Incident Response to a Cryptocurrency Attack
Fortunately, companies like IntaForensics provide a comprehensive and robust Incident Response programme, designed to investigate and remediate incidents of cyber-crime and protect their business against future attacks. In this week’s blog piece, we will walk you through a recent incident response case from our cyber security services. This will highlight the type of attacks companies can fall victim to and our process to remedy this.
IntaForensics was recently contacted by a medium-sized company that had identified suspicious activity in their network and wanted assistance in confirming if an incident had occurred. An immediate call was arranged with the client to ascertain what was already known and offer initial advice to the company.
Upon engagement we started by gathering evidence. IntaForensics acquired data from the Linux virtual server where the suspect activity had occurred and requested additional logging from the Intrusion Detection System (IDS) and other potentially relevant cloud services.
The client originally identified a possible issue when their IDS flagged a connection from within their network to a suspicious URL. An IDS is a device or application that monitors networks and systems for malicious activity. The IDS highlighted the URL as a known cryptocurrency mining domain.
Stage 1: Initial Findings
The first step in the analysis stage was to review the initial findings by the client from the IDS log. This showed a connection to a known domain relating to a miner named ‘XMRig’. The log also highlighted where the request originated from (the acquired Linux server).
Once we knew the potential mining tool in use, it provided the investigation with direction, as attackers tend to use similar attack methodologies. From a cyber criminal’s perspective, if it works, why change it? The ‘tmp’ directory is often used in these types of attacks, and upon inspection of this location, the mining tool XMRig was identified. This is an open-source application used to mine Monero cryptocurrency and was used legitimately by the client. A configuration file and log file were also present, detailing the successful mining which had taken place, along with the time stamps, mining pools used and encryption settings.
Multiple tools and investigation processes were run over the data set to ensure no other malware was present. These scans identified further malicious files, which were later confirmed as illicit following a manual review. The files included malware designed to enable remote command execution, which could provide an attacker with remote access to the entire server. Further analysis checks were also completed, but no additional findings were discovered.
Stage 2: Log Analysis
The next step of the analysis stage involved conducting log analysis. This started with the time stamps identified from the IDS log and the metadata associated with the malicious files. The review consisted of various logs including bash history, application logging, IDS logs and other cloud-based event logging. The analysis assisted in building the timeline of activity; however, due to limited log coverage (a common occurrence), the full picture wasn’t available from the evidence provided.
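The following is an added illustration (not code from the IntaForensics engagement) of the two analysis steps above: reading the pool hosts out of an XMRig-style config file found in a temp directory, then correlating IDS connections to those hosts with the modification times of the artefacts to build a single timeline. The config keys follow XMRig's published config.json layout; all hostnames, timestamps, paths and the wallet string are constructed sample values.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample data (not from the case): an XMRig-style config.json as
# found in a temp directory, IDS alert lines, and artefact metadata from the host.
XMRIG_CONFIG = json.dumps({
    "pools": [{"url": "pool.example-miner.invalid:3333",
               "user": "4ExampleWalletAddress", "pass": "x", "tls": False}],
})
IDS_LOG = """\
2023-03-14T09:12:05Z ALERT host=10.0.0.25 dst=pool.example-miner.invalid:3333 sig=crypto-mining-pool
2023-03-14T09:12:07Z INFO host=10.0.0.25 dst=updates.example.invalid:443 sig=none
2023-03-15T02:41:30Z ALERT host=10.0.0.25 dst=pool.example-miner.invalid:3333 sig=crypto-mining-pool
"""
FILE_METADATA = [  # (path, mtime as ISO-8601 UTC), as collected with `stat` on the server
    ("/tmp/.x/xmrig", "2023-03-14T09:11:40Z"),
    ("/tmp/.x/config.json", "2023-03-14T09:11:52Z"),
]

IDS_RE = re.compile(r"^(\S+) (\w+) host=(\S+) dst=(\S+) sig=(\S+)$")

def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used by both data sources."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def pool_hosts(config_text):
    """Return the mining pool hostnames declared under XMRig's "pools" key."""
    cfg = json.loads(config_text)
    return {p["url"].rsplit(":", 1)[0] for p in cfg.get("pools", []) if "url" in p}

def build_timeline(config_text, ids_log, file_metadata):
    """Merge IDS connections to the configured pools with artefact mtimes, sorted by time."""
    hosts = pool_hosts(config_text)
    events = []
    for line in ids_log.splitlines():
        if not (m := IDS_RE.match(line)):
            continue  # skip lines that do not match the expected IDS format
        ts, _, src, dst, sig = m.groups()
        if dst.rsplit(":", 1)[0] in hosts:  # only connections to the configured pools
            events.append((parse_ts(ts), "ids", f"{src} -> {dst} ({sig})"))
    for path, mtime in file_metadata:
        events.append((parse_ts(mtime), "file", f"modified {path}"))
    return sorted(events)  # tuples sort by timestamp first

if __name__ == "__main__":
    for when, kind, what in build_timeline(XMRIG_CONFIG, IDS_LOG, FILE_METADATA):
        print(when.isoformat(), kind, what)
```

With the sample data the artefacts are written seconds before the first pool connection, which is the kind of ordering that anchors the start of the timeline when bash history or application logs have already rolled over.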
A vulnerability scan was performed against the server in question to assist in determining the root cause of the incident. This server was running a publicly accessible platform which was used by staff and thus was accessible over the internet. The scan identified a vulnerability within this platform. Open-source intelligence was used to confirm this vulnerability had been previously linked to this known attack and thus it is believed this vulnerability was exploited to gain unauthorised access to the server.
Stage 3: Containment and Recovery
Our investigation then moved into the containment and recovery stage. This is where the client was given security measures to contain the immediate incident and address the identified vulnerabilities. Upon discovery, the client was informed of the malicious files previously mentioned and advised to secure their urgent removal. The client was instructed to update the vulnerable application to address the security hole identified and to install anti-malware software on the server.
It is a common misconception that anti-virus software is not needed on non-Windows operating systems. This is incorrect, as we routinely see breaches affecting Linux environments. Regular external testing (e.g., penetration testing and vulnerability scanning) was also recommended to the client. Further recommendations, designed to minimise any future risk, were also provided as part of the investigation.
Stage 4: Reporting
The final stage of the process was the reporting stage. This is where we formally detailed the steps taken, along with the findings of the investigation. This stage also consists of a ‘lessons learnt’ section, to enable the client to reflect on the incident and consider any additional suggestions made. In this case, our investigation emphasised the need to extend logging retention, the importance of patching and a critical review of the client’s initial response.
Upon completion of our investigations, we always aim to ensure that our clients are in a better security standing than prior to our engagement, and most importantly, do not fall prey to further attacks.
IntaForensics provides a comprehensive range of cyber security services designed to prevent, monitor, and respond to security breaches.
We boast a team of 50 cyber security and digital forensic experts and a growing market presence. Our consultants will be able to assist with all digital forensic investigations, PCI DSS PFI and QSA, Cyber Security and Incident Response.
Quality underpins everything we do, and we are proud to be UKAS 17025:2017 accredited and ISO/IEC 27001:2013, ISO 9001:2015 and ISO 14001:2015 certified.
To find out more about our services Tel: 02477 717 780 to speak with a member of our team or fill-in our online contact form.