How to detect and mitigate GOLD TAHOE attacks
Exploiting file transfer services gives threat groups like Clop operator GOLD TAHOE, the group behind the MOVEit Transfer attacks, access to shared files. Some of these may come from third parties, as for example in the Zellis payroll compromise, which formed part of the MOVEit Transfer attacks.
HOW GOLD TAHOE (TA505, FIN11) CONDUCTS ITS ATTACKS
Enforce a retention policy on shared files to ensure data is available for only as long as it is needed.
Protect highly sensitive data (like PII) with file-level encryption that requires a key that is not stored on the file sharing service.
Implement auditing so that, if a breach occurs, it can be quickly determined which files were present during the relevant time period(s).
Implement network flow monitoring to detect and alert on large data transfers for on-premises solutions.
Encrypt data in transit and at rest.
Enable alerting that indicates when files are being accessed and monitor for anomalies.
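The network flow monitoring and file access alerting steps above can be approximated with a detection rule run over the file transfer service's own access log: one alert per account and source address whose downloads in a short sliding window exceed a byte budget or touch too many distinct files. The block below is an added example, not Secureworks' or MOVEit's code; the log format, sample lines, account names and thresholds are all constructed for illustration.

```python
# Added example, not Secureworks' or MOVEit's code: flag bulk downloads in
# file-transfer access logs. Log format, sample lines and thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <src_ip> <action> <file> <bytes>"
SAMPLE_LOG = """\
2023-06-01T09:02:11 alice 10.0.0.5 download payroll/2023-05.xlsx 240000
2023-06-01T09:15:40 bob 10.0.0.9 upload hr/offer-letter.pdf 120000
2023-06-01T23:41:02 svc_moveit 203.0.113.7 download payroll/2023-05.xlsx 240000
2023-06-01T23:41:05 svc_moveit 203.0.113.7 download payroll/2023-04.xlsx 238000
2023-06-01T23:41:09 svc_moveit 203.0.113.7 download hr/employees.csv 910000
2023-06-01T23:41:15 svc_moveit 203.0.113.7 download hr/bank-details.csv 1300000
2023-06-02T10:05:00 alice 10.0.0.5 download hr/offer-letter.pdf 120000
"""

def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[5].isdigit():
            continue
        ts, user, ip, action, path, size = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "action": action, "file": path, "bytes": int(size)})
    return events

def find_bulk_downloads(events, window=timedelta(minutes=10),
                        max_bytes=2_000_000, max_files=3):
    """One alert per (user, source IP) whose downloads inside any sliding
    window exceed max_bytes or touch more than max_files distinct files."""
    per_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "download":
            per_actor[(e["user"], e["ip"])].append(e)
    alerts = []
    for (user, ip), evs in per_actor.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1          # slide the window forward
            chunk = evs[start:end + 1]
            total = sum(x["bytes"] for x in chunk)
            files = {x["file"] for x in chunk}
            if total > max_bytes or len(files) > max_files:
                alerts.append({"user": user, "ip": ip, "from": chunk[0]["ts"],
                               "bytes": total, "files": len(files)})
                break               # one alert per actor is enough to page on
    return alerts
```

Run against the sample, the daytime analyst activity passes and the four-file burst from the service account at 23:41 is the only alert; tune `window`, `max_bytes` and `max_files` to the normal volume of your own service before alerting on it.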
Download the Secureworks State of the Threat report for more advice on securing your most valuable business assets.
While there is little an organization can do to prevent a breach of a trusted third party, especially through the abuse of a zero-day vulnerability in the vendor's platform, the steps above help detect and mitigate the threat posed by GOLD TAHOE.
© 2024 SecureWorks, Inc. All rights reserved.