I was on my way to the office on Thursday morning when I received an urgent call from Gregori regarding an Incident Response (IR) situation – a potential client was just hacked and hired us to take care of the situation. After speaking to the client to understand exactly what happened, the rest of the team arrived and we split up into two teams – one in charge of the negotiations with the hacker, and the other in charge of investigation and mitigation.

My team and I discovered the hacker had bypassed the endpoint protection software by using Windows BitLocker and standard encryption software.

How? One of the VPN users didn’t have 2FA (two-factor authentication), and was using strong user connections and communicating between the FW (firewall) and AD (active directory) with LDAP (Lightweight Directory Access Protocol). Because he was using the strong user setting on unencrypted protocols, the hacker was able to run scripts to encrypt the all of the servers and workstations, and then delete all backups within the server.

Unfortunately, this human error cost the client big money since all of their backups were deleted and the server was encrypted.

This attack can be prevented by ensuring all servers, workstations, and cyber security products are up to date. Additionally, it’s important to collect server logins and workstation activities in one place, use only encrypted protocols for password transfers, and use 2FA when it comes to VPN access.

By Menachem Tauman, Co-Founder and Chairman, QMasters Group of Companies

About qmasters

QMasters was founded in 2015 to help Israeli governmental, military, niche security, and municipality offices protect themselves from cyber-attacks. As the cyber security threats grow year after year, so does our list of customers. We are a team of 30+ security experts committed to solving security challenges with the right combination of strategies and technologies.