Present Blog - IT thought leadership in Canada

Don’t wait to protect your business from cyberattacks … learn from others

Written by Martin Perron | Dec 8, 2021 6:53:38 PM

IT security is a risk to be managed, yet we still see many companies assessing that risk incorrectly: they don’t believe their company could be a target.

While it's easy to think that your SMB wouldn't be targeted, the sad reality is that SMBs face an even greater cybersecurity risk when they are not adequately protected. In fact, more than 58% of cyber-attack victims are small businesses. The reasoning behind this is simple: SMBs think they are not a target, so they usually do not have very strict cybersecurity measures, and because of this they become easy prey for hackers.

Present is on a mission to better protect all our clients. We hate getting that call saying, “We’ve been hacked, what can we do?” And so, we’re sharing the following story of a cyberattack at one of our clients to portray what can happen when you take a wait-and-see approach.

The consequences of a breach are terrible: shutdown of operations for several days or weeks, encryption of your data, theft of confidential data resold on the dark web, ransom payments, legal nightmares, reputational damage, etc.

Some companies tend to rely on their cyber-insurance. But the truth is, insurers have been hit pretty badly in the last 2 years, and they are questioning their customers more and more about their security hygiene after an attack. If they find that their customer did not follow common best practices, they simply do not pay.


The Cyber Attack

A few weeks ago, one of our managed services clients was attacked by the Evil Corp hackers. They were not one of our managed security clients, but as a managed services client their systems were being monitored by us to make sure they were operational and performing. It was during that monitoring that we noticed something was off and that they were the potential target of a ransomware attack.

Thanks to the close vigilance of the Present services team, we saw warning signs of an attack and made the decision to shut down their Exchange server. Phishing emails had been sent internally, and they were literally one click away from losing their data to ransomware.

This incident triggered a security audit, which confirmed that the Exchange server had indeed been compromised. Shutting down the server prevented the attack from going further.


But the story does not end here ...


While doing the security audit, we also discovered that a different hacker group had another attack underway on another server. They had complete access to the infrastructure and were well established within the perimeter, ready to launch an attack. We could see the signs of a “proof of access”, which led us to believe that the access rights were for sale on the dark web.


How the hackers got in

The client had someone in management working with a user account with administrative rights, despite our advice to them that this is not recommended. As well, he was using AnyDesk (similar to TeamViewer) on his workstation, which he left open.

The hackers saw this opportunity and exploited this security flaw to take control of his machine, get administrator access, and then access servers where they installed their backdoor and other tools. From that point, they no longer needed AnyDesk or the end-user account. They had their own complete access to the infrastructure.


The result

Unfortunately, the client lost access to their emails for a week as a result of this attack. Yet the result could have been much, much worse had the breach gone undetected.

They now understand the magnitude of their mistakes:

  1. Not having installed an MDR solution on all their endpoints
  2. Not having migrated their server, which was no longer supported
  3. Not having removed the user's administrative rights
  4. Having bypassed the VPN solution using AnyDesk

Moving forward

They learnt the hard way that they should have managed their security risks better and were thankful for the help we provided them. Present was given the green light to implement the security solutions we had been strongly suggesting to them.

They now have our managed endpoint detection & response (MDR) solution on all their endpoints, which is fully monitored and managed by our SOC 24/7.

We also helped them implement new security policies around approved applications (no more AnyDesk) as well as access policies restricting administrator accounts. Finally, we also migrated their old Exchange server to O365, giving them a more secure mail solution.
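As an added example (not code from the Present post or from the client's environment), the following PowerShell audit checks a Windows endpoint for the two policy gaps described above: members of the local Administrators group that are not on an approved list, and any trace of AnyDesk. The approved-admin list is hypothetical, and the AnyDesk process, service and uninstall display names are assumed to be those a default install registers.

```powershell
# Added example, not from the original post. Audits one endpoint for the two gaps named above.
# Assumptions (labelled): $ApprovedAdmins is a hypothetical allow-list; 'AnyDesk' is assumed to be
# the process name, service name and uninstall DisplayName prefix of a default AnyDesk install.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later).

$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", "CORP\IT-Admins")   # hypothetical

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved = $ApprovedAdmins)
    # Any member of local Administrators not on the allow-list is a standing admin-rights
    # exposure of the kind the post describes (a day-to-day user account with admin rights).
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-AnyDeskPresence {
    # Three independent indicators: installed (uninstall key), service registered, process running.
    $installed = Get-ItemProperty -ErrorAction SilentlyContinue -Path @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*') |
        Where-Object { $_.DisplayName -like 'AnyDesk*' }
    $service = Get-Service -Name 'AnyDesk' -ErrorAction SilentlyContinue
    $process = Get-Process -Name 'AnyDesk' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Installed       = [bool]$installed
        ServiceState    = if ($service) { $service.Status.ToString() } else { 'absent' }
        Running         = [bool]$process
        # True when any indicator fires: the tool is on the approved-application deny list.
        PolicyViolation = [bool]($installed -or $service -or $process)
    }
}

# Run both checks; a non-zero exit code lets an RMM or MDR scheduled job raise an alert.
$admins  = Get-UnapprovedLocalAdmins
$anydesk = Test-AnyDeskPresence

if ($admins) {
    Write-Warning 'Unapproved members of local Administrators:'
    $admins | Format-Table -AutoSize | Out-String | Write-Warning
}
if ($anydesk.PolicyViolation) {
    Write-Warning ('AnyDesk detected: installed={0} service={1} running={2}' -f
        $anydesk.Installed, $anydesk.ServiceState, $anydesk.Running)
}
exit ([int]([bool]$admins -or $anydesk.PolicyViolation))
```

Run it from an elevated session; on a domain-joined machine the allow-list entries should use the DOMAIN\name form that Get-LocalGroupMember returns.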

When thinking about IT security and implementing cybersecurity measures, it’s important to heed the advice “Do not wait.” There may be other IT projects you deem more important, or the moment may not seem convenient to implement cybersecurity essentials, but the time is right. Take the steps now to avoid an otherwise inevitable breach.