It's a blistering hot day in Bengaluru, India, and Sandeep is thankful for being in an air-conditioned building. In 2013, CorQue Boards Inc hired him as an engineer right out of university, and now he's one of the lead engineers of his group, building circuit boards that are distributed globally. The company provided him with the usual desk with dual monitors that hook into his laptop's dock so that he can design and improve the product with his team. Other than the IT guy giving him the laptop and phone, there was little to no interaction with the IT department.
Every year he was reminded by HR in an email that he needed to complete his annual cyber risk training. This is so annoying thought Sandeep as he started to look at the portal where he was to log in.
Meanwhile, in Warsaw, Poland, Malgorzata (aka Gosia) was working on the next CorQue Boards information security newsletter for her assigned region, APAC. She was on a team where each team member worked on building the training and information security news for their regions as well. Their job was to provide the region's IT divisions up to date information on threats that may impact their region, country, or specific business unit. Because she wanted to do her job well, Gosia went to other sources of open source intelligence just in case the threat feeds missed anything.
Hmm...APT 1.8 is at it again with another ransomware campaign she thinks to herself after reading a tweet. APT 1.8 was well known for their use of social engineering to get users to download antivirus software by posing as the organizational IT helpdesk." Eh, I already posted a newsletter about these guys" Gosia said to herself "I'll have to write about something more exciting..."
Sandeep was plugging away at his training...
"Don't click on links"
"If you see something, say something"
"You are reminded that..."
"This has to be the worst...every year, 45 minutes of 'interactive' training and a quiz. To top it off, if you fail the quiz, you have to do it again....from the beginning!" Sandeep sighed...*ding
Oh, what now? Sandeep took a deep breath and looked into his inbox.
FROM: [email protected]
TO: <Undisclosed Recipients>
SUBJ: IT HELPDESK- "ANTIVIRUS UPDATE"
IMPORTANCE: HIGH
Noticing that the FROM field was not @corque.com Sandeep was a little puzzled. He had remembered from his training to look at where an email was coming from and make sure that if it was an organizational email, that the domain was correct. Curiously, Sandeep opened up the email and read:
Dear User,
As you know, ransomware is on the rise globally and our IT team is working hard to ensure that our data is protected at all times. In addition to our outstanding monitoring capabilities to detect these types of malware, we have purchased additional protection through "SeaQuenchAle" a well known cyber security company. To help facilitate this additional protection, please follow this link, download, and install the application as soon as time permits. If not done within 24 hours, this application will be pushed to your system, a forced restart will commence, and you will lose any data that is not saved.
We appreciate your cooperation in this matter.
-IT Helpdesk
Learning about hovering his mouse cursor over the link from his training to preview the URL, Sandeep found that the link did not go to a sequenceable domain at all. Really weird, he thought. Knowing that this may or may not be real, Sandeep decided to call the IT helpdesk for support.
"Hey, I got this email from you guys about installing some additional protection app or something...it doesn't look right"
"Oh yeah?" Jidnesh said, "You and everyone else got it. Send it over to the incident response email and they'll analyze it. I'll open up a ticket so we can follow up. Seems like something is going on..."
Will Sandeep and his IT helpdesk team figure out what is going on?
Will CorQue get compromised?
How will CorQue Boards handle the situation?
To be continued...