When it comes to mission-critical systems, public safety agencies can’t afford any disruptions or downtime from cyber threats like malware. The faster you can find indicators of compromise (IOCs), the sooner you can take steps to prevent attacks from spreading and limit potential damages.
Since it’s Halloween, we thought it was the perfect time to share a spine-tingling case in which Motorola Solutions’ Security Operations Center (SOC) team detected and shut down an early-stage SocGholish attack. It also illustrates the capabilities of our Managed Detection and Response services.
What Is SocGholish?
When someone visits a compromised website, they are redirected to a page that looks like a legitimate website. It’s designed to trick them into downloading and installing a fake update. But it isn’t actually an update at all: it’s the first step in what can be a scary situation. Let’s take a deeper look now at how this attack happens.
How Does a SocGholish Attack Work?
Installing the fake update enables the attackers to establish and maintain a foothold, also referred to as persistence, to carry out reconnaissance activities. The second-stage payload can include malware variants that give the threat actor even more control over the victim’s device. Researchers have even seen SocGholish infections using Cobalt Strike to deliver ransomware.
How Did We Detect an Early-Stage SocGholish Attack?
Now let’s dive into a bit more technical detail on how we detected this particular attack before it could do any damage.
The Advanced Threats and Research team in our SOC investigated SocGholish in a sandbox environment to fully understand how it behaves, and how it infects victims. Armed with this information, the team then went threat hunting to look for indicators of it within customer networks.
The following is an example of a detection rule we created that can be used to help find this attack:
Fortunately, the SOC team spotted the attack before the network connection to the malicious domain could succeed. The infected device was immediately quarantined, and additional countermeasures were applied to make sure the threat was contained.
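As an added, constructed illustration of the kind of hunt described above (this is not the rule Motorola’s SOC created), here is a small Python check over sample endpoint process-creation events. It assumes the fake update is a script file the user runs from a browser download, a behaviour commonly reported for SocGholish but not stated in this post; the events, field names and paths are all constructed.

```python
import re

# Constructed sample process-creation telemetry; not real customer data.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\Chrome.Update.js"',
     "user": "jdoe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\AppData\Local\Temp\Temp1_Update.zip\Update.js"',
     "user": "jdoe"},
    {"parent": r"C:\Windows\explorer.exe",            # benign admin script, should not fire
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Scripts\inventory.vbs",
     "user": "svc-admin"},
]

BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Assumed indicators: script launched from a user-writable download/temp location
# with an update-themed .js name (the "fake update" lure the post describes).
USER_WRITABLE = re.compile(r"\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)
UPDATE_LURE = re.compile(r"update[^\\]*\.js\b", re.IGNORECASE)

def score_event(ev):
    """Return (score, reasons) for one event; only Windows script hosts are scored."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    if image not in SCRIPT_HOSTS:
        return 0, []
    reasons = []
    if parent in BROWSERS:
        reasons.append("script host spawned by a browser")
    if USER_WRITABLE.search(ev["cmdline"]):
        reasons.append("script run from a user-writable path")
    if UPDATE_LURE.search(ev["cmdline"]):
        reasons.append("update-themed .js file name")
    return len(reasons), reasons

def hunt(events, threshold=2):
    """Return events whose score reaches the threshold, with the matched reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"user": ev["user"], "cmdline": ev["cmdline"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["user"], "->", hit["cmdline"], "|", ", ".join(hit["reasons"]))
```

A hit like this is a cue to quarantine the host and inspect outbound connections, since the post notes the attack was caught before its connection to the malicious domain succeeded.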
What Is the Potential Impact to PSAPs and LMR?
Although the ActiveEye SOC and other security researchers haven’t necessarily seen any indications that SocGholish is targeting specific industries or organizations, we encourage our customers to stay diligent about prevention and detection. Other threat actors are reportedly using SocGholish as an initial access broker (IAB) to get access into networks, at times even compromising an organization’s own website to infect employees with a drive-by download mechanism to install malware.
According to Motorola Solutions’ 2021 Cyber Threats to Public Safety: Criminal Operations report, IABs were prolific in 2021, and IABs selling either verified or likely legitimate access into emergency service environments represented 16 percent of all attacks.
In addition, IABs may be more inclined to target public safety agencies because of the higher costs they can charge for critical infrastructure access. Public Safety Answering Points (PSAPs) provide an enticing target for cyber criminals who wish to interfere with 9-1-1 call handling and dispatch. Land Mobile Radio (LMR) systems, used by the overwhelming majority of public safety agencies across the country, have become more susceptible to cyber attacks through increased integration with other systems, as the Cybersecurity and Infrastructure Security Agency (CISA) noted in a recently published guide for LMR security.
For both of these mission-critical networks, it is vitally important to have the ability to detect and stop these increasingly sophisticated attacks. PSAPs and agencies should ensure they have 24/7 monitoring in place for both their mission-critical systems and IT networks to spot any abnormal activities. A comprehensive cyber incident response and disaster recovery plan that’s regularly tested is another must-have in today’s environment.
You don’t have to be a clairvoyant to understand that SocGholish is no treat for IT and security teams. The dangers it presents are very real, as malware infections can lead to disabled devices, data breaches, disruptions to communications and even downtime — all of which can cost precious minutes in the moments that matter.
For agencies and organizations without the staff to support 24/7 cybersecurity operations, or to research attacks in depth, a Managed Detection and Response (MDR) service provider like Motorola Solutions can help you better defend against SocGholish and similar threats. Every day, our Advanced Threats and Research team monitors dozens of threat intelligence sources, as well as millions of security alerts from a wide range of public safety and enterprise customers, to identify new attack techniques and emerging risks.
While there’s no magic spell to avoid cyber threats, engaging a 24/7 SOC with the experience and skillset to monitor and manage sophisticated Endpoint Detection and Response (EDR) tools, and to detect and shut down threats on your behalf, can make all the difference when it comes to fighting the evils that lurk when cyber criminals attack your organization.
Contact us today to find out how our ActiveEye security management platform and 24/7 SOC can help you defend against threats.