We often talk about data protection and how to prevent exfiltration as malware and ransomware attacks of every kind continue to proliferate. Yet the reality is that companies are still doing too little.
Cyberoo’s Incident Response team was recently engaged by a company after a PC used for quality control on a production line was compromised by Stealer-type malware.
The incident response activity, extended over the entire infrastructure of the attacked company, detected no indicators of compromise other than on the PC in question, which had received several connections from outside the network via remote access software.
Forensic analysis revealed a connection during off-hours using restricted-access credentials. It became evident that those credentials had ended up in the hands of malicious actors.
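The finding above (an off-hours session from outside the network using privileged credentials) is exactly the kind of event a remote-access log review should surface before an incident response team has to. The following is an added example, not Cyberoo’s tooling or code from the original write-up: it parses a constructed, pipe-delimited session log (the format, the user names, the IP ranges and the 07:00–19:00 business-hours window are all assumptions) and flags sessions that are off-hours, originate from a non-internal address, or combine either of those with a privileged account.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample of remote-access session events (not from the page).
# Assumed format: ISO timestamp | user | source IP | tool | event
SAMPLE_LOG = """\
2024-03-11T09:12:44 | qc_operator | 10.0.5.23 | remote-tool | session_start
2024-03-11T14:03:10 | qc_operator | 10.0.5.23 | remote-tool | session_start
2024-03-12T02:47:31 | qc_admin | 203.0.113.77 | remote-tool | session_start
2024-03-12T23:15:02 | qc_operator | 198.51.100.9 | remote-tool | session_start
2024-03-13T10:30:00 | qc_admin | 10.0.5.40 | remote-tool | session_start
"""

# Assumed internal address space; 203.0.113.0/24 and 198.51.100.0/24 above
# are RFC 5737 documentation ranges standing in for "the internet".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = (7, 19)          # assumed: 07:00 <= hour < 19:00
PRIVILEGED = {"qc_admin"}         # assumed privileged / restricted-access accounts

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \| (?P<user>\S+) \| (?P<ip>\S+) \| (?P<tool>\S+) \| (?P<event>\S+)$"
)


def parse_log(text):
    """Turn the raw log text into a list of dicts, skipping lines that do not match."""
    records = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["line_no"] = line_no
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["ip"] = ipaddress.ip_address(rec["ip"])
        records.append(rec)
    return records


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def assess(rec):
    """Return the list of reasons a session is suspicious (empty = nothing to flag)."""
    reasons = []
    if not (BUSINESS_HOURS[0] <= rec["ts"].hour < BUSINESS_HOURS[1]):
        reasons.append("off_hours")
    if rec["ts"].weekday() >= 5:          # Saturday/Sunday
        reasons.append("weekend")
    if not is_internal(rec["ip"]):
        reasons.append("external_source")
    # A privileged account is only an aggravating factor on top of another anomaly;
    # an admin working from inside during business hours is normal.
    if rec["user"] in PRIVILEGED and reasons:
        reasons.append("privileged_account")
    return reasons


def find_suspicious(text):
    """Parse the log and return one alert dict per session worth an analyst's attention."""
    alerts = []
    for rec in parse_log(text):
        if rec["event"] != "session_start":
            continue
        reasons = assess(rec)
        if reasons:
            alerts.append({"line_no": rec["line_no"], "user": rec["user"],
                           "ip": str(rec["ip"]), "ts": rec["ts"].isoformat(),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG):
        print(f"line {a['line_no']}: {a['ts']} {a['user']} from {a['ip']} -> {', '.join(a['reasons'])}")
```

Run against the constructed sample, the two night-time sessions from external addresses are flagged, the 02:47 one additionally as a privileged-account anomaly, while the three daytime internal sessions are left alone. The same three rules map directly onto the mitigations the case points to: restricting the remote-access tool to known source networks and adding MFA removes the external_source and credential-theft paths, and alerting on off-hours privileged sessions shortens the window between compromise and detection.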
While the company’s IT staff, following the directions of the incident response team, changed all credentials and enabled multi-factor authentication on every application and system that supported it, Cyberoo analysts examined the user endpoints and found Stealer-type malware on one of them.
Not only that. A file containing sensitive information (including credentials), the absence of an EDR, and an unsupported version of the operating system also came to light.
The attack cost the company three days of shutdown of its production and logistics department, since there were no backups. The PC had to be completely reinstalled, and the little data that survived was recovered by data carving.
Malware: the negligence that facilitates the attack
Obsolete software, careless safekeeping of credentials, and the abuse of superficially configured and almost never updated remote access tools make life easy for attackers and cause incalculable damage to companies.
On top of this, many organizations still do not implement adequate procedures and technologies to manage their supply chain, do not have adequate backup policies, and do not subscribe to cyber intelligence services that can detect, among many other things, the presence on the dark web of credentials traceable to their organization, so that appropriate countermeasures can be taken quickly.