Sometimes when we talk about cybersecurity, it can feel a little intangible, with theory tending to dominate what we read about it. Learning from real-life incidents is often the best education. That is why the Security Operations Center (SOC) analyst team at AT&T Cybersecurity makes it a priority to document selected security incidents for the community to learn from. The following story is a real security incident uncovered by AT&T Cybersecurity SOC analysts. It is part of a larger series that aims to provide insight from the front line of cybersecurity: what triggered the alarms and which indicators of compromise were involved, how the investigation proceeded, the threat actors behind the attack, and the response and defense tactics used to remediate the threat.
Welcome to Tales from the SOC.
This first story delves into how one organization downloaded freeware and got more than it bargained for.
Recently, the AT&T Cybersecurity Managed Threat Detection and Response SOC analyst team was alerted to suspicious activity at a customer that regularly uses freeware, that is, software made available at no monetary cost to the user.
While freeware can be useful, it carries drawbacks: updates are often infrequent or absent, user support is minimal or nonexistent, and there is a real chance that malicious content has been embedded in it. Moreover, freeware installers frequently bundle additional software packages, such as browser toolbars, that can carry malware, trojans, spyware and adware.
The malware on the customer's systems was first discovered by an advanced malware protection solution for endpoints. At that early stage it was rated medium severity and judged non-threatening.
Furthermore, open-source intelligence (OSINT) sources had already catalogued the flagged files as known, clean files. Precautions were taken, but at first glance there was no cause for alarm.
However, additional malware detections were soon reported across the organization's systems, raising several alarms. In fact, nearly 200 malware-related events had been raised, which indicated the malware was propagating quickly.
After deeper investigation, the SOC team gathered enough intelligence to determine that the freeware was the source of the spread, which had affected 50 machines and their files. As a result, the severity level was raised from medium to high. Like firefighters responding to an alarm, security personnel mobilized for an immediate response to the infected systems. The affected machines were quarantined to stop further spread while remediation was carried out.
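The turning point in this story is a triage rule rather than a per-file verdict: a single hit on a file that OSINT calls clean is low priority, but the same hash landing on dozens of hosts within a couple of hours is active spread and must be escalated and contained. The script below is an added example that shows that rule over constructed data; it is not AT&T Cybersecurity's tooling. The EDR export format, the OSINT "known clean" list, the toolbar hash, hostnames, paths and timestamps are all assumptions made for the illustration.

```python
"""Escalate endpoint malware alerts on propagation, not on per-file verdicts alone.

Added example for this article, not AT&T Cybersecurity's own tooling. The EDR
export format, the OSINT 'known clean' list and the event data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical hash of the ad-company toolbar installer described in the story.
TOOLBAR_SHA256 = "3f2a9c0e1b7d4e5a6f8091a2b3c4d5e6f7081920a1b2c3d4e5f60718293a4b5c"

# Constructed OSINT result: sources list this hash as a known, clean file.
OSINT_KNOWN_CLEAN = {TOOLBAR_SHA256: "AdToolbarSetup.exe"}


@dataclass(frozen=True)
class EndpointEvent:
    ts: datetime
    host: str
    sha256: str
    path: str


def parse_event(line: str) -> EndpointEvent:
    """Parse one 'ISO-timestamp,host,sha256,path' line of the constructed EDR export."""
    ts, host, sha256, path = line.strip().split(",", 3)
    return EndpointEvent(datetime.fromisoformat(ts), host, sha256.lower(), path)


def sample_events(n_hosts=50, per_host=4, start=datetime(2020, 3, 2, 9, 0)):
    """Constructed export: the toolbar hash on n_hosts machines, per_host hits each,
    landing over roughly two hours (200 events with the defaults)."""
    lines = []
    for i in range(n_hosts):
        for j in range(per_host):
            ts = start + timedelta(minutes=2 * i + 15 * j)
            path = f"C:\\Users\\u{i}\\AppData\\Local\\Temp\\AdToolbarSetup.exe"
            lines.append(f"{ts.isoformat()},ws-{i:03d},{TOOLBAR_SHA256},{path}")
    return [parse_event(line) for line in lines]


def triage(events, known_clean, host_threshold=10,
           window=timedelta(hours=1), burst_threshold=50):
    """Return severity, hosts to quarantine and the reasons for the decision.

    A file that OSINT calls clean, seen once, stays 'medium'. The same hash on
    host_threshold or more distinct hosts, or burst_threshold events inside one
    sliding window, is treated as active spread and escalated to 'high'; hosts
    carrying a widespread hash are listed for quarantine regardless of the
    per-file verdict.
    """
    if not events:
        return {"severity": "none", "quarantine": [], "reasons": []}

    hosts_by_hash = defaultdict(set)
    for e in events:
        hosts_by_hash[e.sha256].add(e.host)

    reasons, quarantine = [], set()
    for sha, hosts in hosts_by_hash.items():
        verdict = "OSINT clean" if sha in known_clean else "unknown"
        if len(hosts) >= host_threshold:
            reasons.append(f"{sha[:12]} ({verdict}) present on {len(hosts)} hosts")
            quarantine |= hosts

    # Sliding-window burst count over sorted timestamps.
    stamps = sorted(e.ts for e in events)
    lo, peak = 0, 0
    for hi, t in enumerate(stamps):
        while t - stamps[lo] > window:
            lo += 1
        peak = max(peak, hi - lo + 1)
    if peak >= burst_threshold:
        reasons.append(f"{peak} events within {window}")

    return {
        "severity": "high" if reasons else "medium",
        "quarantine": sorted(quarantine),
        "reasons": reasons,
    }


if __name__ == "__main__":
    result = triage(sample_events(), OSINT_KNOWN_CLEAN)
    print(result["severity"], len(result["quarantine"]), "hosts to quarantine")
    for reason in result["reasons"]:
        print(" -", reason)
```

Run stand-alone, the script rates the constructed 200-event, 50-host export as high severity and lists all 50 workstations for quarantine, even though the only hash involved is on the OSINT clean list; the same function rates a single event on one host as medium. The thresholds are illustrative and would be tuned to the environment's normal alert volume.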
There will always be risks for those who use freeware, and because this particular customer downloads it regularly, incidents in which malware is discovered have become common. The SOC team conducted a thorough root-cause analysis of this infection and found that the infected freeware had come from a toolbar created by an interactive advertising company.
The customer was given the investigation report, along with steps, in line with its incident response plan, to remove the malware-infected files.
It was fortunate that the customer had security monitoring in place to detect the malware automatically. Such additional security layers are crucial when every second counts, because they buy the time needed to mount an effective response. That can be the difference between a cyberattack destroying a system and the system being remediated quickly. Had these controls not been in place, this malware incident could have been far more costly.