True digital crime E01Pt04: Response

Part 4 - unravelling the hijack hack of a major retailer’s diverse endpoints and network.

Cont’d from Part 3

The Twins

They called themselves “T1” and “T2”. The many-times-repeated family story centered on their grandfather. One day he arrived at the house with twin t-shirts. One tee had T1 and the other tee had T2 on the front. And then the nicknames just stuck through school and beyond. While T1 and T2 were highly similar people, they recognized early on that they had a true left-brain right-brain difference in their thinking. And while some might see that as a divide, it actually brought them together on problem-solving.

Pat didn’t surprise them when asking for a double shift — their specialty. T1 went high. T2 went low.

T1

T1 used data coming in from T2 and others to put together the high-level picture and action plan. T1 followed the breadcrumb trail back to a series of phishing emails that had come from certain employees' accounts. T1 soon recognized that those employees were unwitting victims. In fact, their personal credentials were part of a previous data leak. Attackers reused the passwords from the leak on the respective corporate email accounts. They kept trying until they got "in".

The attackers infected all phished computers with a self-replicating coin miner that spread through the network in a matter of hours. Internal emails fanned out to phish other users, including one IT administrator. That IT admin's machine was compromised with custom malware and used to move laterally to different servers. The team discovered a custom Python backdoor on that IT admin's system. Not surprisingly, they also discovered a custom backdoor on infected servers. The backdoor facilitated persistence on the network, and the attackers used it to monitor and expand their activities.

T2

T2 started by identifying infected machines… and noted that the local antivirus was not detecting the malware. T2’s first strategy was to briefly isolate a small set of infected machines… remediate… then watch for lateral movement and re-infection. With that data in hand, T2 created a Detection Strategy (or in ReaQta, abbreviated to “DeStra”). 
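The isolate-remediate-watch loop described above can be expressed as a plain detection function over endpoint telemetry. The block below is an added example written for this page; it is not ReaQta's DeStra logic or any product code. Every hostname, process image name, port list and timestamp in it is constructed for illustration: a small set of hosts is marked as remediated at a given time, and only telemetry after that time is examined for two signals, the miner image reappearing (re-infection) and the remediated host opening connections to other endpoints on ports commonly used for lateral movement.

```python
"""Watch for re-infection and lateral movement after isolate-and-remediate.

Added example, not product code. Hosts, process names, ports and timestamps
are all constructed; MINER_IMAGES stands in for whatever the incident's
actual indicators were.
"""
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str    # "process" (detail = image name) or "netconn" (detail = "dst:port")
    detail: str

# Constructed indicator set for the coin miner seen in the story.
MINER_IMAGES = {"xmrig.exe", "kworkerds"}
# Ports that a freshly cleaned endpoint has no business initiating to peers.
LATERAL_PORTS = {135, 445, 3389, 5985}

# Remediation completion time per host (constructed).
REMEDIATED = {
    "POS-017": datetime(2022, 6, 4, 10, 0),
    "POS-018": datetime(2022, 6, 4, 10, 5),
    "WS-IT-02": datetime(2022, 6, 4, 10, 10),
}

# Constructed telemetry, deliberately unsorted and including pre-remediation noise.
SAMPLE_EVENTS = [
    Event(datetime(2022, 6, 4, 9, 30), "POS-017", "process", "xmrig.exe"),     # before cleanup
    Event(datetime(2022, 6, 4, 10, 31), "POS-017", "netconn", "POS-019:445"),  # after cleanup
    Event(datetime(2022, 6, 4, 10, 30), "POS-017", "process", "XMRig.exe"),    # miner is back
    Event(datetime(2022, 6, 4, 10, 40), "POS-018", "process", "explorer.exe"),
    Event(datetime(2022, 6, 4, 10, 45), "POS-018", "netconn", "POS-021:3389"),
    Event(datetime(2022, 6, 4, 9, 55), "WS-IT-02", "netconn", "POS-020:3389"), # before cleanup
    Event(datetime(2022, 6, 4, 10, 50), "WS-IT-02", "process", "outlook.exe"),
]

def detect(events, remediated):
    """Return (reinfected_hosts, lateral_moves) from post-remediation telemetry.

    reinfected_hosts: set of hosts where a miner image ran again after cleanup.
    lateral_moves: list of (src_host, dst_host, port) in timestamp order.
    """
    reinfected = set()
    lateral = []
    for e in sorted(events, key=lambda ev: ev.ts):
        done = remediated.get(e.host)
        if done is None or e.ts <= done:
            continue  # not in the watched set, or predates its cleanup
        if e.kind == "process" and e.detail.lower() in MINER_IMAGES:
            reinfected.add(e.host)
        elif e.kind == "netconn":
            dst, port = e.detail.rsplit(":", 1)
            if int(port) in LATERAL_PORTS and dst != e.host:
                lateral.append((e.host, dst, int(port)))
    return reinfected, lateral

def hosts_to_reisolate(events, remediated):
    """Hosts that should go back into isolation: re-infected or moving laterally."""
    reinfected, lateral = detect(events, remediated)
    return reinfected | {src for src, _, _ in lateral}

if __name__ == "__main__":
    bad, moves = detect(SAMPLE_EVENTS, REMEDIATED)
    print("re-infected:", sorted(bad))
    print("lateral:", moves)
    print("re-isolate:", sorted(hosts_to_reisolate(SAMPLE_EVENTS, REMEDIATED)))
```

The pre-remediation filter is the important design choice: the same miner process on the same host means something different before and after cleanup, and a rule that ignores the timestamp will keep re-alerting on history instead of telling you whether the remediation held. In a real deployment the port list would be replaced by a baseline of which endpoint-to-endpoint connections are normal for that estate.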

T2’s second step was to develop a playbook to clean up infected remote employee computers. Of course, this had additional complications. Their connections to the C2 could not be severed. And, like a boomerang, the remote-working VPN was also a facilitator of re-infection. 

Like an orchestra conductor, T2 deployed the ReaQta playbook of sequenced actions to briefly isolate and remediate systems. On the retail façade side of things, it was barely noticeable. The big weekend sale probably helped. There were brief moments of eye-rolling at the registers when a “System Busy” box appeared for a few seconds then disappeared. Most people – employees and customers – just figured that the system was being overloaded by transactions. 

After 16 hours, T1 and T2 wrapped and reported to Pat. Then they bounced out the door. They couldn’t agree on what to order in for dinner. As they exited, they already were down to three options. They settled on all three dishes to ensure leftovers. Pat grinned.

Pat

24 hours after receiving the client’s call… Pat convened a project review meeting with the client. Pat opened the meeting with a big smile and said, “I have good news!”

Did you know this outrageous cybersecurity statistic? In 2021 alone, companies in Canada, the US and elsewhere paid out almost $USD 1.2 billion in ransom. And did you know that, meanwhile, companies protected by ReaQta have NEVER been breached and have paid ZERO ransom dollars? It's true. Whether it’s “Black Basta” or any other ransomware-as-a-service attack, IBM’s ReaQta can protect your company’s endpoints. We’d love to meet with your company’s endpoint cybersecurity professionals. Please contact me for more information – or make a LinkedIn introduction to your colleagues. Let’s start a conversation.

*******

About ReaQta

ReaQta was founded by an elite team of offensive and defensive cybersecurity experts as well as AI researchers. Combining these fields of expertise, the ReaQta team built a powerful Active Defense Intelligent Platform. 

Our solution provides clients with advanced detection and response capabilities, without requiring additional or highly skilled personnel. This innovative approach applies the latest AI algorithms to automate and simplify the process of detecting and handling new threats.

On this single, highly integrated AI-powered Endpoint Defense Platform, our clients gain flexibility and speed in performing complex analyses that were previously only possible with large, highly specialized teams. It is a dynamic approach that doesn't just protect organizations in the here and now, but also far into the future. 

With ReaQta, businesses are empowered to pursue growth and ambition fearlessly.

True Digital Crime E01Pt01: Façade

True Digital Crime E01Pt02: Insiders

True Digital Crime E01Pt03: +8 hours