
Additional facts

Two weeks ago, an employee’s workstation began alerting the user, Teri Gussel (tgussel), of suspicious PowerShell activity.
The alert prompted the user to inform L4L’s Cyber Incident Response Department (CIRD). The CIRD began investigating the
messages and also worked with Teri to reset her password. However, later in the day, the workstation virus protection
software alerted the CIRD that a malware program had been executed on Teri’s workstation. L4L immediately contracted with
Cyber Busters, a reputable and highly qualified information security firm, to help the entity investigate and respond to the
suspected intrusion. Simultaneously, L4L began containment and hardening efforts to lock down its environment.

Cyber Busters’ scope of work, as agreed with L4L legal counsel, included the following:
• Determine the scope and timeline of the intrusion
• Determine whether the intrusion was ongoing and the extent of attacker activity within the L4L environment
• Identify the user IDs compromised as a result of the attacker activity
• Determine the type and extent of the data compromised
• Determine whether any malware or ransomware was left behind
• Provide recommendations to secure the environment and prevent future incidents of this type

Through their investigation, Cyber Busters identified that about two months ago, an employee used a company
workstation to access corporate email and clicked a compromised link that allowed a hacker to access the company’s
IT environment.

Highlights of the Cyber Busters investigation and results include the following:
• The employee ID “sfallon”, assigned to Scott Fallon, SOX Program Director, received and downloaded the
malicious document from his corporate email accessed using the company’s laptop.
• The email included a decoy PDF that contained an embedded beacon.dll. Upon opening the PDF file, the
PowerShell command extracted and executed the Cobalt Strike beacon backdoor.
• Three days later, the attacker deployed additional backdoor systems throughout the L4L environment and
continued to do so over two weeks, prior to detection.
• About three weeks after the first intrusion, the attacker sent additional phishing emails to other L4L employees,
two of whom clicked on the malicious links.
• Over the next few weeks, the attacker continued to deploy additional backdoors and moved between multiple
workstations and servers (endpoints) using certain user accounts.
• In total, Cyber Busters identified 9 backdoors and 7 user accounts compromised as a result of the incident.
• Additionally, Cyber Busters “contained” 34 endpoints (workstations and servers), using Cyber Busters
Endpoint Security based on indicators of compromise that identified attacker activity.
• The incident response and remediation included the following “containment and hardening” activities:
    • Disabling or resetting the accounts used by the hacker, terminating attacker sessions, “containing” systems,
      preventing cleartext passwords from being stored in memory and implementing network blocks.
    • Performing an enterprise-wide password reset, including service accounts.
    • Authorizing Cyber Busters to “contain” 34 endpoints based on findings or alerts and deploy their Threat
      Protection software to bolster phishing defenses.
    • Deploying more cybersecurity-related training to those employees who clicked on the phishing links.
• The investigation concluded that L4L was able to “contain” the intrusion in less than 10 days of identifying it.
• Key remediation activities are still ongoing and will be monitored and reported to the Board of Directors on an
ongoing basis.

Because the investigation completed by Cyber Busters concluded that no company or customer data was lost and no
malicious code was left behind, management has decided not to disclose information about the breach outside the Cyber
Incident Response Department (CIRD), C-suite and the legal team. Not even the Internal Audit and IT departments have
been informed of the intrusion.

L4L’s analysis of compromised user accounts

Management identified the accounts that were used by the attacker and determined whether they could have been
used to access systems and data relevant to the financial statements. L4L provided this analysis to EY. Cyber
Busters investigated how the compromised user accounts were used and concluded that the nature of the hacker
activity did not indicate any malicious, harmful activity other than installing backdoors.

See table below:

Account Name | Account Role | User Role / Owner Role | L4L's analysis: Ability to access applications/servers directly relevant to the Company’s financial statements or financial reporting
L4L\tgussel | User | IT Business Analyst | No
L4L\msclark | User | Manufacturing Systems Manager | No
L4L\gxtoni-alt | Admin | Technology Infrastructure Operations - privileged account. A password vault system stores the password to this account. | No
L4L\jmacaleaer-alt | Admin | Admin (privileged) account. A password vault system stores the password to this account. | No
L4L\msteele | User | Recruiting Coordinator | No
L4L\sfallon | User | SOX Director | No
L4L\pimbra | User | OmniChannel Cust Svc Rep | No


Glossary

Term Definition
Backdoor A backdoor refers to any method of circumventing existing security controls, authentication,
or encryption methods used to secure a system.

Cobalt Strike Cobalt Strike is a penetration-testing tool. Malicious actors have used it for years to deploy
“Listeners” on victim machines. Cobalt Strike is used at many levels of intrusion to solve
problems such as post-intrusion exploitation, beaconing for command and control (C2s),
stealth and reconnaissance.
Beacon.dll Beacon.dll is the core functionality of Cobalt Strike and is the code that is used to control an
infected host.
Containment Once an incident is detected or identified, containing it is a top priority. The main purpose of
containment is to limit the damage and prevent further damage from occurring. The earlier
incidents are detected, the sooner they can be contained to minimize damage.

Endpoints An endpoint is a remote computing device that communicates with a network to which it is
connected. Examples of endpoints include:
• Desktops
• Laptops
• Smartphones
• Tablets
• Servers
• Workstations
• Internet-of-things (IoT) devices
Endpoints represent key vulnerable points of entry for cybercriminals. Endpoints are where
attackers execute code and exploit vulnerabilities, as well as where there are assets to be
encrypted, exfiltrated or leveraged.

Hardening A collection of tools, techniques, and best practices to reduce vulnerability in technology
applications, systems, infrastructure, firmware, and other areas. The goal of system hardening
is to reduce security risk by eliminating potential attack vectors and condensing the system's
attack surface.

Incident response The process by which an organization handles a data breach or cyber attack, including the way
the organization manages the consequences of the attack or breach (the “incident”).
Ultimately, the goal is to effectively manage the incident so that the damage is limited and
both recovery time and costs, as well as collateral damage such as brand reputation, are
minimized.

PowerShell PowerShell is a powerful command-line interface that can be leveraged to gain access to a
machine’s inner core, including access to Windows Application Programming Interfaces (APIs).
PowerShell is a useful tool for administrators to automate tedious tasks, but malicious people
can also take advantage of its abilities. Hackers can exploit PowerShell to discover critical
domain information and run malicious executables in memory (also known as fileless malware).
Since PowerShell is installed by default in every system from Windows 7 to Windows Server
2019, it’s a favorite weapon for many attackers.

Vectors Vector, or attack vector, is a path or means by which an attacker can gain unauthorized access
to a computer or network to cause a malicious outcome. Attack vectors allow attackers to
exploit system vulnerabilities, install different types of malware and launch cyber attacks.
