Saturday, February 21, 2015

Fighting a Hydra named Dyre/Dyreza/Upatre

So pretty much for the past month across the ranchlands, we have been in non-stop battle with a nasty piece of work known as Dyre/Dyreza/Upatre.

From all appearances it slipped past the security perimeter via an outside email source; bundled with a simple social-engineering email body, the trap was laid.

Patient zero clicked the attachment to view a “fax message” helpfully attached to the email, and the game was on.

Gradually the various security and response teams were able to tighten the noose and finally gain the upper hand.

Our network deep-packet inspection tools were quickly refined so they could better hone in on and identify infected systems’ communications, allowing those systems to be targeted for remediation.

The noose tightened as our email systems were updated to filter out emails containing these payloads and prevent them from reaching employees.

Momentum mounted as our AV providers’ signature detection file sets caught up and became sharper and significantly more effective with on-system detection.

Fast-responding network administrators were able to use the gathered incident intelligence to track down infected systems showing up in various reports and cut them off from the network.

Relentlessly persistent technical first-line teams were able to secure-wipe and reimage infected systems as they were detected, and eventually return the users to production capability.

Passwords were changed, and users of infected systems were strongly encouraged to change any personal passwords as well if they had logged into any non-business secure websites – say online banking or bill-paying sites.

So here are some resources regarding this particular type of malware; it pays to know your enemy.

Constant Vigilance!

--Claus Valca
