Work getting hacked?

Anyone else find that their work is constantly under attack from phishing and even targeted attacks? I work for law firms and it is constant. I think the problem is far worse than anyone is letting on, and all these companies getting hacked don't advertise that because they lose business. So it's all kept secret.

To be honest it is getting ridiculous. We have several layers of protection and they still manage to get through, and these days it seems when they get through they really do a number and root the whole network. It is a nightmare; I really don't think IT is paid enough for that. It just seems to me like they are losing the battle. We even had a phone call from some guy trying to social engineer remote access.

We have the obvious firewall, OpenDNS filtering, Sophos web protection and endpoint, Mimecast email security and URL filtering. All the clients are locked down. But yet we still have trojans getting through, from the web or email. Webmail is a big attack vector as well.
 
Education of users is your best defence against email based malware and social engineering. The latter is where education is the only solution.
 
Anyone else find that their work is constantly under attack from phishing and even targeted attacks?

When I worked at Messybeast that was certainly the case. Indeed, at one time I had a firewall at home that logged all the attempts to hack my home network.

Ultimately it comes down to user education. Just don't click that link.
 
Meh, come back when your users manage to Cryptolocker their servers. Boomin thing sucks!

This is exactly the sort of thing I am talking about. I just inherited a site that was hit with cryptolocker. It was removed and restored from backup ok but I still think they are in the network. I am probably paranoid but I can't see them just getting removed by a virus scan these days.

Then I had to deal with an attack a few months ago where another company that the company I work for does seminars with was hacked. They apparently sent out a mass mailer using their mailer system with a macro malware Word doc to all the client list. It was a very well crafted email and got through on all the whitelists. Now we block macros, but still a big attack. I bet they got about 1000 botnet from that. It managed to infect our network and the finance director even forwarded the email to the whole firm with the attachment, warning them not to open it. Crazy.
 
We're seeing it a lot. Fortunately people are getting better at spotting things - yesterday a director flagged an email saying his iPhone was going to be locked because he hadn't responded to xyz. He thought, hang on, my iPhone is my personal phone, not linked to my work address.

Good boy :D
 
I work in IT and yeah, it's pretty normal. My last company was always getting attacks from China and Russia but they never actually got in.
 
I would hazard a guess that it's relatively random, and whilst targeted against businesses (they have more to lose, are more likely to have funds available and therefore are more likely to pay up), not necessarily targeted against your particular company (unless you happen to be a multinational mega-corp, or have seriously ****** someone off ;))

But yes, having previously worked as an infrastructure manager, it's definitely a constant thing!
 
Education is by far the best form of defence and probably the cheapest.

However we withhold any executables and zip files, which can be a pain when they're legitimate, but more often than not it's a virus or the current trend of Office docs with embedded macros.

Some of the targeted ones are pretty damn clever mind, we've had emails come in with our own headers and the only thing that stuck out was it being an old one with a previous address.
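The attachment policy described in the post above (withhold executables and zips, treat Office documents with embedded macros as hostile) can be checked mechanically. The script below is an added example, not code from this thread or from any product mentioned in it; the blocked-extension list and the "quarantine" verdict are assumed policy, and the Office documents it inspects are constructed in memory. It relies on one fact about the format: an Office Open XML file is a zip container, and a macro-enabled document carries its VBA code in a part named vbaProject.bin.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Attachment types withheld outright (assumed policy, mirroring the post above).
BLOCKED_EXTENSIONS = {".exe", ".zip", ".js", ".scr", ".com", ".bat"}
# Office Open XML types that are zip containers and may carry a VBA project.
OFFICE_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm", ".dotm"}


def has_vba_project(data: bytes) -> bool:
    """Return True if an OOXML document embeds a VBA project.

    Macro-enabled documents store their code in a zip part called
    vbaProject.bin (usually under word/, xl/ or ppt/).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(PurePosixPath(n).name.lower() == "vbaproject.bin"
                       for n in zf.namelist())
    except zipfile.BadZipFile:
        # Not a zip container at all: legacy binary format, corrupt, or disguised.
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'quarantine' or 'allow' for one attachment."""
    ext = PurePosixPath(filename.lower()).suffix
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if ext in OFFICE_EXTENSIONS:
        # An Office extension on something that is not a zip is itself suspicious.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            return "quarantine"
        if has_vba_project(data):
            return "quarantine"
    return "allow"


def build_office_doc(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like zip for demonstration (constructed sample,
    not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_office_doc(True)),   # macro-enabled -> quarantine
        ("agenda.docx", build_office_doc(False)),   # plain document -> allow
        ("report.docx", b"MZ\x90\x00 not a zip"),   # lies about its type -> quarantine
        ("tool.exe", b"MZ"),                        # executable -> block
        ("notes.txt", b"hello"),                    # harmless -> allow
    ]
    for name, blob in samples:
        print(f"{name}: {classify_attachment(name, blob)}")
```

Checking for the VBA part catches the case the post mentions (macros inside an otherwise ordinary-looking document) regardless of whether the sender used a .docm or renamed the file; the non-zip check catches executables or legacy binaries renamed to look like modern Office files.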
 
We swapped up our FTP solutions with a GlobalScape product. That thing is constantly being slammed with attempts from China. Must be bots but our malicious settings are so high!
 
It's pretty much endless 24/7 these days. Our email is hosted remotely, so much of it never actually gets to Outlook, and there are only the two of us in the office, but even then reviewing the junk mail folder shows hundreds added daily.

I've lost count of how many undetected variants of the Win32/Kryptik.DQEG trojan I have submitted to ESET who, it has to be said, are really good at updating signatures.
 
It was removed and restored from backup ok but I still think they are in the network.

And that's the thing with APT type attacks, it's very hard to know what's actually been going on unless you've got the tools in place to detect and investigate.

Have you got any sort of SIEM solution on the network to see what's going on from a behaviour point of view?

Even something simple as monitoring outbound traffic, see where stuff is going or potentially calling home.

As has been said, education is one of the most effective tools in the box, but we all know it can be frustratingly hard to get people to listen and think!

I've lost count of how many undetected variants of the Win32/Kryptik.DQEG trojan I have submitted to ESET who, it has to be said, are really good at updating signatures.

That's one of the problems if you're just using signature based technology, you have to have seen the attack variant before you can start to protect against it. Which is no good the first time it hits :)
 
And that's the thing with APT type attacks, it's very hard to know what's actually been going on unless you've got the tools in place to detect and investigate.

Have you got any sort of SIEM solution on the network to see what's going on from a behaviour point of view?

Even something simple as monitoring outbound traffic, see where stuff is going or potentially calling home.

As has been said, education is one of the most effective tools in the box, but we all know it can be frustratingly hard to get people to listen and think!

That's one of the problems if you're just using signature based technology, you have to have seen the attack variant before you can start to protect against it. Which is no good the first time it hits :)

We have a managed firewall which makes monitoring traffic even more difficult. I could request that the managed firewall people monitor traffic and look for any international connections or connections out of hours.

I know what you mean though, that is really the only way to see if there is still an underlying infection that is keeping quiet and slowly getting root on the network.

The site that was hit by cryptolocker has a major problem with one DC; it almost looks like someone has been attacking it from internal. The svchost was running at 100% CPU usage as a result of Windows Update. The DC was completely unpatched and it would probably be the first thing that an attacker would go for, the DC. Also noticed corrupted group policy, but only on the one DC. I moved the roles and will demote the DC next week.

AppLocker?

Not sure what you mean by AppLocker?
 
We have a managed firewall which makes monitoring traffic even more difficult. I could request that the managed firewall people monitor traffic and look for any international connections or connections out of hours.

I know what you mean though, that is really the only way to see if there is still an underlying infection that is keeping quiet and slowly getting root on the network.

The site that was hit by cryptolocker has a major problem with one DC; it almost looks like someone has been attacking it from internal. The svchost was running at 100% CPU usage as a result of Windows Update. The DC was completely unpatched and it would probably be the first thing that an attacker would go for, the DC. Also noticed corrupted group policy, but only on the one DC. I moved the roles and will demote the DC next week.

Yeah we had a single vector for the infection, but what we noticed is that the latest versions have started scanning site IP ranges looking for other clients and servers.

It then started looking for more sites to infect, the damn thing is dangerous on a large network if you don't find it soon after infection.

It only managed an hour before we were on 'like a car bonnet' but by that time it had managed to encrypt files in areas of 3 servers.
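Two things in this thread come down to looking at connection logs: the earlier suggestion to watch outbound traffic for hosts calling home (out-of-hours or to unexpected countries), and the observation just above that newer cryptolocker variants scan the site's IP ranges for other clients and servers. The script below is an added example, not code from this thread or from any firewall or SIEM product; the log format, the sample lines, the country lookup table and the business-hours window are all constructed for the demonstration. It flags three behaviours over the same log: external destinations contacted out of hours or outside an allowed country list, a host contacting one external address at near-constant intervals (a call-home pattern), and an internal host touching many internal peers on the same port (lateral scanning).

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound-connection log lines (assumed format:
# "YYYY-MM-DD HH:MM:SS src_ip dst_ip:dst_port bytes"); not from any real firewall.
SAMPLE_LOG = """\
2015-11-03 09:12:01 10.0.1.25 198.51.100.7:443 5120
2015-11-03 02:17:44 10.0.1.40 203.0.113.9:8080 812
2015-11-03 02:27:45 10.0.1.40 203.0.113.9:8080 815
2015-11-03 02:37:44 10.0.1.40 203.0.113.9:8080 809
2015-11-03 10:03:10 10.0.1.12 10.0.1.5:445 3000
2015-11-03 10:04:00 10.0.1.77 10.0.1.2:445 60
2015-11-03 10:04:01 10.0.1.77 10.0.1.3:445 60
2015-11-03 10:04:02 10.0.1.77 10.0.1.4:445 60
2015-11-03 10:04:03 10.0.1.77 10.0.1.5:445 60
2015-11-03 10:04:04 10.0.1.77 10.0.1.6:445 60
2015-11-03 10:04:05 10.0.1.77 10.0.1.7:445 60
2015-11-03 10:04:06 10.0.1.77 10.0.1.8:445 60
2015-11-03 10:04:07 10.0.1.77 10.0.1.9:445 60
2015-11-03 10:04:08 10.0.1.77 10.0.1.10:445 60
2015-11-03 10:04:09 10.0.1.77 10.0.1.11:445 60
2015-11-03 10:04:10 10.0.1.77 10.0.1.12:445 60
2015-11-03 10:04:11 10.0.1.77 10.0.1.13:445 60
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Constructed stand-in for a GeoIP lookup; a real deployment queries a proper database.
COUNTRY_BY_PREFIX = {ipaddress.ip_network("198.51.100.0/24"): "GB",
                     ipaddress.ip_network("203.0.113.0/24"): "XX"}
ALLOWED_COUNTRIES = {"GB"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 counts as working hours (assumed)


def parse_log(text):
    """Parse the constructed log format into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, size = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        events.append({"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
                       "src": ipaddress.ip_address(src),
                       "dst": ipaddress.ip_address(dst_ip),
                       "port": int(dst_port),
                       "bytes": int(size)})
    return events


def country_of(ip):
    for prefix, country in COUNTRY_BY_PREFIX.items():
        if ip in prefix:
            return country
    return "??"


def suspicious_external(events):
    """External destinations contacted out of hours or in a country not on the allow-list."""
    hits = []
    for e in events:
        if e["dst"] in INTERNAL:
            continue
        reasons = []
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("out-of-hours")
        if country_of(e["dst"]) not in ALLOWED_COUNTRIES:
            reasons.append("country")
        if reasons:
            hits.append((str(e["src"]), str(e["dst"]), reasons))
    return hits


def find_beacons(events, min_hits=3, jitter_seconds=5):
    """Hosts talking to one external address at near-constant intervals (call-home pattern)."""
    by_pair = defaultdict(list)
    for e in events:
        if e["dst"] not in INTERNAL:
            by_pair[(str(e["src"]), str(e["dst"]))].append(e["ts"])
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter_seconds:
            beacons.append((src, dst, round(sum(gaps) / len(gaps))))
    return beacons


def find_internal_scanners(events, min_targets=10):
    """Internal hosts reaching many distinct internal peers on one port (lateral scanning)."""
    targets = defaultdict(set)
    for e in events:
        if e["src"] in INTERNAL and e["dst"] in INTERNAL:
            targets[(str(e["src"]), e["port"])].add(e["dst"])
    return [(src, port, len(t)) for (src, port), t in targets.items() if len(t) >= min_targets]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("out-of-hours / wrong-country:", suspicious_external(evs))
    print("beacons (src, dst, interval s):", find_beacons(evs))
    print("internal scanners (src, port, hosts):", find_internal_scanners(evs))
```

The thresholds (three hits with at most five seconds of jitter for a beacon, ten distinct peers for a scanner) are starting points to tune against a baseline of normal traffic; on a site using a managed firewall, the same questions are what to put in the monitoring request to the provider.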
 