A financial firm was hit with a phishing email that included a malicious Word® Doc attachment. An employee inadvertently infected the computer system by clicking on the attachment. The firm's up-to-date antivirus software was unable to detect the malicious attachment, allowing it to make changes to the system. Once infected, the computer connected to a domain in Asia and received command and control (C&C) instructions from the attacker; the malware's redundant C&C capability also allowed it to beacon out to other malicious hosts worldwide.
The attacker then extended the intrusion by pivoting from the infected host to the firm's other internal assets. Password sniffing tools, remote access tools and scanning tools were all observed on this host through our endpoint monitoring agent. Because these steps are automated, an attacker can carry them out in a matter of minutes.
The reason you haven't heard of this firm's compromise in the news is that the firm had implemented Cybersafe's Threat Monitoring Service (Network & Endpoint Security Monitoring). Our security operations team quickly observed the anomalous traffic caused by the malware beaconing out to the internet. Although the attacker was able to compromise and remotely control an internal computer system belonging to this financial firm, no lasting damage was done, because our rapid response to the threat prevented access to sensitive customer and investor data.