June 16, 20120
Case: Banking & Finance
Location: South East Asia
Brief: RP-DS was contacted by a bank to investigate a suspected data breach. The engagement was triggered by a security alert raised by the bank's corporate IT department and traced to a single corporate computer in the bank's South East Asia regional office. The user of that computer appeared to have attempted to reach restricted areas of the corporate network for which he had not been granted access, and several failed-login alerts had also originated from the same machine.
Procedures: RP-DS was onsite within 24 hours and began the investigation. Our first step was to forensically image the disk of the suspect's workstation and to capture a live image of its memory. Onsite response work revealed the truth: outside forces were at work. Because time was of the essence in tracking down the source of the breach, we additionally imaged the local office's servers, which revealed how far the malware had spread. We then traced the malware's point of entry. Our remediation and clean-up operation closed the security loopholes the malware had exploited, after which every infected computer on the bank's network was verified to be free of the malware and of related security issues.
Outcome: The evidence gathered indicated that a mainland China-based operation had targeted the bank. The attackers had created previously unseen ("zero-day") malware that neither the bank's security controls nor its antivirus software could detect. This malware gave the attackers their initial access to the computer in question, and the evidence showed that it was coded to log every password entered on that computer.
When administrators logged on to the initial machine to investigate the source of the alert, their passwords were captured by that keylogging component: a privileged interactive logon to a compromised host hands those credentials to the attacker. Further investigation showed that the password-logging software and the malware had then spread to the bank's corporate servers using the captured administrator passwords.
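The sequence described above (a burst of failed logons from one workstation, an administrator logging on to that workstation to investigate, and the same administrator account then appearing on servers with the workstation as the source) is a pattern a detection engineer would want to catch while the compromise is still confined to one host. The following is an added example, not RP-DS's tooling or anything recovered in the case: a hypothetical correlation run over constructed authentication events in a simple key=value format. The host names, account names, the "admin." naming convention used to recognise privileged accounts and the thresholds are all assumptions.

```python
"""Correlate failed-logon bursts, a following admin logon to the same host,
and later use of that admin account elsewhere sourced from that host."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample events for this example; not real logs from the case.
SAMPLE_LOGS = """\
2010-06-10T09:01:12 host=WS-SEA-017 user=jsmith result=FAIL type=network target=FILESRV-01
2010-06-10T09:01:40 host=WS-SEA-017 user=jsmith result=FAIL type=network target=FILESRV-01
2010-06-10T09:02:05 host=WS-SEA-017 user=jsmith result=FAIL type=network target=HR-DB
2010-06-10T09:02:30 host=WS-SEA-017 user=jsmith result=FAIL type=network target=HR-DB
2010-06-10T09:03:11 host=WS-SEA-017 user=jsmith result=FAIL type=network target=FILESRV-01
2010-06-10T09:10:00 host=WS-SEA-042 user=mchan result=FAIL type=interactive
2010-06-10T09:11:00 host=WS-SEA-042 user=mchan result=FAIL type=interactive
2010-06-10T09:11:30 host=WS-SEA-042 user=mchan result=OK type=interactive
2010-06-10T10:15:00 host=WS-SEA-017 user=admin.lee result=OK type=interactive
2010-06-10T10:47:22 host=FILESRV-01 user=admin.lee result=OK type=network src=WS-SEA-017
2010-06-10T11:02:09 host=HR-DB user=admin.lee result=OK type=network src=WS-SEA-017
2010-06-10T12:00:00 host=DC-01 user=admin.lee result=OK type=interactive
"""

FAIL_THRESHOLD = 3                  # failures needed to call a host "noisy"
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window
ADMIN_WINDOW = timedelta(hours=24)   # admin logon to the noisy host counts if within this
SPREAD_WINDOW = timedelta(hours=24)  # later use of the same admin account elsewhere


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    result: str
    kind: str
    src: Optional[str]


def parse(log_text: str) -> List[Event]:
    """Parse 'timestamp key=value ...' lines into Events, sorted by time."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append(Event(
            ts=datetime.fromisoformat(ts_str),
            host=fields["host"],
            user=fields["user"],
            result=fields["result"],
            kind=fields.get("type", "network"),
            src=fields.get("src"),
        ))
    return sorted(events, key=lambda e: e.ts)


def is_admin(user: str) -> bool:
    # Assumption for this example: privileged accounts carry an "admin." prefix.
    return user.startswith("admin.")


def noisy_hosts(events: List[Event]) -> Dict[str, datetime]:
    """Hosts with >= FAIL_THRESHOLD failed logons inside FAIL_WINDOW.
    Returns host -> timestamp of the first failure in the qualifying burst."""
    by_host = defaultdict(list)
    for e in events:
        if e.result == "FAIL":
            by_host[e.host].append(e.ts)
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= FAIL_WINDOW:
                j += 1
            if j - i + 1 >= FAIL_THRESHOLD:
                flagged[host] = times[i]
                break
    return flagged


def credential_exposure(events: List[Event]) -> List[dict]:
    """For each noisy host, find admin interactive logons to it after the burst,
    then logons by that same admin account on other hosts sourced from it."""
    findings = []
    for host, burst_start in noisy_hosts(events).items():
        admin_logons = [
            e for e in events
            if e.host == host and e.result == "OK" and e.kind == "interactive"
            and is_admin(e.user) and burst_start <= e.ts <= burst_start + ADMIN_WINDOW
        ]
        for a in admin_logons:
            spread = [
                e for e in events
                if e.user == a.user and e.result == "OK" and e.host != host
                and e.src == host and a.ts < e.ts <= a.ts + SPREAD_WINDOW
            ]
            findings.append({
                "suspect_host": host,
                "admin_account": a.user,
                "admin_logon": a.ts.isoformat(),
                "lateral_targets": [e.host for e in spread],
            })
    return findings


if __name__ == "__main__":
    for f in credential_exposure(parse(SAMPLE_LOGS)):
        print(f)
```

The two-failure host WS-SEA-042 and the admin logon to DC-01 (no source host recorded) are deliberately present as decoys: the first never meets the threshold, and the second is not attributed to the suspect workstation, so neither produces a finding. In a real estate the source field would come from the authentication log of the target server, and the admin-account test would be replaced by a lookup against the directory's privileged groups.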
Further investigation showed that, in effect, passwords for the entire bank had been stolen, giving the attacker free access to all data on the bank's corporate network. The proximate cause and the point of entry of the breach were identified, and RP-DS immediately carried out remediation work to clean up the malware and close the security holes.