February 13, 2025

From OneNote to Ransomware: How to Run a Chilling Tabletop Exercise Based on a Real-Life Cyber Attack

The DFIR Report published an article detailing a cybersecurity attack that occurred in late February 2023. In this incident, threat actors used Microsoft OneNote files to gain initial access and deliver IcedID malware. The attackers then used FileZilla to exfiltrate data before deploying Nokoyawa ransomware. This article will guide you through planning and executing a tabletop simulation based on this real-world attack. Read the full report here: https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/

Who Is This For?

This exercise is most relevant to organizations that rely on:

  • Collaboration software like Microsoft OneNote or similar tools
  • File transfer applications such as FileZilla or other FTP clients
  • Systems vulnerable to IcedID malware or ransomware attacks

Key roles that should participate in this exercise include:

  • IT security teams
  • Incident response personnel
  • Risk management and compliance officers
  • Business continuity and disaster recovery planners

Simulation Start Points

Choosing an engaging starting point is crucial for an effective tabletop exercise. Here are some ideas:

  • A user reports receiving a suspicious OneNote file from an unknown sender, claiming to contain important meeting notes.
  • IT notices unusual traffic patterns between internal systems and an external FTP server.
  • Security tools detect the presence of IcedID malware on several endpoints.
  • Encrypted files with a ".nokoyawa" extension are discovered on critical servers, indicating a potential ransomware attack.
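Three of the start points above correspond to signals a SOC can check mechanically: an external sender delivering a OneNote attachment, a large FTP transfer from an internal host to an external server, and files appearing with the ransomware extension. The following Python triage script is an added example, not code from the ChaosTrack post or the DFIR Report; it runs those three checks over constructed mail-gateway, firewall and file-server log lines and tags each hit with the ATT&CK ID the post maps to it. The log format, the internal mail domain `corp.test`, the RFC 1918 ranges used to define "internal", and the 10 MB transfer threshold are all assumptions made for the exercise.

```python
"""Triage helper for the machine-checkable tabletop start points.

Added example, not part of the original ChaosTrack post or the DFIR Report.
Every log line, host name, address and threshold below is constructed.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumptions about the exercised organisation (not from the post):
INTERNAL_MAIL_DOMAIN = "corp.test"
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXFIL_BYTES_THRESHOLD = 10_000_000   # 10 MB in one FTP session is worth a look
RANSOM_EXTENSION = ".nokoyawa"       # extension named in the post's fourth start point

# Constructed sample telemetry, one event per line: "<source> key=value ...".
SAMPLE_LOGS = [
    "mail from=invoices@example-partner.test to=alice@corp.test attach=Meeting_Notes.one",
    "mail from=bob@corp.test to=alice@corp.test attach=agenda.docx",
    "fw src=10.20.1.15 dst=203.0.113.7 dport=21 proto=tcp bytes=48213000 action=allow",
    "fw src=10.20.1.15 dst=10.20.0.5 dport=21 proto=tcp bytes=1200 action=allow",
    "fw src=10.20.1.22 dst=198.51.100.9 dport=443 proto=tcp bytes=5000 action=allow",
    "fs host=srv-files01 path=/finance/Q1.xlsx.nokoyawa event=create",
    "fs host=srv-files01 path=/finance/Q1.xlsx event=rename",
]


@dataclass(frozen=True)
class Finding:
    start_point: str   # which tabletop start point this evidence supports
    technique: str     # ATT&CK ID as mapped in the post
    evidence: str      # the raw log line


def parse(line):
    """Split '<source> k=v k=v ...' into its source tag and a field dict."""
    source, _, rest = line.partition(" ")
    return source, dict(re.findall(r"(\w+)=(\S+)", rest))


def is_internal_ip(addr):
    """True if the address falls inside the assumed internal ranges.

    Membership is checked explicitly rather than via ip_address().is_private,
    because the documentation ranges used in the sample (203.0.113.0/24,
    198.51.100.0/24) would otherwise be treated as private."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def triage(lines):
    """Return one Finding per log line that matches a start-point check."""
    findings = []
    for line in lines:
        source, f = parse(line)
        if source == "mail":
            sender_domain = f.get("from", "").rpartition("@")[2]
            if (f.get("attach", "").lower().endswith(".one")
                    and sender_domain != INTERNAL_MAIL_DOMAIN):
                findings.append(Finding(
                    "OneNote attachment from an external sender", "T1566.001", line))
        elif source == "fw":
            if (f.get("dport") == "21"
                    and is_internal_ip(f["src"]) and not is_internal_ip(f["dst"])
                    and int(f.get("bytes", 0)) >= EXFIL_BYTES_THRESHOLD):
                findings.append(Finding(
                    "large FTP transfer to an external server", "T1041", line))
        elif source == "fs":
            if f.get("path", "").lower().endswith(RANSOM_EXTENSION):
                findings.append(Finding(
                    "file created with the ransomware extension", "T1486", line))
    return findings


def summarize(findings):
    """Count findings per ATT&CK technique; a compact opening brief for the exercise."""
    return dict(Counter(f.technique for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOGS)
    for h in hits:
        print(f"[{h.technique}] {h.start_point}: {h.evidence}")
    print(summarize(hits))
```

Feeding the script the three sample sources yields one finding per start point, which is exactly the "first page" a facilitator hands to the Detection and Analysis group. Swapping in the organisation's real mail, firewall and file-audit exports (and adjusting the assumed domain, ranges and threshold) turns the same checks into a quick pre-exercise sanity test of whether those signals are actually being logged.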

Tabletop Simulation Phases

Using the NIST Incident Response framework, the simulation should cover the following phases:

  1. Detection and Analysis
    • Identify the source and scope of the OneNote-based attack
    • Analyze malware samples and network logs to determine the extent of the compromise
  2. Containment
    • Isolate infected systems to prevent further spread of IcedID and Nokoyawa ransomware
    • Block communication with known malicious FTP servers and C&C infrastructure
  3. Eradication
    • Remove malware from affected systems and restore clean backups
    • Patch vulnerabilities exploited by the attackers
  4. Recovery
    • Bring systems back online and monitor for any signs of re-infection
    • Communicate with stakeholders about the incident and recovery efforts
  5. Post-Incident Activity
    • Conduct a thorough review of the incident response process
    • Update security policies and procedures based on lessons learned

Inject Ideas

To make the simulation more challenging and realistic, consider adding:

  • The attacker contacting the organization, demanding a ransom payment to decrypt files and prevent data leakage.
  • A critical system experiences a hardware failure during the incident, complicating recovery efforts.
  • Media outlets reporting on the attack, putting pressure on the organization to respond quickly and transparently.
  • A key incident response team member becomes unavailable due to a personal emergency.

MITRE ATT&CK Techniques

The following MITRE ATT&CK techniques are relevant to this attack:

  • T1566.001 - Phishing: Spearphishing Attachment - The attackers used a malicious OneNote file to gain initial access.
  • T1041 - Exfiltration Over C2 Channel - FileZilla was used to exfiltrate data to the attackers' servers.
  • T1486 - Data Encrypted for Impact - Nokoyawa ransomware was deployed to encrypt files and disrupt operations.

About ChaosTrack

Running effective tabletop exercises can be time-consuming and costly. ChaosTrack simplifies the process, allowing you to conduct simulations in 85% less time and at 90% lower costs. By regularly practicing incident response through tabletop exercises, your organization can improve its readiness to detect, contain, and recover from real-world attacks like the one described in this article. Visit chaostrack.com to learn more.

©2024, ChaosTrack, Inc. All Rights Reserved.