After being infected by an aggressive form of malware, a private healthcare organisation leveraged support from Redscan’s ThreatDetect™ EDR service to help eliminate it quickly and effectively.
As a private healthcare organisation, Redscan’s client processes large volumes of patient data, including highly sensitive medical records.
To improve the protection of this information beyond the level of security offered by traditional perimeter solutions, the organisation is a subscriber to ThreatDetect - a specialist managed detection and response service supplying the people, technology and intelligence needed to swiftly identify and help address a wide range of threats.
When Redscan’s client was targeted by a sophisticated type of malware that sought to harvest employee credentials and exfiltrate data, Redscan’s experts were on hand to quickly identify, investigate and respond to the attack to minimise operational disruption and prevent patient details from being stolen.
Proactive Intrusion Detection System (IDS) and Security Information and Event Management (SIEM) monitoring are key features of Redscan’s ThreatDetect Network MDR service that help to identify attacks targeting on-premise, cloud and hybrid IT environments.
Having first become aware of some suspicious port-scanning activity on the client’s infrastructure, Redscan’s Cyber Security Operations Centre (CSOC) analysts were aware that an attack could be imminent.
Endpoint Detection & Response is an optional, but increasingly valuable part of the ThreatDetect service that Redscan delivers to its clients. In this case, Carbon Black’s Response solution was deployed across a series of the organisation’s endpoints deemed to be high risk, enabling Redscan’s CSOC analysts to achieve greater event visibility, enhance threat hunting and perform swifter incident response.
On this occasion, it was Cb Response that first alerted the Redscan team to the presence of malware on two of the client’s host machines. A Redscan analyst set about quickly investigating the alarm and within several minutes was able to establish that the alert was a true positive. Malware with an unknown signature had been detected and was attempting to terminate and delete the host’s Windows Defender Service, as well as connect to a series of known malicious IP addresses.
A priority two (P2) incident was promptly raised to the client by the CSOC via Redscan CyberOps, the threat notification and analytics platform included as part of ThreatDetect. By accessing CyberOps, the client was able to obtain a full overview of the incident and the remediation guidance needed to respond accordingly. On this occasion the advice was to isolate the infected hosts from the environment, perform a full malware scan and block the observed malicious IPs at the perimeter firewall.
That wasn’t to be the end of the incident however.
Increasing incident severity
Almost immediately after notifying the client of the incident, the Redscan team detected the same malware on two additional hosts, prompting the incident to be escalated to a P1 – a level of classification reserved for critical incidents which pose an extremely high degree of risk.
Redscan’s incident response playbook for malware infections was in full execution at this point. To prevent additional infections, the CSOC used Cb Response to ban the signature of the identified malware binaries and, with the client’s authorisation, used the same tool’s incident response capabilities to quickly isolate all infected hosts from the network.
Investigating the kill chain
Upon containing the malware, the Redscan team set about analysing the kill chain of the attack – how it was able to obtain a foothold on the client’s network and spread so quickly.
By recording each and every file execution and modification, registry change, network connection and binary execution across all installed hosts, Cb Response is an important tool that helps the
Redscan CSOC team perform more detailed digital forensics to inspect deeper into IT networks for signs of malicious activity.
One of the binaries that Cb Response identified was attached to the roaming Windows® profile of one particular employee, who had logged into multiple endpoints, thus spreading the infection in the process.
The malware detected, Trickbot, was a Trojan designed to harvest user credentials, exfiltrate data and add infected hosts to a botnet of devices.
While forensic investigation of network and endpoint log files revealed no evidence of data loss, the malware was observed to have conducted an internal network IP scan – designed to obtain
DNS information about the network which could be used to help attackers spoof network addresses for social engineering scams.
Owing to the advanced, persistent nature of the malware, identifying the source of the attack proved harder to ascertain. Previous variations of the Trickbot malware are known to be widely distributed by spam emails as well as infected attachments and URLs. The team had no reason to suspect that the source of this infection was anything different.
A highly persistent threat
In the week that followed detection of the original four malware infections, the Redscan’s CSOC team observed 12 additional malware binaries resident on hosts, each with a different signature and attempting to communicate with malicious IP addresses in locations including Russia, Germany, France and Canada. The new infections were linked to the roaming profiles of a number of employees, including a system administrator.
Whenever a new infected host was identified, it was quickly isolated from the network for a minimum of 12 hours and scanned to remove the infection. As an additional precaution, particularly given the evidence that a system administrator had been compromised, all of the client’s employees were encouraged to reset their Windows login credentials.
Further forensic investigation by the Redscan team revealed references, within the malware’s code, to RDP-related registry keys. Disabling remote desktop in Windows to mitigate the risk of any unauthorised connections was subsequently recommended.
Preventing future incidents
After receiving confirmation that all infected machines had been successfully cleaned, and with no new infections reported, the incident was finally closed by the Redscan team. Given the severity of the incident, a detailed report was prepared for the client. This included a full event timeline, detailing all actions taken, and a list of recommendations to help mitigate the risk of future attacks.
The advanced persistent nature of Trickbot, and other forms of malware, means that future attacks cannot be discounted. With ThreatDetect Network MDR and Endpoint EDR, the client can be sure, however, that it will be ready to respond quickly and effectively should any anomalous activity present itself.
Ensure that antivirus software is continually updated to detect the latest malicious file signatures.
Block external IP addresses identified as malicious to prevent malware from receiving instructions from a Command and Control (C2) server.
Any infected machines should be isolated from network as soon as possible, scanned to quarantine any infection, and left in isolation for a minimum of 12 hours.
Regular security training can help to instil best practice and improve awareness of the latest social engineering and malware attacks.
Use of MFA provides an extra layer of authentication by requiring users to enter a verification code, received via phone call, text message, or a mobile application, to access systems that process personal data.
“Redscan staff are always on hand to provide swift, clear advice. They help us keep a constant eye on our network and respond quickly to incidents to ensure systems remain operational.”
"Our partnership with Redscan has been one of the most successful that we have ever undertaken"
"Redscan's cost effective service gives us peace of mind that we are doing all we can to protect our clients, our business, our staff, our counterparties and other partners"
"We have been very impressed by the quality of Redscan’s engagement, communication and reporting. We will not hesitate to use them for any future testing requirements."
“Services like ThreatDetect are few and far between.”
from blog
Penetration testing (or pen testing) should form a crucial part of every cyber security strategy, but to get the most value from assessments, organisations need to ensure that …
Last updated: 20th January, 9.45am. A critical Citrix vulnerability (CVE-2019-19781) is currently under mass exploitation. To detect if your organisation is compromised, Redscan has developed a script that …
This content is blocked. Accept cookies to view the content.
We use cookies for security, to optimise your browsing experience and anonymously analyse site traffic.
Accepting necessary cookies is required to provide you with a minimum level of service. Cookie Statement
