Unravelling the hijack of a major retailer’s diverse endpoints and network
It could have been something out of the “Old West”. A Threat Actor (TA) cleverly left a major European retailer’s cash registers running with just enough processing capability to keep working… and then, behind that working façade, the TA launched a major bitcoin-mining operation on the compromised network. The scale? Picture 3,000 shops, tens of thousands of employees (many of them working remotely), and a vast array of vulnerable endpoints.
Previously, the company’s main security operation relied on a traditional antivirus that piped its data into a SIEM. Because of the large volume of financial transactions, loss of server uptime was not an option. This constraint reduced the patching level on certain endpoints, exposing them to possible threats. The large number of remote employees posed a major security challenge, as monitoring and response capabilities for those endpoints were minimal or non-existent, a concern in both pre-attack and post-breach scenarios. The same issue was present on all off-site computers used in thousands of different stores.
Enter the TA’s customized malware, equipped with an SMBGhost (CVE-2020-0796) exploit to propagate autonomously across the entire infrastructure. The TA’s bitcoin-mining breach…
…TO BE CONTINUED… (DM for the full story).
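The propagation path named above, SMBGhost (CVE-2020-0796), is a flaw in SMBv3.1.1 compression handling, and the unpatched, always-on endpoints described in the story are exactly what an autonomously spreading worm needs. As an added defender-side example that is not part of the original post or the retailer’s tooling, the following PowerShell audits a Windows 10 host for exposure and can apply Microsoft’s documented workaround from advisory ADV200005 (disabling SMBv3 compression). It assumes it is run with administrator rights, that the affected builds are Windows 10 1903 (build 18362) and 1909 (build 18363), and the `-ApplyWorkaround` switch is a hypothetical parameter of this script, not a Windows feature.

```powershell
# Added example, not from the original post: audit a Windows 10 host for
# exposure to SMBGhost (CVE-2020-0796) and optionally apply Microsoft's
# ADV200005 workaround of disabling SMBv3 compression.
# Assumptions: run as administrator; affected builds are 18362 (1903) and 18363 (1909).

param(
    [switch]$ApplyWorkaround   # hypothetical switch: apply the registry workaround when exposed
)

$regPath        = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$affectedBuilds = @(18362, 18363)

# Current OS build, read from the registry so the script works on older PowerShell versions.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

# The workaround value is absent by default, so a missing key means compression is enabled.
$compressionDisabled = (Get-ItemProperty -Path $regPath -Name DisableCompression `
                            -ErrorAction SilentlyContinue).DisableCompression -eq 1

# Only hosts exposing the SMB server service can be reached by the server-side exploit.
$smbServerRunning = (Get-Service LanmanServer).Status -eq 'Running'

$affected = $affectedBuilds -contains $build
$exposed  = $affected -and $smbServerRunning -and -not $compressionDisabled

# One record per host; collect these from many endpoints to prioritise patching.
[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    Build               = $build
    AffectedBuild       = $affected
    SmbServerRunning    = $smbServerRunning
    CompressionDisabled = $compressionDisabled
    Exposed             = $exposed
}

if ($ApplyWorkaround -and $exposed) {
    # Per ADV200005 this takes effect immediately; no reboot is required.
    Set-ItemProperty -Path $regPath -Name DisableCompression -Type DWORD -Value 1 -Force
    Write-Output "SMBv3 compression disabled on $env:COMPUTERNAME; apply the March 2020 security update as the permanent fix."
}
```

Run it as `.\Check-SmbGhost.ps1` to report, or `.\Check-SmbGhost.ps1 -ApplyWorkaround` to mitigate. The registry workaround only protects the SMB server side of a host and is a stopgap for systems whose uptime constraints delay patching; the March 2020 security update for CVE-2020-0796 is the actual fix, and hosts that stay on affected builds without it should remain on the watch list.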