January Security Incident Follow-up Report
In January 2014, eWON was the victim of a cyber-attack. All necessary counter-measures were taken within a couple of days to protect both eWON devices and our customers' assets. No suspicious activity has been detected since then. This Incident Follow-up Report describes the main actions performed since January 27, 2014 regarding Security Incident ref. #4922.
- January 27, 2014: Cyber security incident #4922 raised
- January 30, 2014: End of security incident #4922
- June 30, 2014: Five months later, Symantec publishes its Dragonfly report
- July 3, 2014: Incident follow-up report
Incident Description: Reminder
Back in January 2014, the eWON commercial web site www.ewon.biz was compromised. A tampered eCatcherSetup.exe file was uploaded into the CMS (Content Management System) of the www.ewon.biz web site, and the eCatcher download hyperlinks were rerouted to this tampered file. The tampered eCatcherSetup.exe contained malware that could, under restricted conditions, compromise the Talk2M login credentials of the infected user.
The Talk2M database and infrastructure (all components) were not affected: Talk2M is hosted in separate datacenters operated by hosting companies and is subject to much stricter security standards than the commercial web site.
eWON took several actions to counter the attack. A security incident report, ref. #4922, was published on January 30, 2014 to inform our customers about the nature of the incident and the actions that were taken. The information was also published on our commercial websites and is still available there.
The tampered installer targeted eCatcher 4.0 specifically. No other version was compromised.
Immediate Corrective Actions Follow-up
The major corrective actions completed by January 30, 2014 were:
Jan 27 (Day 0):
- Compromised website immediately cleaned and secured.
- All user passwords reset.
- Checked for infected users within the company; none were found.
Jan 30 (Day 3):
- Platform access disabled for potentially compromised software.
- Public release of the eCatcher 4.1 software upgrade to address the vulnerability:
  - This version is immune to the malware.
  - This version contains an automatic detection and removal tool for the malware.
- All platform access from the potentially compromised eCatcher 4.0 permanently disabled; users forced to upgrade to eCatcher 4.1.
- Identification of all new users and password changes that could potentially have been made by the attackers.
- Malware information submitted to McAfee.
- Official security incident report (ref. #4922) published on the eWON and Talk2M web sites and emailed to our customer database.
- An official complaint filed with the Federal Computer Crime Unit.
The results are:
- No connections from the potentially compromised eCatcher 4.0 software since January 30.
- All potentially compromised logins invalidated to prevent unauthorized use by the attackers.
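As an added illustration of the platform-side gate described in the January 30 actions (refusing connections from eCatcher 4.0 and forcing the upgrade to 4.1), the following Python is example code written for this report; it is not eWON's own Talk2M code. The "major.minor[.patch]" format of the version string the client reports, the user names and the connection records are constructed assumptions, not data from the incident.

```python
import re
from dataclasses import dataclass

# Minimum eCatcher version the platform accepts after the incident:
# 4.0 was the tampered release, 4.1 the fixed one. That the client
# reports a plain "major.minor[.patch]" string is an assumption made
# for this example, not something the report states.
MIN_CLIENT_VERSION = (4, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Parse 'major.minor[.patch]' into a comparable tuple of ints.

    Anything else (empty string, letters, pre-release suffixes, extra
    components) raises ValueError so that the caller can fail closed.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable client version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


@dataclass
class GateDecision:
    allowed: bool
    reason: str


def gate_client(reported_version):
    """Decide whether a connecting eCatcher client may reach the platform.

    Only clients at or above MIN_CLIENT_VERSION are admitted. A client
    that omits or garbles its version is rejected rather than waved
    through: the gate must not be bypassable by simply not reporting.
    """
    try:
        version = parse_version(reported_version)
    except ValueError as err:
        return GateDecision(False, str(err))
    if version[:2] < MIN_CLIENT_VERSION:
        return GateDecision(
            False,
            f"client {reported_version} is below 4.1; upgrade to eCatcher 4.1 required",
        )
    return GateDecision(True, "ok")


# Constructed sample connection attempts (user, reported version);
# these are illustrative records, not data from the incident.
SAMPLE_CONNECTIONS = [
    ("user-a", "4.0"),
    ("user-b", "4.1"),
    ("user-c", "4.0.3"),
    ("user-d", "4.10"),
    ("user-e", ""),
    ("user-f", "4.1-beta"),
]


def triage(connections):
    """Split connection attempts into admitted users and rejected (user, reason) pairs.

    The reason lets the operator distinguish an old version (a user who
    still needs to be pushed to the upgrade) from an unparseable one
    (possibly a tampered or non-eCatcher client).
    """
    admitted, rejected = [], []
    for user, version in connections:
        decision = gate_client(version)
        if decision.allowed:
            admitted.append(user)
        else:
            rejected.append((user, decision.reason))
    return admitted, rejected


if __name__ == "__main__":
    ok, blocked = triage(SAMPLE_CONNECTIONS)
    print("admitted:", ok)
    for user, why in blocked:
        print(f"rejected {user}: {why}")
```

Two design points matter more than the comparison itself: the gate fails closed (an empty or malformed version string such as "4.1-beta" is rejected, not admitted), and the comparison is done on parsed integer tuples, so "4.10" correctly ranks above "4.1" rather than being compared as text.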
Permanent Corrective Actions
As security is a major concern for eWON and its customers, a plan has been set up for the continuous improvement of our solutions:
- Additional actions are being taken for the long-term hardening of our commercial websites.
- Malware auto-removal tool embedded in all versions of the eCatcher setup.
- eCatcher software and all other downloads are stored in a single protected location, separate from the corporate web site.
- Implementation of Talk2M two-factor authentication (additional confirmation of the user's identity via an SMS sent to a predefined user mobile phone).
- Update of the internal incident reporting process to include immediate submission of malware/threat information to major anti-virus companies, CERT teams and cyber-security professionals.
Following an in-depth analysis of the attack, established cyber-security companies including F-Secure and Symantec have attributed the attack that targeted eWON in January 2014 to the group known as Energetic Bear (named Dragonfly by Symantec). The malware used by this group is known as the Havex RAT.
For additional information, please read the related F-Secure or Symantec blog posts:
http://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat-energetic-bear (This report is partially based on information disclosed by eWON to Symantec.)
Five months after the incident, we still have no indication of unauthorized activity on any Talk2M account.