Defending Organizations Through Expertise & Action.

Case Study: Ransomware Intrusion Investigation

Axion Global LLC Cybersecurity Solutions was engaged to investigate and respond to a ransomware-related intrusion impacting a customer environment. Initial analysis identified unauthorized VPN access using a compromised account that did not have Multi-Factor Authentication (MFA) enabled.

Following successful authentication, the Threat Actor (TA) deployed an unauthorized Remote Monitoring and Management (RMM) tool to establish persistence and facilitate additional activity inside the environment. The TA subsequently leveraged multiple commercially available tools to conduct reconnaissance, identify sensitive data repositories, and prepare information for exfiltration.

During the investigation, forensic artifacts and log analysis revealed that sensitive data had been staged and exfiltrated using Rclone, a commercially available cloud synchronization utility frequently abused during ransomware operations.

Key Findings

• Compromised VPN account without MFA protections enabled
• Unauthorized RMM deployment for persistence and remote administration
• Use of commercial reconnaissance and administrative tooling
• Data staging and exfiltration activity identified through forensic analysis
• Rclone leveraged for cloud-based data exfiltration operations
• Threat Intelligence review identified infostealer malware on a compromised endpoint
• Credential theft enabled abuse of legitimate user access

Response Activities

• Incident containment and credential invalidation
• Forensic imaging and endpoint artifact preservation
• Threat hunting across systems and VPN infrastructure
• Malware and persistence mechanism analysis
• Log correlation and timeline reconstruction
• Exfiltration verification and impact assessment
• Security hardening recommendations including MFA enforcement

---

Case Study: Adversary-in-the-Middle (AiTM) Email Compromise Investigation

Axion Global LLC Cybersecurity Solutions responded to a Business Email Compromise (BEC) incident involving an Accounts Payable employee whose corporate email account had been compromised through an Adversary-in-the-Middle (AiTM) phishing attack.

The incident was initially identified after the customer discovered fraudulent emails had been sent from a legitimate employee account to vendors and suppliers requesting unauthorized payment changes and fraudulent financial transactions.

Investigation of authentication logs, email activity, browser artifacts, and workstation forensic evidence determined the user had been lured to a fraudulent login portal masquerading as a legitimate cloud authentication service. The user unknowingly entered valid credentials and approved Multi-Factor Authentication (MFA) requests while interacting with the fraudulent site.

The Threat Actor leveraged an AiTM phishing framework to intercept session information and authentication tokens in real time. This allowed the actor to authenticate to the legitimate cloud email environment as the user, bypassing standard MFA protections and establishing an authenticated session.

Following account compromise, the Threat Actor monitored email communications, created fraudulent payment conversations with vendors, and distributed unauthorized financial requests that resulted in subsequent monetary loss.

Key Findings

• User credentials and MFA session tokens intercepted through AiTM phishing infrastructure
• Unauthorized access to legitimate cloud email environment
• Fraudulent vendor communications distributed from trusted user account
• Mailbox monitoring rules and persistence mechanisms identified
• Evidence of account reconnaissance and financial targeting activity
• Authentication logs correlated to suspicious geographic access patterns and session anomalies

Response Activities

• Containment of compromised accounts and revocation of active sessions
• Password resets and MFA re-enrollment procedures
• Forensic analysis of affected workstations and browser artifacts
• Review of email forwarding rules and mailbox permissions
• Threat hunting for additional compromised accounts
• Identification and notification of impacted vendors and suppliers
• Security recommendations including phishing-resistant MFA and user awareness training