Important Security Incident Alert - February 2024

Christopher

The New Team of Weapons and Tactics would like to alert its members and visitors to a recent security incident that occurred on the premises of our networks.

On February 11, 2024, the Department of Information Technology at the New Team of Weapons and Tactics discovered that one of our servers had been compromised with a ransomware attack. The attack – known as LockBit – was found to be strategically embedded in an installer that one of our technicians utilized to perform regular maintenance on the server in question. The ransomware acted as a “time bomb”, not immediately acting upon getting installed, and instead was found to initiate its attack about a week later. Unfortunately, this ransomware was of a more “advanced variety” – similar to the infamous WannaCry ransomware from 2017 that many businesses and organizations also suffered – and not only infected the compromised server that it started on, but was able to migrate itself to other adjacent servers over the network.

This malware did not waste time once it commenced its attack, and was able to spread to infect a total of five (5) of our server systems out of the eighteen (18) server systems and machines that we had operational. Each infected system had the majority of its file contents encrypted and locked, and the individuals responsible for the attack demanded payment for the return of our property.

Although we wish we had been able to catch it earlier, one of our senior engineers was able to spot the attack due to the abnormal traffic and was able to effectively disconnect and shut down the rest of our network before any more systems could have a chance to be infected.

Thanks to our rigorous security and backup practices, we had backups of our data stored securely off-site, which we were able to utilize to restore our systems back to full operation.

As part of our investigation into this security incident, we performed a procedural RCA (root cause analysis) and were able to determine the source machine that was initially infected and the source installer that had the ransomware embedded in its executable that initially went undetected in our initial scans due to the nature of imperfections in general file security analysis.

We were able to determine with absolute certainty that no passwords or other account information, such as emails, usernames (or the like) were compromised. These pieces of information are stored in separate disjoint segments of our network, with additional security measures, specifically for increased security and protection from incidents just like this one.

As part of our response efforts, we have restructured our network to better protect all of our servers and systems and have made changes in our internal SOPs (standard operating procedures) to better prevent and protect from these sorts of incidents, and have increased the security and monitoring efforts on our network.

We do sincerely apologize for any inconvenience or concern this incident may have caused, and appreciate everyone’s understanding and cooperation as we worked to resolve this matter.

Yours truly,

The New Team of Weapons and Tactics

February2024_SecurityIncident.pdf
