  #16  
Old 01-13-2021, 12:32 PM
charliedid charliedid is offline
Senior Member
 
Join Date: Mar 2010
Location: Chicago
Posts: 13,051
Wow horrible Keith.

Hope you get it squared away quickly with little or no damage.
  #17  
Old 01-13-2021, 12:35 PM
Keith A Keith A is offline
Administrator
 
Join Date: Dec 2003
Location: Space Coast of FL
Posts: 18,102
Thanks Ari. I have started enabling 2FA and have recommended that our staff do the same. Good idea to tell them to change their passwords, I've already done that myself.
__________________
My '96 CSi & compact CSi
The Paceline . . . Enjoy the ride.
  #18  
Old 01-13-2021, 01:10 PM
jkbrwn jkbrwn is offline
Senior Member
 
Join Date: May 2020
Location: Kernville, CA
Posts: 2,308
If you can, implement a minimum character limit also, if you don't already have one. This will hopefully stop people from just adding an exclamation mark to the end of their password, or something similar.
  #19  
Old 01-13-2021, 01:16 PM
mistermo mistermo is offline
Senior Member
 
Join Date: Feb 2005
Location: Indy, IN
Posts: 3,497
Quote:
Originally Posted by Keith A View Post
Thanks Ari. I have started enabling 2FA and have recommended that our staff do the same. Good idea to tell them to change their passwords, I've already done that myself.
A couple years ago, Outlook was quietly compromised so that every outgoing email copied a hidden and unknown account (later determined by MS to be Russian). As we used the email system to communicate threat mitigation and elimination, they were copied too and rode along. It wasn't until we hired outside people that they discovered the Outlook breach. I'm not IT, but my point is, don't assume they can't see what you're doing if you're online or using email. Go Old School. Telephone.
  #20  
Old 01-13-2021, 01:31 PM
Keith A Keith A is offline
Administrator
 
Join Date: Dec 2003
Location: Space Coast of FL
Posts: 18,102
The flood rate has slowed to a trickle and I've been through all 1,530 emails that came in since midnight, and the only real issue I found was the resetting of our Network Solutions password.

Now I will have to deal with all of the automated emails that I will be getting from these new accounts that have been created. What a pain in the
  #21  
Old 01-13-2021, 01:37 PM
Keith A Keith A is offline
Administrator
 
Join Date: Dec 2003
Location: Space Coast of FL
Posts: 18,102
Quote:
Originally Posted by kppolich View Post
Resubmit your sitemap to Google Search Console so they can scan. We just ran into something similar with a client. Attacked by BitTorrent miners and they installed some junk in some necessary files for a few websites.

-KP
Done. Thanks for the tip.
  #22  
Old 01-13-2021, 02:01 PM
duff_duffy duff_duffy is online now
Senior Member
 
Join Date: Jan 2017
Location: southern NJ
Posts: 2,757
We had our credit card stolen recently. Received sign up notices for hundreds of online sites (free stuff like online magazines)...within the 100’s of messages were the real emails showing that we were buying things. Luckily picked up on it and cancelled card immediately. Just throwing it out there if your personal account gets swamped they may be trying to “hide” other activities. I think that’s why they signed us up for so many!
Reply With Quote
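The pattern described in this post, a flood of sign-up mail burying the few messages that matter, can be triaged mechanically. The sketch below is an added example, not part of the thread: it ranks messages by subject and sender domain, and the provider list, regexes and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subjects that indicate a real account or payment event.
SIGNAL = re.compile(
    r"password (was )?(reset|changed)|reset your password|order confirm|receipt|"
    r"payment|new (sign-in|login|device)|email address (was )?changed", re.I)
# Subjects typical of the mass sign-up mail that buries them.
NOISE = re.compile(r"welcome|confirm your (subscription|email)|newsletter|thanks for s", re.I)

def triage(raw_messages, my_providers):
    """Return (priority, subject, sender_domain), most urgent first.

    my_providers: domains of services where you really hold accounts
    (assumption: you can list them). Priority 2 = security/payment subject
    from a known provider, 1 = either signal alone.
    """
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        subject = msg.get("Subject", "")
        domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        known = any(domain == d or domain.endswith("." + d) for d in my_providers)
        if SIGNAL.search(subject):
            hits.append((2 if known else 1, subject, domain))
        elif known and not NOISE.search(subject):
            hits.append((1, subject, domain))
    return sorted(hits, key=lambda h: -h[0])

# Constructed sample flood: two sign-up mails hiding two real events.
SAMPLE = [
    "From: FreeMag <news@freemag.example>\nSubject: Welcome to FreeMag!\n\nhi",
    "From: support@registrar.example\nSubject: Your password was reset\n\n...",
    "From: lists@digest.example\nSubject: Confirm your subscription\n\n...",
    "From: Store <orders@store.example>\nSubject: Order confirmation #1001\n\n...",
]

if __name__ == "__main__":
    for priority, subject, domain in triage(SAMPLE, {"registrar.example"}):
        print(priority, domain, subject)
```

The From header can be spoofed, so a hit is a reason to log in to the provider directly and check the account, not to follow links in the message.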
  #23  
Old 01-13-2021, 06:55 PM
Keith A Keith A is offline
Administrator
 
Join Date: Dec 2003
Location: Space Coast of FL
Posts: 18,102
Thanks again for everyone's help. I've spent the entire day working on this issue. I feel pretty confident that they didn't gain access to any of our email accounts, nor did they make any changes to our domain settings.

I have added 2FA on a number of accounts and changed passwords as well. One thing that was interesting is that a company as big as Network Solutions doesn't have an easy way to do 2FA. You have to jump through some hoops to make this happen.
  #24  
Old 01-13-2021, 07:33 PM
thegunner thegunner is offline
tailgunning
 
Join Date: Nov 2009
Posts: 5,660
Quote:
Originally Posted by jkbrwn View Post
If you can, implement a minimum character limit also, if you don't already have one. This will hopefully stop people from just adding an exclamation mark to the end of their password, or something similar.
this is one of the least effective password requirements in terms of security, length of password isn't really a true deterrent anymore.
  #25  
Old 01-13-2021, 08:36 PM
CKT88 CKT88 is offline
Member
 
Join Date: Oct 2019
Posts: 93
Quote:
Originally Posted by Latestart View Post
You need to get to the leader of the business immediately.

What you are describing is a possible business-disabling hack. If you don't have internal skills, hire outside help.

If *secure* passwords are being misused, you likely have lost control over your environment and your customer and employee data is compromised, including payroll, bank and other mission critical information.

Time is your enemy...
This. I work in cyber security at a large firm with lots of security and can't recommend this enough.
  #26  
Old 01-13-2021, 11:29 PM
jkbrwn jkbrwn is offline
Senior Member
 
Join Date: May 2020
Location: Kernville, CA
Posts: 2,308
Quote:
Originally Posted by thegunner View Post
this is one of the least effective password requirements in terms of security, length of password isn't really a true deterrent anymore.
Note how I said 'also' as in, on top of the previous MFA suggestion, implement a minimum password length so that people cannot just add on a character or two to their potentially short, 8 character password.

Also, I don't totally agree with that. I have 50 character passwords on most site/systems. It's far more challenging to crack a 50 character password than it is an 8 character password.

But I also appreciate that password length is irrelevant if someone gets phished.

Last edited by jkbrwn; 01-13-2021 at 11:32 PM.
  #27  
Old 01-14-2021, 03:37 AM
Neil Neil is offline
Senior Member
 
Join Date: Sep 2013
Posts: 1,242
It’s a pain, but I’d recommend two factor/MFA for every single account, and then looking into how you can lock down accounts that can’t have it- meeting rooms etc. MSFT removed the maximum number of wrong passwords limit a while ago which was a green light for brute-forcing accounts that didn’t have MFA. Next issue is that O365 will bypass MFA for certain applications, which can then be used maliciously, but that’s an area where you are going to need to invest to bring in proper controls.

I’ve personally used Google Authenticator and Yubikey, both are good solutions, Google Authenticator is harder (for me!) to lose as it’s on my phone.

In terms of a review, and as has been said- check the (potentially) compromised accounts for new forwarding rules, and check the out of band contact details for the account have not been changed- the phone number associated with the account is key, if they change that then they’ll be able to get whatever new password you set changed again.

We (cyber security company) often deal with bad-actors who have gained access and then established a persistent presence within companies, moving around within the org until they have mapped the structure and identified what they can exploit. Reviewing log data to see who is logging into what accounts (and from where, although that’s a pretty blunt tool that any competent attacker will be on top of) is useful, amongst a range of other approaches. If it’s not your role though it’s probably wise to get an external expert/s in to take a look.

Good luck with it.
Reply With Quote
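The review steps in the post above (new forwarding rules, changed out-of-band contact details, who is signing in from where) can be run as one pass over exported account events. This is an added example, not part of the thread; the event field names, the `company.example` domain and the sample records are hypothetical and would need mapping to whatever your mail provider actually exports.

```python
from collections import defaultdict

def review(events, own_domain, baseline_logins=2):
    """Flag external forwarding rules, recovery-contact changes and sign-ins
    from a country not seen in the account's earlier history."""
    countries = defaultdict(set)   # user -> countries seen so far
    logins = defaultdict(int)      # user -> sign-ins seen so far
    findings = []
    for e in sorted(events, key=lambda e: e["time"]):
        user, action = e["user"], e["action"]
        if action == "login":
            # Location is a blunt signal, so treat a hit as a prompt to look
            # closer at the account, not as proof of compromise.
            if logins[user] >= baseline_logins and e["country"] not in countries[user]:
                findings.append((e["time"], user, "login from new country " + e["country"]))
            countries[user].add(e["country"])
            logins[user] += 1
        elif action == "forward_rule_added":
            if not e["target"].lower().endswith("@" + own_domain):
                findings.append((e["time"], user, "forwarding to external " + e["target"]))
        elif action == "recovery_phone_changed":
            findings.append((e["time"], user, "recovery phone changed"))
    return findings

# Constructed events; the schema is hypothetical, not a real product's log format.
EVENTS = [
    {"time": "2021-01-10T09:02", "user": "staff1", "action": "login", "country": "US"},
    {"time": "2021-01-11T08:55", "user": "staff1", "action": "login", "country": "US"},
    {"time": "2021-01-13T03:14", "user": "staff1", "action": "login", "country": "NL"},
    {"time": "2021-01-13T03:16", "user": "staff1", "action": "forward_rule_added",
     "target": "drop@mail.example"},
    {"time": "2021-01-13T03:20", "user": "staff1", "action": "recovery_phone_changed"},
    {"time": "2021-01-13T10:00", "user": "staff2", "action": "forward_rule_added",
     "target": "staff1@company.example"},
]

if __name__ == "__main__":
    for finding in review(EVENTS, "company.example"):
        print(*finding)
```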