Foxconn Breach: What Happened and How to Protect Your Environment?

December 14, 2020

Taiwanese electronics giant, Foxconn – parent company of Sharp Corp – has recently disclosed that they have been on the receiving end of a ransomware attack, with hackers demanding $34.7 million in bitcoin (1,804 Bitcoin) for the safe return of their data.

The Foxconn Breach

It is reported that the attack was carried out by the well-known cybercrime gang DoppelPaymer. The attack consisted of encrypting around 1,200 servers, stealing 100GB of files and deleting approximately 30TB of backup data.

In a statement to the Taiwan stock exchange, the Taiwanese company confirmed that its internet connection had been restored; it is still unclear whether the ransom was paid.

Detection and visibility

Here at CyberOne we continue to monitor and hunt for relevant indicators of compromise, not only related to this form of attack, but any form of malicious activity that may be occurring. If there are parts of your network that have not been secured, we encourage you to close the gaps.

Visibility of your environment is key to identifying malicious activity. If you don’t know what’s running on your endpoints, how do you know what you’re securing?

Here at CyberOne, our Cyber Defence Centre is powered by SentinelOne, ensuring complete visibility on every endpoint. EDR telemetry feeds into Microsoft Azure Sentinel, where it is correlated with logs from other devices on the network, such as firewalls and Active Directory, so that we always have a full understanding of your environment. This collated data is then enriched with Threat Intelligence (TI), Artificial Intelligence (AI) and known IOCs to ensure that your environment is consistently secure. On top of this, our SOC team is constantly developing new detection techniques and carrying out proactive threat hunting, searching for things such as misconfigured devices, out-of-date software and, of course, malicious processes.

We are committed to helping you secure your environment, so here are a few tips from our team:

  • Deploy a SIEM and 24/7 SOC team to monitor and defend against breaches.
  • Ensure that your environment is covered by your AV/EDR solution. It is important to keep all software up to date.
  • If you need help conducting risk assessments of your estate, or even in securing unprotected devices, CyberOne can help you deploy SentinelOne in minutes, without any business downtime or restarts. This will give you a full insight into your endpoints.
  • Search your environment for the hashes of known offensive security tools (OSTs). These tools may already be on your network, waiting to be used to take control. Create a search across your environment for the following hashes to confirm that none of these OSTs has been seen.

Hashes

Magic Value  SHA256
0xf03d9386 51d8618ec86159327e883615ad8989c7638172cf801f65ab0367e5b2e6af596a
0xa68d9640 d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f
0x53e9cd92 0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc
0x2fb0f795 bfb7e62ba4ad5975e68a1beefb045cb72e056911fd7a8b070a15029dfcbbefe1
0x7900f253 bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4
0x8c64a981 70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4

Here at CyberOne we have created a SentinelOne hunting package that you can input into the visibility section of your SentinelOne console to see if any of the hashes have been observed on your endpoints.

TgtFileSha256 = "51d8618ec86159327e883615ad8989c7638172cf801f65ab0367e5b2e6af596a" OR TgtFileSha256 = "d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f" OR TgtFileSha256 = "0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc" OR TgtFileSha256 = "bfb7e62ba4ad5975e68a1beefb045cb72e056911fd7a8b070a15029dfcbbefe1" OR TgtFileSha256 = "bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4" OR TgtFileSha256 = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4"

Indicators of Compromise (IOCs) used by DoppelPaymer

File Extensions

.doppeled
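For environments without a SentinelOne console, the same two checks (the OST hash list above and the .doppeled extension IOC) can be run directly on a host. The script below is an added example written for this post, not CyberOne or SentinelOne code; it hashes every file under a directory, flags anything matching the listed SHA256 values or carrying the ransom extension, and includes a dry run on a constructed temporary directory (the file names and contents in demo() are made up, not real samples).

```python
import hashlib
import tempfile
from pathlib import Path

# SHA256 values from the table above (the "Magic Value" column is not used here).
OST_SHA256 = {
    "51d8618ec86159327e883615ad8989c7638172cf801f65ab0367e5b2e6af596a",
    "d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f",
    "0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc",
    "bfb7e62ba4ad5975e68a1beefb045cb72e056911fd7a8b070a15029dfcbbefe1",
    "bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4",
    "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4",
}
RANSOM_EXTENSION = ".doppeled"  # extension DoppelPaymer leaves on encrypted files

def sha256_of(path, chunk_size=1 << 20):
    """Stream the file through SHA256 so large files never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_tree(root, ioc_hashes=OST_SHA256, ransom_ext=RANSOM_EXTENSION):
    """Return (path, reason) findings: listed-hash matches and ransom-extension files."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() == ransom_ext:
            findings.append((str(path), f"file carries the {ransom_ext} extension"))
        try:
            file_hash = sha256_of(path)
        except OSError:
            continue  # locked or unreadable files are skipped rather than aborting the scan
        if file_hash in ioc_hashes:
            findings.append((str(path), f"SHA256 {file_hash} matches a listed OST hash"))
    return findings

def demo():
    """Dry run on a constructed directory (not real samples): one benign file, one file with
    the ransom extension, and one stand-in binary whose hash is added to the IOC set."""
    root = Path(tempfile.mkdtemp(prefix="ioc_scan_"))
    (root / "notes.txt").write_bytes(b"benign content")
    (root / "invoice.xlsx.doppeled").write_bytes(b"opaque ciphertext")
    (root / "tool.exe").write_bytes(b"stand-in for a flagged binary")
    iocs = OST_SHA256 | {hashlib.sha256(b"stand-in for a flagged binary").hexdigest()}
    return scan_tree(root, iocs)
```

Run scan_tree() against a real path (for example a user profile or a share) to get the findings list; demo() exercises both detection paths on the constructed directory.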

We’re here to help, we’re here to secure your environments. We’re in this together.