SANS Institute is under a phishing attack

August 20, 2020

What happened?

SANS Institute conducted its regular email configuration and rules review on the 6th of August. During the review it identified a suspicious forwarding rule and immediately started the incident response process. The discovered rule sent 513 emails from an employee’s account to some external address. The stolen data contained email addresses, names, surnames, countries of living, positions, company names, working phone numbers, company verticals and addresses of people registered for SANS Digital Forensics & Incident Response (DFIR) Summit.

The security incident was a result of the phishing email, received by one of the organization’s employees. He did not manage to recognize the fake email, followed the fraudulent instructions, and compromised his corporate email account. Though there was no malware deployed to his endpoint, the attack used a malicious O365 add-in on the server side.

Fortunately, SANS managed to identify the phishing attack quickly. On the average it takes companies from 6 weeks to 6 months to recognize a security incident like this. They removed the malicious code and conducted a full risk assessment according to the European legislation. Most of the compromised data turned out to be public, and the potential damage to the clients was not significant.

How to protect your company?

Train your employees to recognize manipulation of their emotions and other signs of the phishing emails. First of all, it refers to non-IT teams inside any organization, including security and cyber security companies
Constantly monitor (or at least regularly check) security events and review the discovered anomalies to timely identify suspicious activity and early signs of cyber-attacks
If you detected some personal data compromised, act according to GDPR
If you do not know how to act fast and properly in case of a security incident, contact our Incident Response team any time during the day or even at night

Image by Zab Consulting

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_150416163_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
visitor_id909942-hash	10 years	No description

Cookie	Duration	Description
lpv909942	30 minutes	No description
visitor_id909942	10 years	No description

Maze ransomware knocks another tech giant down

Too expensive tea in Ritz featuring scammers

SANS Institute is under a phishing attack

What happened?

How to protect your company?

Related posts

Vehicle-SOC: protecting today’s autonomous cars

Cybersecurity during the hybrid work era

The first line of defence against security incidents