Real-life cybercrime stories from DART, the Microsoft Detection and Response Team

guest · Mar 10, 2020

Microsoft shares nightmare tale: 6 sets of hackers on a customer's network
Microsoft reveals its first report on incident response work
March 10, 2020
https://www.zdnet.com/article/micro...ale-6-sets-of-hackers-on-a-customers-network/

Microsoft's first report from its Detection and Response Team (DART), which helps customers in deep cyber trouble, details the case of a large customer with six threat actors simultaneously on its network, including one state-sponsored hacker group that had been stealing data and email for 243 days.

Its first report details an advanced persistent threat (APT) attacker that stole administrator credentials to penetrate the target's network and steal sensitive data and emails.
Notably, the customer was not using multi-factor authentication (MFA), which could have prevented the breach.

In this case, the main attacker used a password-spraying attack to grab the customer's Office 365 admin credentials and from there searched mailboxes to find more credentials shared among employees in emails. DART found the attacker was looking for intellectual property in certain markets.
Click to expand...

"This investigation lasted more than seven months and revealed a possible compromise of sensitive information – pertaining to the victim and the victim's customers – stored in Office 365 mailboxes. 243 days after the initial compromise, DART was then brought in to work alongside the incident-response vendor and the company's in-house teams," Microsoft says.
Click to expand...

Microsoft: Real-life cybercrime stories from DART, the Microsoft Detection and Response Team

DART Case Report 001: …And Then There Were Six (PDF): https://www.microsoft.com/security/blog/then-there-were-six/

Case Report 001 is a story of cybercrime when DART was called in to help identify and evict an attacker, only to discover there were already 5 more adversaries in the same environment.
Click to expand...

guest · Apr 3, 2020

Microsoft: How one Emotet infection took out this organization's entire network
An Emotet victim's IT disaster shows why organizations should filter internal emails and use two-factor authentication
April 3, 2020
https://www.zdnet.com/article/micro...n-took-out-this-organizations-entire-network/

Microsoft has detailed the plight of a customer whose entire IT network was brought down after one employee opened a phishing email that delivered the notorious Emotet banking trojan and credential-stealing malware.

Details in Microsoft's account of incident response work for a company it calls 'Fabrikam' line up with a cybersecurity incident disclosed by the US city of Allentown, Pennsylvania, in February 2018, which it expected would cost it $1m to recover from.
The attack knocked out the city's core systems, including its network of 185 surveillance cameras, Associated Press reported at the time.

According to Microsoft, Fabrikam called in Microsoft's Cybersecurity Solutions Group's Detection and Response Team (DART) eight days after the employee had opened the phishing email, by which time its computers and critical systems were failing and its network bandwidth had been completely overrun by Emotet.
Click to expand...

Microsoft: Full Operational Shutdown—another cybercrime case from the Microsoft Detection and Response Team

We received significant positive response from our customers and colleagues and our team has been getting inquiries asking for more reports. We are glad to share the DART Case Report 002: Full Operational Shutdown.

In the report 002, we cover an actual incident response engagement where a polymorphic malware spread through the entire network of an organization. After a phishing email delivered Emotet, a polymorphic virus that propagates via network shares and legacy protocols, the virus shut down the organization’s core services.
In our report, you can read the details of the attack and how DART responded, review the attack lateral progression diagram and learn best practices from DART experts.
Click to expand...

DART Case Report 002: Full Operational Shutdown (PDF - 957 KB):
https://www.microsoft.com/security/blog/wp-content/uploads/2020/04/Case-study_Full-Operational-Shutdown_DART.pdf

Log in or Sign up

Real-life cybercrime stories from DART, the Microsoft Detection and Response Team

guest Guest

guest Guest

Log in or Sign up

Real-life cybercrime stories from DART, the Microsoft Detection and Response Team

guest Guest

guest Guest

Useful Searches