Case Study: Incident Response to a Nation-State Supply Chain Attack

07 June 2023

By NCC Group

Situation

NCC Group was approached by a customer who had noticed several suspicious connections originating from their network, destined for a customer of theirs. That downstream customer held many contracts with foreign governments, providing IT services and consulting.

Our customer believed they had contained the incident, but further investigation determined there was more to learn from the compromise before the actor was removed.

It was agreed that NCC Group would provide an EDR solution for the duration of the incident to help with detection and analysis. 

At a Glance

Organisation: Software development

Industry: IT/Technology

Challenge: A highly sophisticated threat actor had maintained elevated access over a considerable part of the environment for months.

Solution: NCC Group enabled the client to increase their visibility in the environment while tracking the threat actor's activity and reverse engineering their custom tooling, achieving a successful eradication outcome.

Results: The full extent of the compromise was identified, and the threat actor was successfully removed from the environment. The client improved their overall security posture and additional recommendations to further fortify the environment were provided, as well as additional reports to satisfy any enquiring authorities.

Challenge

Although their Linux estate was untouched, the actor was able to move through four different Windows domains with relative ease and had been on the network, undetected, for four months before the suspicious activity was noticed. There had been an attempt at containing the incident prior to NCC Group's involvement, but analysis of the network data found that a single host on the network was still communicating with a modular malware platform.

In order to move forward, it was going to be imperative to identify the tools used and trace the movements of this sophisticated threat actor. 

The customer had also been in contact with a national CERT and relied on our team to provide feedback on their behalf and share any indicators of compromise.


Solution

NCC Group identified several backdoors during the initial investigation, most notably ShadowPad.

The distribution of this particular remote access trojan is tightly controlled and is typically exclusive to China-based actors; the team later corroborated that attribution from the hours at which the actor was most active on the network.

Initial access was confirmed to have occurred months before NCC Group was contacted, via a vulnerable internet-facing server. The threat actor uploaded numerous web shells and then deployed Poison Ivy malware before moving laterally through the IT environment.

After consulting, the client asked the service team to implement an Endpoint Detection and Response (EDR) solution for the duration of the incident to help with alerting and analysis. Run in a passive, alert-only configuration rather than a blocking one, it made it possible to watch and dissect the actor's actions.

The EDR was also used to pull forensic triage data from hosts, so full disk images were only obtained where specifically required. In some cases comprehensive analysis was still necessary, such as when identifying patient zero's entry vector.

Result

Due to the complexities of the incident, NCC Group provided regular, daily updates to the client and their stakeholders. These reports clearly presented the details of the work done that day, new findings or activity, action items for the client, and the strategy for the following day.

At the end of the engagement, the customer received a full written report that included detailed accounts of evidence, event timelines, executive and technical summaries, and recommendations for specific security improvement based on the investigation.

In addition, our experts provided a customer-facing report in case third parties requested more information about the incident. It included an executive summary and a list of Indicators of Compromise (IOCs) to empower them to hunt in their own networks.
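The two hunting steps this case study describes, sweeping connection logs for the IOCs in the report and looking for the regular beaconing that betrayed the one host still talking to its malware platform after the first containment attempt, can be combined in a short script. The following is an added example, not NCC Group's tooling or any IOC from the engagement: the indicator values, host names and log lines are all constructed for illustration (RFC 5737 documentation addresses and a .invalid domain), and the log format is a hypothetical "timestamp source destination port bytes" line.

```python
"""Added example (not NCC Group's code): IOC sweep plus beacon detection over
constructed connection logs. All indicators, hosts and log lines are made up."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean

# Constructed indicator list in the shape a customer-facing report would carry.
# These are documentation addresses, not real ShadowPad or Poison Ivy infrastructure.
IOC_IPS = {"203.0.113.45"}
IOC_DOMAINS = {"update.example.invalid"}
IOC_NETWORKS = [ip_network("198.51.100.0/24")]

# Constructed proxy/firewall export: "timestamp src dst port bytes" (hypothetical format).
SAMPLE_LOG = """\
2023-03-01T09:00:04Z WS-017 203.0.113.45 443 1180
2023-03-01T09:00:09Z WS-022 192.0.2.10 443 5210
2023-03-01T09:05:00Z WS-044 192.0.2.77 443 512
2023-03-01T09:15:00Z WS-044 192.0.2.77 443 514
2023-03-01T09:25:01Z WS-044 192.0.2.77 443 511
2023-03-01T09:30:05Z WS-017 203.0.113.45 443 1176
2023-03-01T09:35:01Z WS-044 192.0.2.77 443 513
2023-03-01T10:00:03Z WS-017 203.0.113.45 443 1190
2023-03-01T10:12:44Z WS-031 update.example.invalid 443 880
2023-03-01T10:30:06Z WS-017 203.0.113.45 443 1181
2023-03-01T11:00:02Z WS-017 203.0.113.45 443 1177
2023-03-01T11:41:19Z SRV-DB01 198.51.100.77 8080 640
"""


def parse_log(text):
    """Turn the constructed log format into a list of dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes),
        })
    return records


def match_ioc(dst):
    """Return a reason string if the destination matches an indicator, else None."""
    if dst in IOC_DOMAINS:
        return "ioc-domain"
    try:
        addr = ip_address(dst)
    except ValueError:          # a hostname that is not on the list
        return None
    if dst in IOC_IPS:
        return "ioc-ip"
    for net in IOC_NETWORKS:    # CIDR indicators cover whole attacker ranges
        if addr in net:
            return f"ioc-network {net}"
    return None


def ioc_hits(records):
    """Unique (source host, destination, reason) triples that hit the IOC list."""
    hits = set()
    for r in records:
        reason = match_ioc(r["dst"])
        if reason:
            hits.add((r["src"], r["dst"], reason))
    return sorted(hits)


def beaconing_hosts(records, min_connections=4, max_jitter=0.1):
    """Flag source hosts that contact one destination at a near-constant interval.

    This is what catches a surviving implant whose C2 is NOT yet on the IOC list:
    the check is on timing, not on the destination value.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    flagged = {}
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Accept the pair as a beacon if every gap is within max_jitter of the mean.
        if avg > 0 and max(abs(g - avg) for g in gaps) / avg <= max_jitter:
            flagged[src] = {"dst": dst, "interval_s": round(avg), "count": len(times)}
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, dst, reason in ioc_hits(recs):
        print(f"IOC hit: {src} -> {dst} ({reason})")
    for src, info in beaconing_hosts(recs).items():
        print(f"Beacon: {src} -> {info['dst']} every ~{info['interval_s']}s x{info['count']}")
```

On the constructed data the IOC sweep flags three hosts, while the timing check also surfaces WS-044, which talks to an address that is not on the indicator list at all. That second path matters in a case like this one: a containment attempt based on known indicators alone leaves behind exactly the kind of single host that was found still beaconing here, so an IOC hunt should be paired with a behavioural sweep of the same logs.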

NCC Group

NCC Group exists to make the world safer and more secure.

As global experts in cyber security and risk mitigation, NCC Group is trusted by over 14,000 customers worldwide to protect their most critical assets from the ever-changing threat landscape.

Get started on your cyber security journey. 

Our experts are ready to help you stay ahead in a constantly changing threat landscape. Contact us today to learn more about what NCC Group can do for your organization's unique cyber security needs.