domains, where they were coming from,” says Chris Brewer, Unit 42 consulting director. “So we were able to preemptively block additional phishing domains and smishing architecture that was set up but not in use.” That gave Unit 42 a head start—crucial in any cyberattack, when time is of the essence.

Although it was extremely useful to immediately establish the identity of the threat actor, unfortunately this specific threat actor happened to be a tenacious operator. “They don’t give up,” Brewer says. “You kick them out, and they keep coming back.”

Data analysis surfaces compromised accounts

In any investigation, Unit 42 leverages the client’s infrastructure as much as possible. In this case, they used some of the log aggregation tools and built-in analytics to identify the compromised user accounts and which activity was legitimate versus not.

One important tool is statistical analysis. The Unit 42 team began by baselining the number of times per day an administrator would typically log in to a user account; the answer was 10 to 15. Then, when the team looked at the data as a whole, they saw spikes of 100 times a day. They dug into those spikes and found keyword searches for cryptocurrency, banking, and financial institutions—Muddled Libra at work.

Unit 42 also found anomalies in the VPN data log. For example, a user might have connected from Florida and then South America in immediate succession—a physical impossibility. And when the team looked at user agent strings (unique identifiers from browsers), they saw an old version of Google Chrome. Given that most large organizations have patch management policies in place, this was a flag, and it turned out to be another compromised account.

Containment cuts off the bad actors

As soon as the compromised accounts were identified, Unit 42 cut them off, blocking IP addresses and geolocations (that is, blocking countries that weren’t typically connecting to the environment through the admin portal).

Then Unit 42 had to reset employee passwords and credentials—about 10,000 of them—without downtime or disruptions to employee productivity. They did it strategically, targeting the administrator portal and administrator access first.

Unit 42 also worked with the client’s HR and legal teams to notify the employees that the business was under attack, advising everyone to be on alert for smishing messages.

True to form, the tenacious attacker returns

But it wasn’t over. After the smishing and VPN access attempts were stopped, Muddled Libra struck again. This time, they used a combination of phishing and a lookalike domain, replacing the letter “i” with an “l” in the company’s name. Once again, they asked users to reauthenticate their credentials in the company portal, and they successfully lured victims.

In response, the Unit 42 Threat Intelligence team began monitoring in real time for any newly created domains related to the marketing company’s organizations, preemptively blocking those domains and successfully thwarting this second attack.

Muddled Libra made one more attempt. And this time, says Brewer, “the bad guys were really creative.” They had various individuals call the help desk and, using the employee details they had gathered in the earlier attacks (names, user IDs, employee numbers), claim that they’d gotten a new phone and needed to reset their multifactor authentication credentials. While the attacker’s savviness regained them access to the environment, Unit 42 was able to immediately kick them out, as the team was on high alert from having seen these tactics from them before.

Threat intelligence is a key accelerator

The investigation was complete and the breach remediated within five weeks—thanks in part to the support of the Unit 42 Threat Intelligence team.

After the attacks, Unit 42 continued to monitor the VPN connections and look for anomalous logins while the Threat Intelligence team searched for new chatter on the dark web, looking for the client’s name on Telegram channels and proactively monitoring for lookalike domain creations.

Before long, the threat actor had gone silent, and no new attacks were detected.

Keeping the client—and the C-suite—informed

Throughout a Unit 42 investigation, communication is a priority. “We always give updates to the C-suite, to the board of directors,” Brewer says. “And with a major incident like this, we’re frequently doing daily status updates, walking them through the investigation from top to bottom.”

Reporting is an important component, too, delivered at the end of the engagement.

In the case of the Muddled Libra attacks, the report included all the available information about the compromised accounts and the threat actor as well as the impact on the client. It also identified all the data at risk, which is important for legal accountability down the road.

Frequently, a Unit 42 report goes beyond the written document. “We’ll do a verbal readout with a slide deck presentation,” Brewer says. For the C-suite, the team also addresses the high-level strategic issues so the presentation is relevant and connected with the audience’s goals.

The client was already fairly mature in their information security policies and tooling, with multifactor authentication and a VPN in place. But, Brewer says, “They hadn’t really thought about the full scope of what could potentially happen. Until it did.”

Unit 42 walked the client through the big-picture thinking, providing recommendations for how to become a more secure organization. Those recommendations included monitoring the dark web, preemptively registering lookalike domains, conducting user awareness training, and tightening their defenses and overall security posture.

Now, Brewer says, the client has a great future ahead of them. “They’ve gone through the storm, they remediated, and they have clear steps toward becoming more secure. That’s going to put them in a better position.”

Palo Alto Networks Unit 42® brings together world-renowned threat researchers, elite incident responders, and expert security consultants to create an intelligence-driven, response-ready organization that is passionate about helping you proactively manage cyber risk. Our team serves as your trusted advisor to help assess and test your security controls against the right threats, transform your security strategy with a threat-informed approach, and respond to incidents in record time so that you get back to business faster.

If you’d like to learn more about how Unit 42 can help your organization defend against and respond to severe cyberthreats, visit start.paloaltonetworks.com/contact-unit42.html to connect with a team member.

If you’re concerned you’ve been affected by an APT attack and/or the TiltedTemple campaign, Unit 42 is ready to help assess your risk and remediate the incident. Call us at North America toll free: +1.866.486.4842 (+1.866.4.UNIT42), EMEA: +31.20.299.3130, UK: +44.20.3743.3660, APAC: +65.6983.8730, or Japan: +81.50.1790.0200, or get in touch by visiting start.paloaltonetworks.com/contact-unit42.html.