Situation
NCC Group’s Security Operations Center (SOC) identified a potentially dangerous threat for an organization operating in the global commodities sector.
Upon receiving an alert during routine monitoring, NCC Group’s SOC analysts were able to identify, trace and contain the potential attack, communicating extensively with the customer throughout the incident.
Doing so enabled the organization to adjust its defensive posture, ensuring that it is better positioned to deal with similar attacks in the future.
At a Glance
Organization - Global Commodities Organization
Industry - Commodities
Challenge - Providing a response to a dangerous threat identified by NCC Group’s SOC at the organization
Solution - NCC Group’s SOC analysts identified, traced, and contained the attack, nullifying the risk
Result - Due to the rapid response of the SOC analysts, the incident was successfully contained, preventing the malicious actor from gaining access to valuable information
Challenge
An NCC Group customer in the global commodities sector was the target of an attempted data exfiltration attack. NCC Group's Managed Detection and Response service, delivered by its Security Operations Center (SOC) analysts, identified and contained the threat. Follow-up intelligence work revealed both the likely attribution and the likely intent of the attack.
During routine monitoring, the NCC Group SOC received an alert from the endpoint detection solution indicating that unusual PowerShell activity had been identified. PowerShell is a scripting language and shell built into Windows that provides deep access to the operating system, including unrestricted access to Windows APIs.
PowerShell is often used by malicious actors because it can be relatively low profile: since it is an inherent part of Windows, the commands it executes blend in with legitimate administrative activity and are frequently overlooked by security software.
In this instance, a user was lured by a bogus Google Chrome update. This ‘update’ initiated PowerShell activity and tried to import and execute a malicious Dynamic Link Library (.dll) file. This in turn was designed to act as a loader for further pieces of malware, with the likely end goal of theft of commercially sensitive information.
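As an added illustration, and not part of the original case study or NCC Group's own tooling, the Python script below shows the kind of triage logic a SOC might run over PowerShell process-creation events to surface the chain described above: a bogus browser update launched from a user's Downloads folder spawning PowerShell that loads a DLL from a user-writable path. The event records, their field names, and the indicator patterns are constructed assumptions for this example, not the schema or detection rules of any particular endpoint product.

```python
"""Triage PowerShell process-creation events for a fake-update loader chain.

Added example, not NCC Group's tooling. The event shape is a constructed,
simplified process-creation record (image, parent image, command line);
it is not the schema of any particular EDR product.
"""
import re
from typing import Dict, List

# Constructed sample events modelled on the chain in the case study: a user runs
# a bogus "Chrome update" from Downloads, which spawns PowerShell that loads a
# DLL from a user-writable directory. The two benign events are included so the
# rules can be seen to stay quiet on ordinary administrative use.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign: scheduled maintenance script from a protected location
        "pid": "1001",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "command_line": r'powershell.exe -File "C:\Program Files\IT\cleanup.ps1"',
    },
    {   # suspicious: bogus update in Downloads spawns hidden PowerShell loading a DLL from %TEMP%
        "pid": "2042",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Users\jdoe\Downloads\GoogleChromeUpdate.exe",
        "command_line": (r'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command '
                         r'"Import-Module C:\Users\jdoe\AppData\Local\Temp\upd.dll"'),
    },
    {   # benign: an administrator at an interactive console
        "pid": "3077",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": "powershell.exe Get-Process | Sort-Object CPU",
    },
]

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
# Paths an ordinary user can write to: a common home for dropped payloads.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData)\\|\\Temp\\|%temp%", re.I)
# File names that imitate a browser update installer (assumed lure pattern).
UPDATE_LURE = re.compile(r"(chrome|google|browser)[-_ ]*(update|upd|setup)", re.I)
# Switches that hide the console or disable script policy checks.
EVASION_FLAGS = re.compile(r"-(w(indowstyle)?\s+hidden|e(p|xecutionpolicy)?\s+bypass|nop(rofile)?)\b", re.I)
# Cmdlets and helpers that bring a DLL into the process.
DLL_LOAD = re.compile(r"(import-module|add-type|reflection\.assembly|rundll32)[^;]*\.dll", re.I)


def score_event(event: Dict[str, str]) -> List[str]:
    """Return the indicators matched by one process-creation event.

    An empty list means nothing in the event resembles the fake-update loader chain.
    """
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    if image_name not in POWERSHELL_IMAGES:
        return []
    reasons: List[str] = []
    parent = event["parent_image"]
    cmd = event["command_line"]
    if USER_WRITABLE.search(parent):
        reasons.append("parent executable runs from a user-writable directory")
    if UPDATE_LURE.search(parent.rsplit("\\", 1)[-1]):
        reasons.append("parent name mimics a browser update")
    if EVASION_FLAGS.search(cmd):
        reasons.append("hidden window or execution-policy bypass switches")
    if DLL_LOAD.search(cmd):
        reasons.append("command line loads a DLL")
        if USER_WRITABLE.search(cmd):
            reasons.append("DLL path is in a user-writable directory")
    return reasons


# Assumed threshold: one indicator alone is noisy, two or more warrant a look.
SEVERITY_THRESHOLD = 2


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the events worth an analyst's attention, highest indicator count first."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= SEVERITY_THRESHOLD:
            hits.append({"pid": ev["pid"], "score": len(reasons), "reasons": reasons})
    return sorted(hits, key=lambda h: int(h["score"]), reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"pid {hit['pid']} score {hit['score']}:")
        for reason in hit["reasons"]:
            print(f"  - {reason}")
```

Run against the constructed events, only pid 2042 is returned, with all five indicators; the scheduled script and the interactive console session match none. The threshold keeps single, common signals (an administrator passing `-NoProfile`, say) from paging anyone, while the combination of a user-writable parent, an update-themed file name, hidden-window switches and a DLL load from a temp directory is rare enough in legitimate use to justify the isolation step the case study describes.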
Solution
NCC Group’s SOC analysts responded to this alert promptly and it was quickly triaged as a high priority. An initial notification was sent to the nominated customer contact. Concurrently, a more detailed investigation was initiated by a rapidly convened team of security and intelligence analysts.
Using Carbon Black they were able to quickly identify the source of the web shell and, more importantly, were able to identify what it was downloading.
At this stage, analysts took the decision to isolate the infected machine. This ensured that the second-stage malware could not be installed. This action contained the attack, eliminating the possibility of a more far-reaching impact or wider propagation.
Having nullified the immediate risk, the Threat Intelligence team carried out an investigation to identify the source of the malware. By performing malware analysis on the .dll file, they were able to identify the username of the individual who compiled the .dll.
Then, using open source investigation, they identified another piece of malware compiled by the same username. This file was a log sorter designed to work with a variety of information stealers, one of which would likely have been dropped as part of the second-stage malware infection.
The team was able to identify adverts on dark web forums for this log sorter. As a result, they also identified social media accounts, a telephone number, and an associated bitcoin wallet.
Ultimately, they were able to identify and observe a private chat group for users of the log sorter, limited to a group of 450 Russian-speaking threat actors.
Result
The customer was kept updated throughout the investigation phase, and a full debrief was given at the conclusion of the incident. Had the NCC Group SOC analysts not acted as decisively as they did, there is a very real chance that the malicious actor could have established a persistent and undetected flow of classified information.
This could have trickled out of the corporate network undetected indefinitely. Instead, the customer was given the reassurance that the attack was identified and contained. The detailed analysis and attribution also allowed the customer to adjust their defensive posture and deliver enhanced and targeted security awareness training to their staff. In short, the customer emerged unscathed and better positioned to repel similar attacks in the future.
"NCC Group identified, traced, and contained a potentially dangerous threat for an organization in the global commodities sector thanks to a fast-acting and intelligence-led response from NCC Group's Security Operations Center (SOC) analysts"