Module 9 Incident Response Template

Bellevue Bank and Trust Cybersecurity Incident Report Juan Rodriguez Reported By: Mike Simms Date of Report: Thursday, September 17, 2023 Title/Role: Junior Analyst Incident No: 02 Incident Severity: Negligible: Minor: Severe: Critical: X TLP: White: Green: Amber: Red: X CYBERSECURITY INCIDENT INFORMATION Date of Incident: Thursday, September 17, 2023 Time of Incident: 9:48 a.m. CST Incident Manager: Bruce Edwards Title/Role: Security Operation Center Manager Phone: 123-458-4100 Email: Bedwards@bbtrust.org Location: Bellevue, NE Specific Area: Bellevue Bank and Trust Incident Type: Ransomware No. of Hosts Affected: 3 Source IP Address IP Address: 10.103.14.47, 10.103.52.55, 10.104.25.6 Computer/Host: Operating Systems: Windows Other Applications: Incident Background: On Wednesday, September 15, 2021, at 6:00 PM CST, the Security Operation Center (SOC) detected a phishing email from crownpension@rosemoreinc.com targeting 150 employees. Proofpoint successfully blocked the emails between 4:30 PM and 6:00 PM CST. The following day, Thursday, September 16, 2024, at 9:30 AM, the SOC received an alert regarding a new ransomware variant attacking American and Canadian banks via phishing emails. A conference call was held at 11:00 AM involving the SOC, Threat Intelligence, server engineering, desktop services, the Bank’s help desk, and business technology teams. At 10:00 PM, the SOC was alerted by the Endpoint Detection and Response (EDR) tool about a suspicious file, "ATTN: Bank COVID-19 Response Update.docx," originating from a virtual desktop and a back-office computer. The EDR tool successfully blocked the file, and a case was opened by Junior Analyst Sandra Williams. On Friday, September 17, 2021, at 9:48 AM, the help desk reported employees receiving a ransomware message, leading to Junior Analyst Mike Simms opening a case. At 10:26 AM when users reported difficulty accessing files, the CIO's laptop displayed the ransomware message at 10:45 AM. The SOC manager declared an incident at 10:52 AM, leading to the formation of the Computer Incident Response Team (CSIRT). A series of tasks were assigned, including isolating infected computers, deleting phishing emails, identifying, and deleting the malicious

document, and stopping the encryption source. By 11:10 AM, emails from the attacker were deleted, and at 11:15 AM, a query was ran to identify and delete files associated with the attack. At 11:28 the CIO's laptop was determined to be the source of the encryption. Malware analysis results were received at 12:05 PM, and IOCs were added to the DNS blocklist. By 2:35 PM, forensic images of compromised laptops were completed. Server engineering finished restoring directories at 5:45 PM, and CSIRT closed the incident at 9:27 PM. On Monday, September 20, 2021, at 8:00 AM, compromised laptops were returned with a new image, followed by a debrief conference call at 11:00 AM. Incident Description: On September 17, 2021, Bellevue Bank and Trust faced a ransomware incident caused by a phishing attempt. The incident involved a malicious document, that led to employee disruptions due to encrypted files. The encryption occurred due to the CIO’s laptop being compromised. Once compromised, attackers were able to gain access to most directories and shared files due to his clearance. The CSIRT responded by isolating infected systems, deleting phishing emails, and restoring encrypted folders. Malware analysis led to DNS and firewall updates, addressing operational disruptions, financial impacts, and reputational concerns. Ongoing efforts focus on rebuilding trust and implementing long-term security measures. Events Timeline: Wednesday September 15, 2021 - At 6:00m pm security operation center (SOC) detected a phishing email sent to 150 employees from crownpension@rosemoreinc.com - Proofpoint blocked the emails between 4:30 pm – 6:00 pm CST. Thursday, September 16, 2021 - At 9:30 Security operation center received an alert from Financial Services Information Sharing and Analysis informing that American and Canadian banks are being attacked by phishing emails with a new ransomware variant. - At 11:00 AM SOC and Threat Intelligence held a conference call with server engineering, desktop services, the Bank’s help desk, and business technology to inform them. - At 10:00 PM EDR alerted security operation center of strange behavior of a file name ATTN: Bank COVID-19 Response Update.docx coming from a virtual desktop instance and a back-office computer - EDR tool detected it and blocked the files from executing. - Security operation center updated the Managed Security Service Provider. - Junior Analyst Sandra Williams opened a case stating the two alert logs as followed: Hostname IP Username Time vdi15a22.bbtrust.com 10.45.16.32 asmith 10:55 p.m. CST lincolnbackoffice15.bbtrust.com 10.105.127.134 Jgarcia 11:02 p.m. CST - Sandra obtained Word Document MD5 Hash: 5cb9cff7e12b6c1d8724ab8f8a10555e from ATTN: Bank COVID-19 Response Update. Friday September 17, 2021 - At 9:48, Junior Analys Mike Simms received a call from help desk staff Jordan Brands stating two employees have message on their screen stating, “All your files are encrypted!” - Employees were unable to access email, local documents, internet, and corporate intranet. - Mike Simms opens a case using the bank’s incident response platform and reviews the MSSP. - Mike finds that the MSSP scanned for the MD5 hash from the previous night, and no results came back. - MSSP detected an email containing the malicious document ATTN: Bank COVID-19 Response Update.docx as an attachment, which was sent to 10 bank addresses from phishing@uottawa.ca

- At 11:10 am, Sandra and Exchange administrator Kevin Silkwood delete emails from lisa.trudell@genworth.com from user’s mailboxes. - Sandra also deletes the email through the bank’s security program. - Below is a report of the breakdown of emails of who received, download, opened, and reported Username Received Downloaded Opened Reported Hostname skopsa@bbtrust.com X X X l55cm2.bbtrust.com mmichelson@bbtrust.com X X X mgr257.bbtrust.com csullivan@bbtrust.com X X X ciso1.bbtrust.com mmedows@bbtrust.com X N/A dmiller@bbtrust.com X X X l62t51.bbtrust.com ebrown@bbtrust.com X N/A srodriguez@bbtrust.com X X X l51g5.bbtrust.com mwilson@bbtrust.com X N/A sburke@bbtrust.com X N/A lhayden@bbtrust.com X N/A - At 11:15 am, Mike Simms ran a query using the bank’s Velociraptor endpoint visibility platform to search for the following name files and hashes ATTN: Bank COVID-19 Response Update.docx or ATTN: Updated Bank COVID-19 Response Update.docx or hashes on endpoints matching 5cb9cff7e12b6c1d8724ab8f8a10555e or dcc43f6872da3da500be2562cd0b2789. - At 11:25 am, Mike Simms hands the results to Junior Analyst Lee Mulling which he deletes the files found. Hostname IP Username Path l55cm2.bbtrust.com 10.103.14.47 skopsa C:\Users\skopsa\Documents mgr257.bbtrust.com 10.103.52.55 mmichelson C:\Users\\Documents cio1.bbtrust.com 10.104.25.6 csullivan C:\Users\csullivan\Desktop - At 11:28 am, Mike Simms finds that cio1.bbtrust.com at 10.104.25.6 has accessed many files on the following file shares. Which, was determined it was the CIOs laptop - Due to the CIOs laptop who had access to the bank’s file shares. It had given access to most all shares and directories on the file server, it led to the encryption. - At 11:45 am, An update was given to the computer incident response team manager (CSIRT), Bruce. - Mike and Don Sanders begin to restore directories/shares that were encrypted. @12:05 pm - At 12:05 pm, Josh Pierce reports his malware analysis providing a list of IOCs to be able to add to the DNS blocklist. The list consist of o Domains  yoursuperservice.com  zapored.com  arcnew.com  aerodx.com  avetoo..com  banolik.com  fangulf.com

 kuxizi.com  rosemoreinc.com  genworth.com  uottawa.com o email  crownpension@rosemoreinc.com  phishing@uottawa.ca  lisa.trudell@genworth.com o IP Addresses  142.234.157.164  108.52.12.100  104.244.154.112  102.195.100.204  192.111.149.58  205.221.186.24 o MD5 Hashes  5cb9cff7e12b6c1d8724ab8f8a10555e  dcc43f6872da3da500be2562cd0b2789  0615d36031bf3da7ec68c5f2d46d4c04  784c7b3c4131cf0f8ac3d38feb1f378b  0dedfa96043208167f8deb5cc652909a  06122d9d3f5fd498c75e1894684d7659  7e7023a81ca8f0d86211899ca85a5ba8 - At 1:36 pm, Mike Simms requested approval of an emergency change to be able to add the IOCs to the DNS blocklist and temporary IP address firewall block rules. - At 2:35 pm. Analyst Silvester Jones completes the forensic images of the three compromised laptops and hands the laptops to desktop services for reimaging. - At 5:45 pm, server engineering finishes restoring directories on the file share that were encrypted by the CIOs laptop. - At 9:27 pm, CSIRT closes incident WebEx and conference call. Monday September 20, 2021 - At 8:00 am, desktop services return compromised laptops with a new image to the CIO and two employees. - At 11:00 am, CSIRT holds a debrief conference call to discuss the following incident. o No new ransomware activity or phishing emails detected over the weekend. o The Word document took advantage of CVE-2021-4044 MSHTML zero day. o Patches for the MSHTML are available and were in the process of being deployed but KB5005573 had not been deployed to the three endpoints suffering the attack. o Patching had been disabled on the CIO laptop including EDR and Anti-virus updates. o A new vulnerability in Proofpoint allowed the email to evade detection. The vulnerability was fixed by Proofpoint over the weekend. o Files stored locally on the laptops were unrecoverable as the bank would not be paying a ransom for the files. Some work was lost but the loss was not devastating to the employees or bank.

After malware analysis, a list of IOCs was created to block and prevent any future incidents. The network can implement a DNS blocklist and IP address firewall rules to prevent malicious entities from connecting. After the incident the following domains, email, IP addresses were blocked. o Domains  yoursuperservice.com  zapored.com  arcnew.com  aerodx.com  avetoo..com  banolik.com  fangulf.com  kuxizi.com  rosemoreinc.com  genworth.com  uottawa.com o email  crownpension@rosemoreinc.com  phishing@uottawa.ca  lisa.trudell@genworth.com o IP Addresses  142.234.157.164  108.52.12.100  104.244.154.112  102.195.100.204  192.111.149.58  205.221.186.24 Forensic Analysis Overview: During the analysis, Josh Pierce identified a list of IOCs that included domains, email addresses, IP addresses, and MD5 hashes associated with malicious activities. IOCs were able to provide valuable insights into the attack and update the DNS blocklists and IP address firewall rules to prevent further communication with malicious entities. Forensic analysis also revealed that the CIO's laptop, identified as cio1.bbtrust.com IP address 10.104.25.6, had accessed numerous files on critical file shares, leading to the encryption of them. Analyst Sylvester Jones performed forensic imaging on the three compromised laptops, capturing a snapshot of the systems at the time of the incident. The forensic images were then handed over to desktop services for reimaging, ensuring a clean and secure state for the devices.

Containment Actions: Upon identifying the systems that were compromised, the CSIRT initiated the isolation process from the network. This included usernames skopsa, mmichelson, and csullivan to prevent further spread. Deletion of the phishing emails from lisa.trudell@genworth.com were removed from all emails to prevent further spread. The same was done with using the MD5 that was generated from the ATTN: Bank COVID-19 Response Update.docx and ATTN: Updated Bank COVID-19 Response Update.docx. After analyzing the malware, an IOCs was created to update the DNS blocklists and temporary IP address firewall block rules; to mitigate any risk of further infections. One last scan of the IOCs was done to guarantee no files were missed. The CSIRT team initiated the restoration of encrypted directories and shared files. This meant deleting compromised directories and using the backup systems to restore the data. Findings/Root Cause Analysis: On September 17, 2021, Proofpoint did not block phishing emails since the attacker was able to find a vulnerability to evade detection. The email contained a malicious document that reached bank users. The malicious document was opened by three users with one of the users being the CIO. Due to the CIO’s extensive access to critical file shares it led to widespread of folders to be encrypted. The ransomware took advantage of CVE-2021-4044, a MSHTML zero-day exploit. Patches were available but weren’t deployed. Remediation: Implemented the patch CVE-2021-4044, MSHTML zero-day exploit, and ensured it was deployed across all endpoints. The next step, we updated Proofpoint and tested it to ensure it would block similar ransomware in the future. Next, we reimaged the compromised laptops, to ensure the removal of all threats. A review of access control and permissions was done to verify what needs to be granted to employees and CIO. Implementing the principle of least privilege to keep critical file shares and directories protected. A review of EDR tools was done and updated to strengthen endpoint security. Final Recommendation: We will need to evaluate our user awareness training. Focus on enhancing it to raise awareness about phishing emails threats and allow our staff to be educated on detecting phishing emails. Implement a system on how phishing emails can be reported. Set procedures and policies for patch management, this will ensure patches are deployed in a timely manner and know vulnerabilities are being addressed. Include threat intelligence to be able to stay informed with new threats and identify vulnerabilities before they are exploited. Review all security tools to ensure they are up to date and continue to update. Further discuss the need of new tools such as SIEM to be able to assist security team to detect threats sooner. Definitions: Proofpoint- a cloud-based solution for threat protection, email security, and compliance. This allows us our company to ensure there are no email-based threats.