
Foxconn Breach: What happened and how to protect your environment?

Taiwanese electronics giant Foxconn, parent company of Sharp Corp, has recently confirmed that it was hit by a ransomware attack, with the attackers demanding 1,804 Bitcoin (around $34.7 million at the time) for the return of its data.

The attack is reported to be the work of the DoppelPaymer ransomware group. According to those reports, the attackers encrypted around 1,200 servers, stole 100 GB of files and deleted approximately 30 TB of backup data.

In a statement to the Taiwan Stock Exchange, Foxconn confirmed that its internet connection had been restored; it is still unclear whether the ransom was paid.

Detection and visibility 

Here at Comtact we continue to monitor and hunt for relevant indicators of compromise, not only those tied to this attack but for any form of malicious activity. If there are parts of your network that are not yet monitored or secured, we encourage you to close those gaps.

Visibility of your environment is key to identifying malicious activity. If you don’t know what’s running on your endpoints, how do you know what you’re securing?

Here at Comtact, our Cyber Defence Centre is powered by SentinelOne, giving us visibility of every endpoint. The EDR telemetry is forwarded to Microsoft Azure Sentinel, where it is correlated with logs from the rest of the estate, such as firewalls and Active Directory, so that an alert on one host can be read against what every other data source saw at the same time. This collated data is enriched with threat intelligence (TI), machine-learning analytics and known IOCs, which surfaces activity that no single log source would reveal on its own. On top of this, our SOC team is constantly developing new detection logic and running proactive threat hunts for misconfigured devices, out-of-date software and, of course, malicious processes.

We are committed to helping you secure your environment, so here are a few tips from our team:

  • Deploy a SIEM and a 24/7 SOC team to monitor for and respond to breaches.
  • Ensure every endpoint and server is covered by your AV/EDR solution, and keep all software up to date.
  • If you need help conducting risk assessments of your estate, or in securing unprotected devices, Comtact can help you deploy SentinelOne in minutes, without business downtime or restarts, giving you full insight into your endpoints.
  • Search your environment for the hashes of offensive security tools (OSTs). These tools are typically staged on a compromised network ahead of the encryption phase, waiting to be used; search for the following hashes to confirm that none of them has been seen in your estate.

Hashes

Magic Value   SHA256
0xf03d9386    51d8618ec86159327e883615ad8989c7638172cf801f65ab0367e5b2e6af596a
0xa68d9640    d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f
0x53e9cd92    0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc
0x2fb0f795    bfb7e62ba4ad5975e68a1beefb045cb72e056911fd7a8b070a15029dfcbbefe1
0x7900f253    bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4
0x8c64a981    70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4

Here at Comtact we have created a SentinelOne hunting query that you can paste into the Deep Visibility section of your SentinelOne console to check whether any of these hashes have been observed on your endpoints. Note that TgtFileSha256 matches file-system events (a file with that hash being created, modified or renamed), so to catch the same binaries being executed, run the equivalent query against the process image hash fields (for example SrcProcImageSha256 and TgtProcImageSha256). A hash match only finds these exact builds; a recompiled or repacked copy will not match, so treat a clean result as the absence of these samples, not as proof that the tooling is absent.

TgtFileSha256 = "51d8618ec86159327e883615ad8989c7638172cf801f65ab0367e5b2e6af596a" OR TgtFileSha256 = "d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f" OR TgtFileSha256 = "0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc" OR TgtFileSha256 = "bfb7e62ba4ad5975e68a1beefb045cb72e056911fd7a8b070a15029dfcbbefe1" OR TgtFileSha256 = "bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4" OR TgtFileSha256 = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4"

Indicators of Compromise (IOCs) associated with DoppelPaymer

File Extensions

.doppeled (appended to files the ransomware has encrypted)
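To turn the hash table and the file-extension IOC above into something you can run, here is an added example in Python, written for this page rather than taken from Comtact's hunting package or from SentinelOne. It splits each flattened row of the table into its magic value and SHA256 (the 8-plus-64 hex-digit split is an assumption inferred from the row length), generates a deduplicated Deep Visibility query so that no hash is repeated or dropped, and sweeps a directory tree for both watchlisted hashes and files carrying the .doppeled extension. The sample tree it scans is constructed in a temporary directory; none of the files are real malware.

```python
import hashlib
import os
import tempfile

# The six rows of the hash table above, exactly as printed: "0x", an 8-hex-digit
# magic value, then the 64-hex-digit SHA256 (the split point is an assumption
# inferred from the row length).
TABLE_ROWS = [
    "0xf03d938651d8618ec86159327e883615ad8989c7638172cf801f65ab0367e5b2e6af596a",
    "0xa68d9640d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f",
    "0x53e9cd920f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc",
    "0x2fb0f795bfb7e62ba4ad5975e68a1beefb045cb72e056911fd7a8b070a15029dfcbbefe1",
    "0x7900f253bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4",
    "0x8c64a98170211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4",
]

# File extension listed in the DoppelPaymer IOC section above.
RANSOM_EXTENSIONS = {".doppeled"}


def split_row(row):
    """Return (magic, sha256) from one flattened table row, both lowercase."""
    body = row[2:] if row.lower().startswith("0x") else row
    if len(body) < 64 or any(c not in "0123456789abcdefABCDEF" for c in body):
        raise ValueError(f"unexpected row format: {row!r}")
    return body[:-64].lower(), body[-64:].lower()


def parse_table(rows):
    """Set of lowercase SHA256 digests taken from the table rows."""
    return {split_row(r)[1] for r in rows}


def build_dv_query(hashes, field="TgtFileSha256"):
    """Deep Visibility query with exactly one clause per unique hash.

    Deduplicating and sorting guarantees the query never carries the same
    hash twice and never silently drops one, which is easy to get wrong
    when the clauses are pasted together by hand.
    """
    return " OR ".join(f'{field} = "{h}"' for h in sorted(set(hashes)))


def sha256_file(path, chunk=1 << 20):
    """Streamed SHA256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, watchlist, extensions=RANSOM_EXTENSIONS):
    """Walk root; report watchlisted hashes and ransomware-extension files.

    Returns a sorted list of (path relative to root, reason) tuples.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() in extensions:
                hits.append((rel, "ransomware extension"))
                continue  # already encrypted; its hash tells us nothing
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable, or gone between listing and hashing
            if digest in watchlist:
                hits.append((rel, "watchlist hash " + digest[:12]))
    return sorted(hits)


def demo():
    """Constructed sample tree (not real malware): one benign file, one file
    whose hash is planted on the watchlist, one file with the .doppeled
    extension. Returns the sweep result."""
    watch = parse_table(TABLE_ROWS)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tools"))
        os.makedirs(os.path.join(root, "data"))
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"quarterly report draft\n")
        planted = os.path.join(root, "tools", "ost.bin")
        with open(planted, "wb") as fh:
            fh.write(b"constructed stand-in for a staged offensive tool\n")
        with open(os.path.join(root, "data", "invoice.xlsx.doppeled"), "wb") as fh:
            fh.write(b"\x00" * 64)
        watch.add(sha256_file(planted))  # simulate one table hash being present
        return sweep(root, watch)


if __name__ == "__main__":
    print(build_dv_query(parse_table(TABLE_ROWS)))
    for rel, reason in demo():
        print(f"{reason:28} {rel}")
```

Run it as a script to print the generated query and the hits from the constructed tree; point sweep() at a real share or volume to use it for an actual sweep. As with the console query, a hash match only finds these exact builds, so a clean result means these samples are absent, not that the tooling is.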

We’re here to help, we’re here to secure your environments. We’re in this together.
