Incident Response Summary

Incident Report Summary – IMSI Vendor Compromise

This report reviews events associated with the ransomware attack against Tower's third-party vendor IMSI, which holds sensitive information on several Tower members and employees, specifically 70,000 credit cards. IMSI's cloud provider, IMS Cloud, was subject to a ransomware attack. There is no evidence that data was exfiltrated from the IMS Cloud environment, including IMSI's data and that of other IMS Cloud customers. The attack did suspend Tower's use of IMSI "opt-in" services for approximately two weeks.

Tower's Incident Response and Handling Plan defines five phases for responding to and handling security incidents (addressed sequentially here):

1)   Identification (Discovery): On Tuesday, July 11, 2023, at 11:21 AM, Hannah Abraham (IMSI Customer Relations Manager) informed Carol Brown (Tower Manager of Debit Card Operations) of a security incident within IMSI. At 11:28 AM Brown informed Alvin Smith (SVP of Member Services), who at 11:36 AM alerted Executive Leadership and Senior Management, including VP/Director and ISO Phil Mellinger.

IMS Cloud (hosting provider for IMSI) discovered a ransomware note within their environment on July 9, 2023. The earliest evidence of compromise is unauthorized access to an unused IMS Cloud server using legitimate credentials from an unknown IP address. IMS concluded that the compromise potentially began as early as July 2, 2023, when service issues were first reported to IMS Cloud. IMSI experienced multiple service outages on July 7, 2023.
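As an added illustration (not part of this report or of IMSI's or IMS Cloud's own tooling), the following Python sketch shows how the initial-access pattern noted above, valid credentials used against an idle server from an address outside known ranges, can be surfaced from authentication logs. The log format, the corporate address range and the idle threshold are assumptions.

```python
"""Flag successful logins that match the pattern described in the report:
legitimate credentials used on a server that had been unused, from an
unknown source address. Sample data and thresholds are constructed."""
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log (not from the incident). Fields, space separated:
# ISO timestamp | host | user | source IP | result
SAMPLE_LOG = """\
2023-06-01T09:15:00 app01 svc_backup 10.20.0.15 success
2023-06-03T14:02:00 app01 jdoe 10.20.0.44 success
2023-06-20T08:40:00 legacy-db svc_admin 10.20.0.15 success
2023-07-02T03:17:00 legacy-db svc_admin 203.0.113.77 success
2023-07-02T03:20:00 app01 jdoe 10.20.0.44 success
2023-07-05T22:01:00 app01 svc_admin 198.51.100.9 failure
"""

KNOWN_RANGES = [ipaddress.ip_network("10.20.0.0/16")]  # assumed corporate ranges
IDLE_DAYS = 10  # a host with no successful login for this long counts as unused

def parse(log_text):
    """Parse log lines into (timestamp, host, user, ip, result), oldest first."""
    events = []
    for line in log_text.splitlines():
        ts, host, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), host, user,
                       ipaddress.ip_address(src), result))
    return sorted(events)

def is_known(ip):
    return any(ip in net for net in KNOWN_RANGES)

def find_suspicious_logins(log_text, idle_days=IDLE_DAYS):
    """Return (timestamp, host, user, ip) for each successful login where the
    host had no successful login for idle_days (or none on record) and the
    source IP is outside the known ranges."""
    last_success = {}
    hits = []
    for ts, host, user, ip, result in parse(log_text):
        if result != "success":
            continue
        previous = last_success.get(host)
        dormant = previous is None or ts - previous >= timedelta(days=idle_days)
        if dormant and not is_known(ip):
            hits.append((ts.isoformat(), host, user, str(ip)))
        last_success[host] = ts  # update host history after the check
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOG):
        print("review:", *hit)
```

In the constructed sample only the July 2 login to the idle legacy-db host from 203.0.113.77 is flagged; the failed attempt and logins from the assumed corporate range are not.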

2)   Containment: IMSI initiated their incident response plan: notifying their cyber insurer, engaging breach counsel and an incident response team, informing the FBI, and issuing statements to all IMSI customers, including Richard Stafford (Tower President & CEO), explaining, "While the investigation into this matter is ongoing, at this time, there is no evidence that anyone's personal data has been misused in any way." To substantiate that, IMS Cloud later documented, "all consumer related data was segmented by IMS Cloud and secured in a multi-tenant fashion from other client and client environments."

IMSI shared Security Incident Review slides to keep all customers informed of what was affected, notable occurrences leading up to July 9, details of their incident response plan, the current impact on their systems, and steps to recovery.

Progent confirms, "Backups were stored in an immutable Rubrik cluster by IMS Cloud and were not part of the security incident." Additionally, "there is no evidence of unauthorized access to the clusters at any time." IMSI confirms that all data was password protected and some Personally Identifiable Information is encrypted at rest.

3)   Eradication: The deployment of SentinelOne on individual IMSI endpoints identified and blocked malicious activity and malware, including Trojans, ransomware, lateral movement, viruses, malicious Microsoft Office documents, rootkits, backdoors, and hacking tools.

Progent, contracted by IMS Cloud to review and certify their internal infrastructure, has concluded that the SentinelOne agent killed and quarantined all identified alerts.

Additionally, Progent disabled all VPN connections, IPsec tunnels, and outside interfaces on all devices and completed a review and analysis of the additional network infrastructure, targeting the following:

  1. All object tables
  2. All policies
  3. All NAT
  4. All IPsec and tunnel connections
  5. All VPN connections
  6. All routes
  7. All configurations
  8. All user accounts
  9. All access policies and rules

4)   Recovery: IMSI completed the following steps toward recovery and remediation:

  1. Identified and isolated all devices containing malware.
  2. Enhanced firewall rules to restrict inbound/outbound traffic.
  3. Installed SentinelOne Endpoint Detection and Response (EDR).
  4. Applied 24/7 monitoring of all endpoints using EDR.
  5. Applied 24/7 SOC monitoring of the network using SIEM.
  6. Rebuilt all infected infrastructure.
  7. Certified and cleansed all files moved to OneDrive.
  8. Reset all administrative credentials.
  9. Reset all user credentials to the IMSI network.
  10. Reset all user credentials.

IMSI is actively reviewing the following areas to allow full recovery from the incident:

  1. Clean and restore all servers and workstations.
  2. Enable multi-factor authentication on all platforms.
  3. Enable multi-factor authentication on VPN and email (Office 365 environment).

The cloud service provider's infrastructure is now operational and its security has been validated. Several (not all) IMSI servers have been restored, and their security has been validated by Progent. After that is completed, IMSI will reconfigure and validate systems as needed. IMSI has also taken additional steps so that, going forward, there are even more layers of protection for its consumer data.

5)   Follow-up (Lessons Learned): Vetting the Vendor's Security Management:

  1. MFA must be configured on all accounts/platforms.
