December 14, 2020
Taiwanese electronics giant Foxconn, parent company of Sharp Corp, has disclosed that it was the target of a ransomware attack in which the attackers demanded 1,804 Bitcoin (around $34.7 million at the time) in exchange for a decryptor and the return of the stolen data.
The Foxconn Breach
The attack is reported to be the work of the DoppelPaymer ransomware group. According to those reports, around 1,200 servers were encrypted, roughly 100 GB of files were exfiltrated, and approximately 30 TB of backup data was deleted.
In a statement to the Taiwan Stock Exchange, Foxconn confirmed that network connectivity at the affected site had been restored. Whether the ransom was paid has not been disclosed.
Detection and visibility
Here at CyberOne we continue to monitor and hunt for relevant indicators of compromise, not only related to this form of attack, but any form of malicious activity that may be occurring. If there are parts of your network that have not been secured, we encourage you to close the gaps.
Visibility of your environment is key to identifying malicious activity. If you don’t know what’s running on your endpoints, how do you know what you’re securing?
Here at CyberOne, our Cyber Defence Centre is powered by SentinelOne, giving us visibility of every endpoint it is deployed on. That EDR telemetry feeds into Microsoft Azure Sentinel, where it is correlated with other sources on the network, such as firewall and Active Directory logs, so we have a full picture of your environment rather than isolated alerts. The collated data is enriched with threat intelligence (TI), known IOCs and machine-learning analytics so that malicious activity stands out against normal behaviour. On top of this, our SOC team is constantly developing new detection techniques and running proactive threat hunts for things such as misconfigured devices, out-of-date software and, of course, malicious processes.
We are committed to helping you secure your environment, so here are a few tips from our team:
- Deploy a SIEM and 24/7 SOC team to monitor and defend against breaches.
- Ensure that every endpoint and server in your environment is covered by your AV/EDR solution, and keep all software patched and up to date. Unmanaged or unmonitored hosts are where attackers stage their tooling.
- If you need help conducting risk assessments of your estate, or even in securing unprotected devices, CyberOne can help you deploy SentinelOne in minutes, without any business downtime or restarts. This will give you a full insight into your endpoints.
- Search your environment for the hashes of known offensive security tools (OSTs). Attackers commonly stage such tools on a network ahead of deploying ransomware, so run a search across your estate for the following hashes to confirm that none of them have been observed.
Hashes
| Magic Value | SHA256 |
| --- | --- |
| 0xf03d9386 | 51d8618ec86159327e883615ad8989c7638172cf801f65ab0367e5b2e6af596a |
| 0xa68d9640 | d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f |
| 0x53e9cd92 | 0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc |
| 0x2fb0f795 | bfb7e62ba4ad5975e68a1beefb045cb72e056911fd7a8b070a15029dfcbbefe1 |
| 0x7900f253 | bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4 |
| 0x8c64a981 | 70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4 |
Here at CyberOne we have created a SentinelOne hunting query that you can paste into the Deep Visibility section of your SentinelOne console to see whether any of the six hashes above have been observed on your endpoints. The query uses straight quotes and covers every hash in the table exactly once:
TgtFileSha256 = "51d8618ec86159327e883615ad8989c7638172cf801f65ab0367e5b2e6af596a" OR TgtFileSha256 = "d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f" OR TgtFileSha256 = "0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc" OR TgtFileSha256 = "bfb7e62ba4ad5975e68a1beefb045cb72e056911fd7a8b070a15029dfcbbefe1" OR TgtFileSha256 = "bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4" OR TgtFileSha256 = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4"
Note that TgtFileSha256 matches file events (a binary being written or modified). A file that was dropped before your retention window began will only show up when it is executed, so it is worth running the same hash list against the process image hash fields as well, and widening the time range to the maximum your licence allows.
Indicators of Compromise (IOCs) associated with DoppelPaymer
File Extensions
.doppeled
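For hosts that are not yet covered by an EDR agent, the same hunt can be run locally. The script below is an added example written for this article, not CyberOne's hunting package or SentinelOne code: it walks a directory tree, hashes every file with SHA-256, reports anything whose digest is in the hash table above or whose extension is the ".doppeled" suffix DoppelPaymer appends to encrypted files, and generates the Deep Visibility query from the same hash set so the query cannot drift from the table (a duplicated or omitted hash is the classic copy-paste mistake). The sample directory it builds in `run_demo()` is constructed for illustration; the "dropper.exe" in it is just the bytes `hello`, whose hash is added to the IOC set only for the demo.

```python
"""Local hash and extension hunt for the DoppelPaymer indicators above.

Added example for this article; not CyberOne's or SentinelOne's own code.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes from the table in the article (the six OST hashes).
OST_SHA256 = {
    "51d8618ec86159327e883615ad8989c7638172cf801f65ab0367e5b2e6af596a",
    "d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f",
    "0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc",
    "bfb7e62ba4ad5975e68a1beefb045cb72e056911fd7a8b070a15029dfcbbefe1",
    "bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4",
    "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4",
}

# Extension DoppelPaymer appends to files it has encrypted.
RANSOM_EXTENSIONS = {".doppeled"}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large archives and images are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt(root, hashes=OST_SHA256, extensions=RANSOM_EXTENSIONS):
    """Walk `root` and return a sorted list of (path, reason) for every match.

    A file can appear twice if it matches both a hash and an extension.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in extensions:
                hits.append((str(path), "extension " + path.suffix.lower()))
            try:
                digest = sha256_file(path)
            except OSError:
                # Locked, unreadable or vanished file: skip it, don't abort the sweep.
                continue
            if digest in hashes:
                hits.append((str(path), "sha256 " + digest))
    return sorted(hits)


def build_s1_query(hashes=OST_SHA256, field="TgtFileSha256"):
    """Render the SentinelOne Deep Visibility query from the hash set.

    De-duplicating and sorting makes the output stable and guarantees each
    hash appears exactly once, which is what the hand-written query got wrong.
    """
    terms = [f'{field} = "{h}"' for h in sorted(set(hashes))]
    return " OR ".join(terms)


def run_demo():
    """Build a constructed sample tree and hunt it; returns relative-path hits.

    Constructed data: one 'tool' whose hash we add to the IOC set for the demo,
    one encrypted-looking file, and one benign file that must not be flagged.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "tools" / "dropper.exe").write_bytes(b"hello")
        (root / "share").mkdir()
        (root / "share" / "report.docx.doppeled").write_bytes(b"\x00" * 64)
        (root / "share" / "readme.txt").write_bytes(b"nothing to see")
        demo_hashes = OST_SHA256 | {hashlib.sha256(b"hello").hexdigest()}
        hits = hunt(root, hashes=demo_hashes)
        # Strip the temporary prefix so the result is comparable across runs.
        return [(Path(p).relative_to(root).as_posix(), why) for p, why in hits]


if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"HIT {path}: {reason}")
    print(build_s1_query())
```

To sweep a real host, call `hunt(r"C:\\")` or `hunt("/")` with the default hash set; a hit on a hash is strong evidence of attacker tooling and should go straight to incident response, while a hit on the extension means encryption has already started and the host should be isolated. Hash matching only catches the exact builds listed, so treat an empty result as "these specific files were not seen", not as a clean bill of health.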
We’re here to help, we’re here to secure your environments. We’re in this together.