High-Profile Corporation Breach Requires Mandiant’s Investigative Expertise
One of Asia’s oldest financial services providers was breached and required assistance. The bank’s staff discovered that a suspicious login had enabled unrestricted access to thousands of systems across the enterprise. Based on Mandiant’s global reputation for advanced threat response, the bank retained Mandiant to assist with an internal investigation.
- Three familiar malware families identified: whiteout, slimdown, and nestegg
- Renewed attacker activity stopped via ACLs two weeks after the initial breach
- An aggressive remediation plan developed, covering short-, medium-, and long-term timeframes
96 Systems Breached by Attackers Using Trusted Business Relationships
On “D” Day—discovery day—the bank’s staff was unable to access a domain controller—a server that responds to security authentication requests within a Windows Server domain. An internal investigation discovered a breach, and the organization knew it needed assistance.
Mandiant Incident Response services help organizations evaluate whether they have been compromised by advanced attack groups and determine whether criminals are still active within the environment. Drawing on experience gained over thousands of investigations, the Mandiant experts recognized that this breach followed a very familiar pattern.
The attackers leveraged a subsidiary’s genuine enterprise management tool, one used by the bank’s own IT staff, to blend into the bank’s environment, which made it difficult to differentiate malicious behaviours from legitimate activities.
The Mandiant team confirmed the presence of breach artifacts on 96 systems—26 servers and 70 workstations—and 30 systems were found to have active malware running at the time of investigation.
Backdoors revealed, targeted advanced malware attack blocked
The Mandiant Incident Response team recovered numerous advanced malware samples that blended in with commonly installed utilities on the bank’s systems.
A spokesperson noted, “The Mandiant team’s analysis of the remaining malware samples showed that the attackers had utilized encryption, anti-forensics, and other sophisticated techniques to permit their malware to operate in a manner that evaded detection by the bank’s security infrastructure.”
Analysis of the backdoors revealed that they contained hardcoded IP addresses for the bank’s web proxy devices, along with compromised credentials that permitted the attackers to establish communications with their Command and Control (C2) infrastructure through those proxies. The degree of customization in the malware left no doubt that this was a targeted attack and that the bank was an explicitly chosen victim.
Within a couple of days of the Mandiant Incident Response engagement starting, the bank deployed measures that successfully blocked access to the attackers’ C2 infrastructure. In addition, communication between the subsidiary and the bank was halted to mitigate any further lateral movement attempts by the perpetrators.
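Backdoors that reach their C2 servers through the corporate web proxy with stolen credentials leave two traces in the proxy’s access logs: successful connections to the C2 destinations, and a single set of credentials appearing from several internal hosts at once. The script below is an added example of triaging proxy logs for both signals and producing the list of destinations to deny; it is not Mandiant’s or the bank’s tooling. The log format, the host names, the user names and the C2 blocklist are all constructed placeholders, not indicators from this investigation.

```python
"""Proxy-log triage for backdoors that tunnel C2 traffic through a corporate
web proxy using stolen credentials.

Added example, not Mandiant's or the bank's code. The log format, user names,
destination hosts and blocklist below are constructed for illustration only.
"""
import re
from collections import defaultdict

# Constructed sample log. Assumed simplified format, one request per line:
#   <timestamp> <client_ip> <proxy_user> <dest_host>:<port> <http_status>
# The 407 on the last line is a failed proxy authentication, not a success.
SAMPLE_PROXY_LOG = """\
2023-05-01T08:01:10Z 10.20.1.15 svc_mgmt  update.example-cdn.test:443 200
2023-05-01T08:02:44Z 10.20.1.15 svc_mgmt  c2-placeholder.test:443 200
2023-05-01T08:03:01Z 10.20.7.201 svc_mgmt  c2-placeholder.test:443 200
2023-05-01T08:03:30Z 10.20.3.9  jsmith    intranet.example.test:80 200
2023-05-01T08:04:12Z 10.20.9.44 svc_mgmt  c2-placeholder.test:443 407
"""

# Constructed placeholder: in practice this comes from the investigation's IoCs.
C2_BLOCKLIST = {"c2-placeholder.test"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<dest>[^:\s]+):(?P<port>\d+)\s+(?P<status>\d{3})$"
)


def parse_proxy_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def find_c2_connections(records, blocklist):
    """Successful (non-4xx/5xx) proxy requests to a blocklisted destination."""
    return [r for r in records if r["dest"] in blocklist and r["status"] < 400]


def find_shared_credentials(records, max_sources=1):
    """Proxy accounts seen from more internal hosts than a single user should
    occupy. A hardcoded credential reused by a backdoor on many machines
    shows up here even before the C2 destination is known."""
    sources = defaultdict(set)
    for r in records:
        sources[r["user"]].add(r["src"])
    return {u: sorted(s) for u, s in sources.items() if len(s) > max_sources}


def proposed_acl_denies(c2_hits):
    """Distinct destination hosts to deny at the proxy or egress ACL."""
    return sorted({r["dest"] for r in c2_hits})


def triage(text, blocklist):
    """Run all checks over a log and return the findings in one dict."""
    records = parse_proxy_log(text)
    hits = find_c2_connections(records, blocklist)
    return {
        "c2_hits": hits,
        "shared_credentials": find_shared_credentials(records),
        "acl_denies": proposed_acl_denies(hits),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_PROXY_LOG, C2_BLOCKLIST)
    for hit in result["c2_hits"]:
        print(f"C2 hit: {hit['src']} as {hit['user']} -> {hit['dest']}")
    for user, hosts in result["shared_credentials"].items():
        print(f"credential {user} used from {len(hosts)} hosts: {hosts}")
    print("deny at egress:", result["acl_denies"])
```

On the constructed sample, the two successful requests to the blocklisted host are reported, the failed 407 attempt is not, and the shared-credential check flags `svc_mgmt` from three hosts, including the one whose C2 attempt failed, which is why it is worth running the credential check independently of the blocklist.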
Renewed access re-blocked, tactics recorded to prevent future attacks
Two weeks after the initial attacks, Mandiant identified renewed activity. One of the bank’s trusted providers investigated how the attackers regained entry, and immediately corrected and re-blocked the access.
The attackers retreated once they realized that the bank was tracking their activity, uncovering backdoors, and eradicating the threat. Mandiant constructed an aggressive remediation plan—covering short-term, medium-term, and long-term timeframes—and provided guidance and supervision for external vendors involved in the detailed plan.
The threat actors’ capabilities indicated that they were a well-funded, highly organized group. The Mandiant team found no evidence to suggest the involvement of bank personnel or its extended staff. Profiles and characteristics of the tactics and techniques used by the attackers were uploaded to Mandiant’s global Advanced Threat Response Centers to further enhance its threat intelligence for the future.
More About Company
One of Asia’s oldest and most-trusted financial services providers
An established and profitable financial services provider in Asia, the bank offers a wide range of banking and financial products and services for both retail and corporate clients. It is a high-profile corporation with trusted subsidiary partners, which led to it being targeted in a professionally orchestrated malware attack.