Pure Storage Breach Incident Score: Analysis & Impact (PUR4402144112025)

In this Rankiteo incident briefing, we review the Pure Storage breach identified under incident ID PUR4402144112025.

The analysis begins with a detailed overview of Pure Storage's information like the linkedin page: https://www.linkedin.com/company/purestorage, the number of followers: 530111, the industry type: IT Services and IT Consulting and the number of employees: 7087 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 766 and after the incident was 668 with a difference of -98 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Pure Storage and their customers.

A newly reported cybersecurity incident, "Global Data Storage Company Hit by Akira Ransomware via Fake CAPTCHA Attack", has drawn attention.

A global data storage and infrastructure company faced a severe ransomware incident after an employee unknowingly initiated an attack through a fake CAPTCHA challenge.

The disruption is felt across the environment, affecting virtual machines, domain controllers and cloud backup containers, and exposing 1 TB (confidential archives, PII, and operational data).

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like isolation of affected systems, deletion of attacker backdoors and revocation of compromised credentials, and began remediation that includes rebuilt servers and domain controllers with hardened configurations, network segmentation and Kerberos ticket rotation, while recovery efforts such as restoration from backups (partial, due to deleted cloud containers) and reconstruction of encrypted networks continue.

The case underscores how completed (post-incident analysis and remediation implemented), teams are taking away lessons such as Advanced security tools (EDR/SIEM) are ineffective without proper tuning and active monitoring, Visibility gaps between log collection and threat detection enable prolonged intrusions and Social engineering (e.g., fake CAPTCHA) remains a potent initial access vector, and recommending next steps like Implement and tune EDR/SIEM platforms for active threat detection (not just log collection), Deploy network segmentation to limit lateral movement and Enforce Kerberos ticket rotation and privilege access management (PAM).

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing: Spearphishing Link (T1566.002) with high confidence (95%), supported by evidence indicating fake CAPTCHA challenge on a compromised car dealership website (ClickFix script) and Drive-by Compromise (T1189) with high confidence (90%), supported by evidence indicating malicious script (ClickFix) deployed via compromised website. Under the Execution tactic, the analysis identified Command and Scripting Interpreter: PowerShell (T1059.001) with moderate to high confidence (85%), supported by evidence indicating sectopRAT (NET-based RAT) implies script-based execution and Command and Scripting Interpreter: Visual Basic (T1059.005) with moderate to high confidence (80%), supported by evidence indicating clickFix script (often VB-based) for initial payload delivery. Under the Persistence tactic, the analysis identified Server Software Component: Web Shell (T1505.003) with high confidence (90%), supported by evidence indicating command-and-control backdoor established post-exploitation, Valid Accounts: Domain Accounts (T1078.002) with high confidence (95%), supported by evidence indicating stole domain admin credentials for persistent access, and External Remote Services (T1133) with high confidence (90%), supported by evidence indicating sectopRAT (RAT) for persistent C2 communication. Under the Privilege Escalation tactic, the analysis identified Valid Accounts: Domain Accounts (T1078.002) with high confidence (95%), supported by evidence indicating stole domain admin credentials via reconnaissance and Steal or Forge Kerberos Tickets: Golden Ticket (T1558.001) with moderate to high confidence (85%), supported by evidence indicating weak credential management (golden ticket risk) and post-incident Kerberos ticket rotation. Under the Defense Evasion tactic, the analysis identified Indicator Removal: File Deletion (T1070.004) with high confidence (95%), supported by evidence indicating deleted cloud backups to hinder recovery, Impair Defenses: Disable or Modify Tools (T1562.001) with high confidence (90%), supported by evidence indicating poor tuning of EDR platforms enabled evasion; attackers exploited visibility gap, and Masquerading: Match Legitimate Name or Location (T1036.005) with moderate to high confidence (80%), supported by evidence indicating fake CAPTCHA mimicked legitimate website functionality. Under the Credential Access tactic, the analysis identified OS Credential Dumping: LSASS Memory (T1003.001) with high confidence (90%), supported by evidence indicating stole domain admin credentials via post-exploitation tools and Credentials from Password Stores: Credentials from Web Browsers (T1555.003) with moderate to high confidence (80%), supported by evidence indicating likely used to harvest credentials during lateral movement (implied by RDP/SSH/SMB abuse). Under the Discovery tactic, the analysis identified Account Discovery: Domain Account (T1087.002) with high confidence (90%), supported by evidence indicating reconnaissance phase targeting domain admin credentials and System Network Configuration Discovery (T1016) with moderate to high confidence (85%), supported by evidence indicating lateral movement via RDP/SSH/SMB suggests network mapping. Under the Lateral Movement tactic, the analysis identified Remote Services: Remote Desktop Protocol (T1021.001) with high confidence (95%), supported by evidence indicating lateral movement via RDP, Remote Services: SSH (T1021.004) with high confidence (95%), supported by evidence indicating lateral movement via SSH, and Remote Services: SMB/Windows Admin Shares (T1021.002) with high confidence (90%), supported by evidence indicating lateral movement via SMB. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (95%), supported by evidence indicating exfiltrated ~1 TB of confidential data using local tools and Data Staged: Local Data Staging (T1074.001) with high confidence (90%), supported by evidence indicating winRAR used to stage data before exfiltration. Under the Command and Control tactic, the analysis identified Proxy: External Proxy (T1090.004) with moderate to high confidence (85%), supported by evidence indicating sectopRAT (RAT) implies C2 traffic via proxied channels and Non-Application Layer Protocol (T1095) with moderate to high confidence (80%), supported by evidence indicating c2 backdoor likely used non-standard protocols to evade detection. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Channel (T1048.002) with high confidence (90%), supported by evidence indicating fileZillaPortable (supports SFTP/FTPS) for exfiltrating 1 TB and Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with moderate to high confidence (85%), supported by evidence indicating possible use of HTTP/HTTPS or DNS tunneling via FileZilla. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (100%), supported by evidence indicating encrypted networks using Akira ransomware, Data Destruction (T1485) with high confidence (95%), supported by evidence indicating deleted cloud backups to prevent recovery, and Endpoint Denial of Service: Application Exhaustion Flood (T1499.004) with moderate to high confidence (80%), supported by evidence indicating complete operational shutdown via encrypted VMs/networks. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.