DocuSign Breach Leads to Targeted Email Malware Campaign

This week, the Alert Logic ActiveIntelligence team reviews how a breach at DocuSign led to a targeted email malware campaign, and how the WannaCry ransomware attacked over 200,000 computers in 150 countries.

Breach

Breach at DocuSign Led to Targeted Email Malware Campaign

DocuSign, a major provider of electronic signature technology, acknowledged today that a series of recent malware phishing attacks targeting its customers and users was the result of a data breach at one of its computer systems. The company stresses that the stolen data was limited to customer and user email addresses, but that is exactly what makes the incident dangerous: the attackers now hold a verified list of people who routinely receive DocuSign messages and are used to clicking the links in them, so a lookalike notification carrying a malicious link or attachment is far more likely to be opened than a cold phishing email.

References: DocuSign Data Breach Led to Targeted Email Malware Campaign | DocuSign Admits Hackers Accessed its Customer Email Database, Sent Out Malware | DocuSign Admits Data Breach That Led to Recent Spam

Mitigation Strategies:

  • Mail filtering that scans or detonates attachments and inspects hyperlinks, since this campaign arrives as a lookalike DocuSign notification rather than as an attack on the recipient's own network.
  • User awareness aimed at this specific lure: genuine DocuSign notifications link to DocuSign's own domains and never require a macro-enabled Office document, so a sender or link on a lookalike domain, or an attached Office file that asks the user to enable content, should be reported rather than opened.
  • Web application firewall management and advanced anomaly detection on the systems that hold customer contact data, so that a bulk read of an address list stands out.
  • Intrusion detection system (IDS) signatures to catch the intrusion itself and the network anomalies that follow, including post-infection callbacks from users who did open the lure.
  • A Security Operations Center providing 24x7 security monitoring and daily log review, so that an unusual export from a notification system is noticed before the resulting campaign starts.
  • Encryption of the stored customer database at rest, with keys kept apart from the application, so that a copied data store yields ciphertext rather than a ready-made target list. Note that this does not help when the attacker reads the data through the application's own credentials.
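The mail-filtering and user-awareness points above come down to a few checks that can be automated on every DocuSign-themed message. The script below is an added example written for this digest, not DocuSign or Alert Logic code. It parses a message, flags a DocuSign display name on a non-DocuSign sender, a Reply-To on a different domain, links that lead anywhere other than DocuSign's domains, and attachments that can carry macros or scripts. The domain allowlist (DOCUSIGN_DOMAINS), the risky-extension list, and both sample messages are assumptions constructed for the demo.

```python
"""Triage a DocuSign-themed message for phishing indicators.

Added example for this digest; it is not DocuSign or Alert Logic code.
Assumptions (chosen for illustration, tune for your environment):
  * DOCUSIGN_DOMAINS is the set of domains a genuine notification uses;
  * RISKY_EXTENSIONS is the set of attachment types worth flagging;
  * the two sample messages are constructed, not real captures.
"""
import os
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

DOCUSIGN_DOMAINS = {"docusign.com", "docusign.net"}                                   # assumption
RISKY_EXTENSIONS = {".doc", ".docm", ".xlsm", ".js", ".vbs", ".exe", ".scr", ".zip"}  # assumption
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels: 'app.docusign.net' -> 'docusign.net'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(address_header: str) -> str:
    """Registered domain of the address in a From:/Reply-To: header, or '' if absent."""
    _, addr = parseaddr(address_header or "")
    return registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def triage(raw: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    display_name, _ = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(msg.get("From", ""))
    # A DocuSign display name on a non-DocuSign sender is the core lookalike pattern.
    if "docusign" in display_name.lower() and sender_domain not in DOCUSIGN_DOMAINS:
        findings.append(f"sender claims DocuSign but comes from {sender_domain!r}")

    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from sender domain")

    for part in msg.walk():
        if part.get_content_type() == "text/html":
            for url in HREF_RE.findall(part.get_content()):
                host = urlparse(url).hostname or ""
                if not host:
                    continue  # mailto:, anchors, etc.
                # A genuine 'Review Document' button leads to DocuSign's own domains.
                if registered_domain(host) not in DOCUSIGN_DOMAINS:
                    findings.append(f"link points to non-DocuSign host {host!r}")
        filename = part.get_filename()
        if filename and os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS:
            # A signing request has no reason to carry a macro-capable Office file or a script.
            findings.append(f"risky attachment {filename!r}")
    return findings


def build_sample(phish: bool) -> bytes:
    """Constructed sample messages for the demo (assumed content, not real captures)."""
    msg = EmailMessage()
    if phish:
        msg["From"] = '"DocuSign Electronic Signature Service" <dse@docusign-notify.example>'
        msg["Reply-To"] = "billing@mail-relay.example"
        msg["Subject"] = "Completed: Wire transfer - Document Ready for Signature"
        link = "http://docs-sign-review.example/view?id=4471"
    else:
        msg["From"] = '"DocuSign" <dse@docusign.net>'
        msg["Subject"] = "Please DocuSign: Contract.pdf"
        link = "https://app.docusign.net/Signing/EmailStart.aspx?code=example"
    msg["To"] = "employee@victim.example"
    msg.set_content("Please review the document.")
    msg.add_alternative(f'<p><a href="{link}">Review Document</a></p>', subtype="html")
    if phish:
        msg.add_attachment(b"not a real document", maintype="application",
                           subtype="vnd.ms-word.document.macroEnabled.12",
                           filename="Invoice_4471.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("phish", build_sample(True)), ("legit", build_sample(False))):
        print(label, triage(raw))
```

The phishing sample trips all four checks while the genuine-looking sample produces no findings. In production the allowlist should also cover any domains a tenant has configured for branded sending, and the link check should run on the final destination after following redirects, since lookalike campaigns frequently hide behind URL shorteners.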

Malware

WannaCry Ransomware Attacks Over 200,000 Computers in 150 Countries

On May 12, a ransomware worm spread around the world, infecting roughly 230,000 computers across more than 150 countries. The ransomware, called WannaCry, did not need a user to open anything: it moved between Windows machines on its own by exploiting a flaw in the SMBv1 file-sharing protocol. The exploit, a tool built to take advantage of that security hole and known as EternalBlue, came from a batch of hacking tools published by the Shadow Brokers and believed to belong to the NSA.

Microsoft had released a patch for the vulnerability (MS17-010) in March, two months before the outbreak, and machines that had applied it could not be infected over the network. The attack nonetheless hit many large organizations, notably in healthcare and telecommunications, because they were running unpatched systems or versions of Windows so old that they no longer receive regular security updates.

References: Why WannaCry Ransomware Took Down So Many Businesses | WannaCry Ransomware Wasn't The First Malware Using Stolen NSA Exploit | How To Protect Yourself From The Global WanaCry Ransomware Attack

Mitigation Strategies:

  • Apply the March 2017 Microsoft update (MS17-010) that fixes the SMBv1 vulnerability the leaked exploit targets; hosts with it installed were not infected over the network.
  • For Windows versions that no longer receive regular updates, install the emergency fix Microsoft published for them after the outbreak, and treat the event as the deadline for retiring them.
  • Disable SMBv1 where it is not required and block inbound TCP port 445 at the perimeter and between internal segments; SMB is the worm's only propagation path.
  • Deploy IDS signatures for the SMB exploit traffic and alert on hosts opening port 445 to many peers in a short time, the pattern an infected machine produces while it scans for new victims.
  • Maintain offline, tested backups so encrypted systems can be rebuilt without paying the ransom.
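Two signals separate a WannaCry-infected host from ordinary SMB traffic: it opens port 445 to a large number of distinct peers within seconds while scanning for new victims, and before running its payload it resolves the kill-switch domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) that a researcher registered to halt the first wave. The script below is an added example written for this digest, not Alert Logic's detection content; it runs both checks over constructed connection and DNS log lines. The log line formats, the fan-out threshold and window, and the sample hosts are assumptions; the kill-switch domain is the documented one.

```python
"""Spot WannaCry-style activity in connection and DNS logs.

Added example for this digest, not Alert Logic code. Two signals are checked:
  1. a host opening TCP/445 to many distinct peers in a short window, the
     worm's scan-and-exploit behaviour;
  2. a host resolving the kill-switch domain WannaCry queried before running
     its payload (the domain is a documented fact; the log formats, thresholds
     and sample hosts below are assumptions made for the demo).
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timezone

KILL_SWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}
SMB_PORT = 445


def parse_ts(s: str) -> datetime:
    """Assumed timestamp format: ISO 8601 in UTC, e.g. 2017-05-12T10:01:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def smb_fanout(conn_lines, threshold: int = 20, window_s: int = 60) -> dict:
    """Map source IP -> peak number of distinct TCP/445 targets within any
    `window_s` span, for sources whose peak reaches `threshold`.
    Assumed line format: '<ISO8601 UTC> <src> <dst> <dport> <proto>'."""
    events = defaultdict(list)
    for line in conn_lines:
        ts, src, dst, dport, proto = line.split()
        if proto == "tcp" and int(dport) == SMB_PORT:
            events[src].append((parse_ts(ts), dst))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        window, live, peak = deque(), Counter(), 0
        for t, dst in evs:
            window.append((t, dst))
            live[dst] += 1
            # Slide the window: drop connections older than window_s seconds.
            while (t - window[0][0]).total_seconds() > window_s:
                _, old_dst = window.popleft()
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
            peak = max(peak, len(live))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def kill_switch_lookups(dns_lines) -> dict:
    """Map source IP -> the kill-switch name it queried (www. prefix included).
    Assumed line format: '<ISO8601 UTC> <src> <qname>'."""
    hits = {}
    for line in dns_lines:
        _, src, qname = line.split()
        q = qname.lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in KILL_SWITCH_DOMAINS):
            hits[src] = qname
    return hits


# Constructed sample logs (not real captures): 10.0.0.5 behaves like an infected
# host, sweeping 10.0.1.0/24 on 445 and resolving the kill switch; 10.0.0.7 is a
# normal workstation talking to two file servers over a few minutes.
SAMPLE_CONN = [f"2017-05-12T10:01:{i:02d}Z 10.0.0.5 10.0.1.{i + 1} 445 tcp" for i in range(30)]
SAMPLE_CONN += [
    "2017-05-12T10:01:05Z 10.0.0.7 10.0.0.2 445 tcp",
    "2017-05-12T10:03:40Z 10.0.0.7 10.0.0.2 445 tcp",
    "2017-05-12T10:04:10Z 10.0.0.7 10.0.0.3 445 tcp",
]
SAMPLE_DNS = [
    "2017-05-12T10:00:58Z 10.0.0.5 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "2017-05-12T10:02:00Z 10.0.0.7 update.microsoft.com",
]

if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout(SAMPLE_CONN))
    print("kill-switch lookups:", kill_switch_lookups(SAMPLE_DNS))
```

On the sample data the scanner reaches 30 distinct 445 targets inside one window and is reported, while the workstation peaks at two and is not. The kill-switch lookup is worth alerting on even when the domain resolves, because the query only happens after the dropper has already executed on that host; a resolution that failed (NXDOMAIN) means the payload went on to encrypt.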

This Week's Suspicious IP Addresses

13.107.6.151
188.95.50.56
185.154.53.33
59.45.175.66
221.194.44.212
107.150.38.226

*IP addresses provided by Recorded Future.