Source |
AlienVault Blog |
Identifier |
2526378 |
Publication date |
2021-03-24 10:00:00 (viewed: 2021-03-24 11:05:34) |
Title |
Stories from the SOC – Propagating malware |
Text |
Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.
Executive Summary
While freeware has no monetary cost, it may still come at a price. Freeware can carry limitations such as infrequent updates, limited support and hidden malicious software. Some freeware programs bundle additional software packages that can include malware such as trojans, spyware, or adware. It’s important to have additional layers of defense to ensure that your environment is protected.
The Managed Threat Detection and Response (MTDR) analyst team was notified of malware on the assets of a customer who frequently uses freeware. The primary piece of malware detected by Cisco® Secure Endpoint (formerly AMP for Endpoints) did not appear to be particularly malicious, so the investigation was originally reported at medium severity. After some time, several alarms were raised for additional malware encountered on multiple assets within the customer’s environment, and it was determined that the infections were likely caused by freeware. After further investigation, the analyst created a report containing a list of infected machines, files, and their related malware families. The severity of the investigation was raised to high, and the customer was notified according to their incident response plan (IRP) to begin immediate remediation efforts.
Investigation
Initial Alarm Review
Malware Infection
Cisco Secure Endpoint – Threat detected
The initial alarm was raised for a piece of malware detected by Cisco® Secure Endpoint that indicated a single malware infection. The first detection to emerge appeared to be benign, as multiple open source intelligence (OSINT) sites reported the file as known-clean. Because of this original detection, the investigation was set at medium severity as a precautionary measure.
After some time, additional alarms were raised that indicated a deeper, more malicious infection, and it became clear that further investigation was necessary. During the investigation, nearly two hundred events covering varying malware infections were detected, indicating that the malware was propagating.
The detected malware events were filtered for benign hashes using the AT&T Alien Labs Open Threat Exchange (OTX) as well as other OSINT sites. The malicious files were organized into a report listing the infected files, their hashes, and the fifty suspected infected assets. After the report was organized and the additional alarms were posted within the investigation, the severity was increased from medium to high to prompt immediate customer response and quarantine of these threats.
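As an added illustration of the triage step described above (example code, not from the original post or from AT&T), the script below filters a constructed set of endpoint detections against cached OSINT verdicts, groups what remains by malware family and asset, and flags any hash seen on more than one asset as propagating. All hostnames, hashes, paths and family names are invented, and hashes without a cached verdict are kept for review rather than dropped.

```python
from collections import defaultdict

# Constructed sample alarm stream (hosts, hashes, paths and family labels are
# made up); endpoint detection events carry the same kinds of fields.
EVENTS = [
    {"host": "WS-017", "sha256": "a1" * 32, "path": r"C:\Tools\pdf_tool_setup.exe", "family": "PUA.Bundler"},
    {"host": "WS-017", "sha256": "b2" * 32, "path": r"C:\Users\j\AppData\upd.exe", "family": "Trojan.Dropper"},
    {"host": "WS-042", "sha256": "b2" * 32, "path": r"C:\Users\k\AppData\upd.exe", "family": "Trojan.Dropper"},
    {"host": "WS-042", "sha256": "c3" * 32, "path": r"C:\ProgramData\svc.dll", "family": "Trojan.Agent"},
    {"host": "WS-088", "sha256": "b2" * 32, "path": r"C:\Users\m\AppData\upd.exe", "family": "Trojan.Dropper"},
    {"host": "WS-088", "sha256": "d4" * 32, "path": r"C:\Temp\tb_installer.exe", "family": "Adware.Toolbar"},
]

# Verdicts looked up beforehand on OTX / other OSINT sources and cached here so
# the script runs offline (constructed). A hash with no cached verdict is
# deliberately treated as suspect, never silently discarded.
OSINT_VERDICTS = {"a1" * 32: "clean", "b2" * 32: "malicious", "c3" * 32: "malicious"}


def triage(events, verdicts):
    """Drop known-clean hashes, then group the rest by family, host and hash."""
    kept = [e for e in events if verdicts.get(e["sha256"]) != "clean"]
    by_family, by_host, hosts_per_hash = defaultdict(set), defaultdict(set), defaultdict(set)
    for e in kept:
        by_family[e["family"]].add(e["sha256"])
        by_host[e["host"]].add(e["sha256"])
        hosts_per_hash[e["sha256"]].add(e["host"])
    # The same hash on several assets is the signal that the malware is spreading.
    propagating = {h: sorted(hs) for h, hs in hosts_per_hash.items() if len(hs) > 1}
    unverified = sorted(h for h in hosts_per_hash if h not in verdicts)
    return {
        "infected_assets": sorted(by_host),
        "families": {f: sorted(hs) for f, hs in sorted(by_family.items())},
        "propagating": propagating,
        "unverified_hashes": unverified,
    }


def severity(report):
    """Mirror the escalation in the write-up: an isolated hit on one asset stays
    medium; spread across assets is high."""
    return "high" if report["propagating"] or len(report["infected_assets"]) > 1 else "medium"


if __name__ == "__main__":
    rep = triage(EVENTS, OSINT_VERDICTS)
    print(severity(rep), rep)
```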
Expanded Investigation
|
Tags |
Malware
Threat
|