
How small businesses are not immune to sophisticated cyber threats.

Nicolas (CEO, Security Engineer) | 10 minutes | Case Study

Engagement

We were contacted by Alain, the IT director of a local construction firm, who asked for our help following a suspected security incident. He stated that his team lacked the skills and resources to determine the scope of the supposed breach.

The customer's main concerns were damage to the hosts' operating systems, the interruption of their operations, and the leaking of confidential data such as drawings or quotes from suppliers.

Information Gathering

We dispatched two security analysts to conduct a preliminary on-site assessment and to interview the CEO and the IT director who had contacted us. During the interview, we attempted to reconstruct the incident timeline. It all apparently started when the CEO received and opened an email that appeared to come from a long-standing and trusted contractor.

The CEO noted that while the email felt atypical, the sender's identity looked legitimate. We confirmed this technically: the message had been sent through the supplier's own email system and carried a valid DKIM signature. That is worth dwelling on, because DKIM only proves that the signing domain's mail infrastructure handled the message; it says nothing about whether the person named in the From: header actually wrote it. The email mentioned an invoice requiring prompt review, delivered inside a ZIP archive. Neither the company's email security filters nor the anti-virus on the CEO's host flagged it.
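To make that point concrete, here is an added example (not code from the original engagement) that reads the Authentication-Results header an inbound mail gateway stamps on a message and checks whether the DKIM signing domain is aligned with the From: domain. The two messages it inspects are constructed for the example; `supplier.example`, `bulk-mailer.example` and `example-construction.ch` are placeholder domains.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Two constructed messages (not the CEO's email). Domains are placeholders.
# First: the supplier's own mail system relayed and signed the lure, so every check passes.
SIGNED_BY_SUPPLIER = b"""\
Authentication-Results: mx.example-construction.ch;
 spf=pass smtp.mailfrom=supplier.example;
 dkim=pass header.d=supplier.example header.s=sel1;
 dmarc=pass header.from=supplier.example
From: Accounting <accounts@supplier.example>
To: ceo@example-construction.ch
Subject: Invoice 0117 - prompt review required

Please find the invoice attached.
"""
# Second: a valid DKIM signature, but from an unrelated domain that does not match From:.
SIGNED_BY_LOOKALIKE = b"""\
Authentication-Results: mx.example-construction.ch;
 spf=pass smtp.mailfrom=bulk-mailer.example;
 dkim=pass header.d=bulk-mailer.example header.s=k1;
 dmarc=fail header.from=supplier.example
From: Accounting <accounts@supplier.example>
To: ceo@example-construction.ch
Subject: Invoice 0117 - prompt review required

Please find the invoice attached.
"""

# method=result followed by its property list, e.g. "dkim=pass header.d=x header.s=y"
METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)((?:\s+[\w.]+=[^\s;]+)*)")
PROP_RE = re.compile(r"([\w.]+)=([^\s;]+)")


def parse_authentication_results(value):
    """Map each method to (result, properties) from one Authentication-Results header."""
    return {m: (res.lower(), dict(PROP_RE.findall(props)))
            for m, res, props in METHOD_RE.findall(str(value))}


def assess(raw):
    """Decide whether the From: domain itself vouched for the message (aligned DKIM pass).

    Trust this header only when your own gateway added it: any Authentication-Results
    header already present on an inbound message may have been forged by the sender.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    results = parse_authentication_results(msg["Authentication-Results"] or "")
    dkim_result, dkim_props = results.get("dkim", ("none", {}))
    signing_domain = dkim_props.get("header.d", "").lower()
    from_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    aligned = dkim_result == "pass" and signing_domain == from_domain
    return {
        "from_domain": from_domain,
        "dkim": dkim_result,
        "dkim_domain": signing_domain,
        "spf": results.get("spf", ("none", {}))[0],
        "dmarc": results.get("dmarc", ("none", {}))[0],
        "aligned": aligned,
        # An aligned pass proves the From domain's infrastructure signed the message.
        # It says nothing about whether the account or server behind it was still under
        # the supplier's control, which is exactly the situation in this case study.
        "verdict": ("aligned DKIM pass: the From domain's own mail system signed this message"
                    if aligned else
                    "no aligned DKIM pass: the From domain did not vouch for this message"),
    }


if __name__ == "__main__":
    for name, raw in (("supplier", SIGNED_BY_SUPPLIER), ("lookalike", SIGNED_BY_LOOKALIKE)):
        print(name, assess(raw))
```

The first sample is what the CEO's email would have looked like: an aligned pass, so the check cannot tell it apart from a genuine invoice. The second shows why alignment matters at all: a signature from an unrelated domain is valid DKIM but proves nothing about the supplier.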

When opened, the document failed to render correctly and froze the PDF reader. The file was then forwarded to a secretary, who ran into the same problem. At that stage the incident was put down to a corrupted file rather than to malicious activity.

The plot thickened when the CEO and his secretary called the contractor to ask about the invoice. The contractor confirmed they had sent no such email, which revealed the message to be a sophisticated cyber attack.

Technical Investigation & Findings

Following the initial report, we immediately advised the client to isolate the CEO's workstation to contain the potential threat. Our subsequent forensic analysis revealed a multi-stage compromise:

  • The PDF file contained a malicious payload acting as a first-stage dropper.
  • This dropper established a connection to a command-and-control (C2) server through the Tor network, then downloaded and executed a second-stage payload.
  • The malware achieved persistence by writing itself to multiple locations within the operating system.
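As an added example, not the tooling used in this engagement, here is the static triage a responder can run on a suspect PDF before detonating it: it counts the name tokens that turn a document into an execution vector, undoes the hex-escape trick attackers use to hide them from string matching, and also looks inside FlateDecode streams, where such objects are often tucked away. The two documents it scans are constructed for the example.

```python
import re
import zlib

# PDF name tokens that let a document trigger code or carry a payload. Presence is a
# triage signal, not proof of malice (forms legitimately use /JavaScript), and absence
# is not a clean bill either: a dropper can sit in a stream this scanner cannot inflate.
SUSPICIOUS_NAMES = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
                    b"/EmbeddedFile", b"/RichMedia", b"/ObjStm", b"/URI")
AUTO_TRIGGER = {"/OpenAction", "/AA"}
ACTIVE_CONTENT = {"/JavaScript", "/JS", "/Launch", "/EmbeddedFile", "/RichMedia"}

HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# "stream" not preceded by a letter, so the "stream" inside "endstream" is not matched
STREAM_RE = re.compile(rb"(?<![a-z])stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data):
    """Undo PDF name hex escapes (/Java#53cript -> /JavaScript), a common evasion."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Return the content of every stream that inflates as FlateDecode.

    Streams that are not Flate (images, fonts, other filters) or are damaged are skipped.
    """
    parts = []
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(parts)


def triage_pdf(data):
    """Count suspicious names on the file surface and inside inflated streams, then classify."""
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF: missing %PDF header")
    surface = normalize_names(data)
    hidden = normalize_names(inflate_streams(data))
    indicators = {}
    for name in SUSPICIOUS_NAMES:
        token = re.compile(re.escape(name) + rb"(?![A-Za-z])")  # /JS must not match /JSx
        n = len(token.findall(surface)) + len(token.findall(hidden))
        if n:
            indicators[name.decode()] = n
    auto = bool(AUTO_TRIGGER.intersection(indicators))
    active = bool(ACTIVE_CONTENT.intersection(indicators))
    if auto and active:
        verdict = "auto-executing active content: detonate in a sandbox, do not open"
    elif active:
        verdict = "active content present: review before opening"
    else:
        verdict = "no execution indicators found"
    return {"indicators": indicators, "auto_trigger": auto,
            "active_content": active, "verdict": verdict}


# Constructed samples (not the file from the engagement): a lure whose catalog
# auto-runs hex-obfuscated JavaScript and hides an embedded file inside a Flate
# stream, and a plain one-page document.
_HIDDEN = zlib.compress(b"<< /Type /EmbeddedFile /Subtype /application#2Fx-msdownload >>")
MALICIOUS_PDF = (
    b"%PDF-1.7\n"
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    + b"2 0 obj << /Type /Pages /Count 0 /Kids [] >> endobj\n"
    + b"3 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj\n"
    + b"4 0 obj << /Length " + str(len(_HIDDEN)).encode() + b" /Filter /FlateDecode >>\n"
    + b"stream\n" + _HIDDEN + b"\nendstream\nendobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
CLEAN_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    + b"2 0 obj << /Type /Pages /Count 1 /Kids [3 0 R] >> endobj\n"
    + b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    + b"4 0 obj << /Length 44 >>\nstream\nBT /F1 12 Tf 72 720 Td (Invoice 0117) Tj ET\nendstream\nendobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print("lure:", triage_pdf(MALICIOUS_PDF))
    print("clean:", triage_pdf(CLEAN_PDF))
```

On the constructed lure this reports /OpenAction, /JavaScript (recovered from /Java#53cript), /JS and, only after inflating the stream, /EmbeddedFile. A reader that freezes on such a file, as the CEO's did, is a hint that something other than rendering is going on, and this kind of check takes seconds and needs no detonation.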

A deeper analysis of the malware's code uncovered its sophisticated capabilities:

  • Data Exfiltration: The program was designed to identify and exfiltrate sensitive company documents using complex regular expressions.
  • Financial Targeting: It contained functionality to detect and monitor browsing activity on major Swiss banking websites.
  • C2 Communication: The malware maintained robust communication channels with its C2 server to receive commands, upload stolen data, and potentially update its own code for new functionalities.

Initial Assessment & Client Awareness

We provided the client with a comprehensive report on the initial assessment of their IT infrastructure, supplemented by a brief penetration test. That exercise demonstrated how easily a threat actor could get into their network and move laterally through it undetected.

These initial findings served as a wake-up call for the leadership and the IT team. Notably, the breach triggered no alert from the company's Endpoint Detection and Response (EDR) platform, which had been a significant investment. The incident underscored the gap between buying security tools and configuring and designing them so that they actually defend against modern, targeted threats.
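As an added example, not a rule from the client's EDR, here is the shape of the detection logic that would have caught the chain described above: a PDF reader spawning an executable, that executable talking to Tor relay ports, and a Run key pointing at a user-writable path, correlated by process id so that three individually weak signals become one high-confidence incident. The telemetry is constructed in a Sysmon-like layout; the binary names, the allowlist entries and the addresses (RFC 5737 documentation ranges) are assumptions, not data from the engagement.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style telemetry for the example; not logs from the engagement.
READER = r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe"
DROPPER = r"C:\Users\ceo\AppData\Local\Temp\inv_0117.exe"
EVENTS = [
    {"ts": "2024-03-04T09:12:01", "type": "process", "pid": 4120, "image": READER,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"ts": "2024-03-04T09:12:07", "type": "process", "pid": 4188, "image": DROPPER, "parent": READER},
    {"ts": "2024-03-04T09:12:09", "type": "network", "pid": 4188, "image": DROPPER,
     "dst_ip": "203.0.113.10", "dst_port": 9001},
    {"ts": "2024-03-04T09:12:12", "type": "network", "pid": 4188, "image": DROPPER,
     "dst_ip": "198.51.100.7", "dst_port": 9001},
    {"ts": "2024-03-04T09:12:40", "type": "registry", "pid": 4188, "image": DROPPER,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\ceo\AppData\Roaming\Updater\svchost.exe"},
    # Benign activity that must stay silent: the reader's own updater and browser traffic.
    {"ts": "2024-03-04T09:13:00", "type": "process", "pid": 5010,
     "image": r"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe", "parent": READER},
    {"ts": "2024-03-04T09:13:05", "type": "network", "pid": 2200,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst_ip": "192.0.2.5", "dst_port": 443},
]

PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe"}
# Assumed allowlist of helpers a reader legitimately spawns; tune it for your own estate.
READER_CHILD_ALLOWLIST = {"adobearm.exe", "acrocef.exe", "rdrcef.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
TOR_PORTS = {9001, 9030}  # default Tor ORPort and DirPort
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def match_event(e):
    """Per-event rules: return a rule name for a suspicious event, else None."""
    if e["type"] == "process":
        if basename(e["parent"]) in PDF_READERS and basename(e["image"]) not in READER_CHILD_ALLOWLIST:
            return "pdf_reader_spawned_child"
    elif e["type"] == "network":
        if e["dst_port"] in TOR_PORTS:
            return "tor_port_connection"
        if in_user_writable(e["image"]):
            return "network_from_user_writable_path"
    elif e["type"] == "registry":
        if any(k in e["key"].lower() for k in RUN_KEYS) and in_user_writable(e["value"]):
            return "run_key_points_to_user_writable_path"
    return None


def detect(events, window=timedelta(minutes=15)):
    """Correlate per-event hits by pid.

    A child of a PDF reader that then talks to Tor and installs persistence inside
    `window` becomes one incident with severity 'high'; hits that belong to no such
    child are returned separately as uncorrelated, lower-confidence signals.
    """
    hits = []
    for e in events:
        rule = match_event(e)
        if rule:
            hits.append((e, rule))
    incidents = {}
    for e, rule in hits:
        if rule == "pdf_reader_spawned_child":
            incidents[e["pid"]] = {"pid": e["pid"], "image": e["image"],
                                   "start": datetime.fromisoformat(e["ts"]),
                                   "stages": [rule], "tor_peers": set(), "severity": "medium"}
    for e, rule in hits:
        inc = incidents.get(e["pid"])
        if inc is None or rule == "pdf_reader_spawned_child":
            continue
        if datetime.fromisoformat(e["ts"]) - inc["start"] > window:
            continue
        if rule not in inc["stages"]:
            inc["stages"].append(rule)
        if rule == "tor_port_connection":
            inc["tor_peers"].add(e["dst_ip"])
    for inc in incidents.values():
        if len(inc["stages"]) >= 3:
            inc["severity"] = "high"
    uncorrelated = [(e["ts"], rule) for e, rule in hits if e["pid"] not in incidents]
    return list(incidents.values()), uncorrelated


if __name__ == "__main__":
    found, leftovers = detect(EVENTS)
    for inc in found:
        print(inc["severity"], inc["pid"], inc["image"], inc["stages"], sorted(inc["tor_peers"]))
    print("uncorrelated:", leftovers)
```

None of the three rules is exotic, and each on its own would be noisy enough that an analyst might tune it out; the value is in chaining them through process lineage, which is the kind of configuration work a bought-and-installed EDR does not do for you.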

Towards a Secure Network

Following this preliminary engagement, the client entrusted us with the redesign of their IT infrastructure, including the network, the hosts, and part of the services such as data storage and user identity.

