A Note on the Trojan Compromise of NCR Corporation

Wells Fargo image

Prevailion recently disclosed an active trojan compromise in the network of NCR Corporation.

We at Prevailion are extremely pleased that NCR has taken this matter seriously, including the engagement of an elite IR team, and we applaud them for their quick and diligent response to the compromise we detected inside their network. As with all impacted organizations, we were more than happy to provide NCR with the full details of the compromise activity that we observed through our ongoing C2 monitoring. We were in touch with NCR’s security team and IR team following SC Media’s initial report on this matter, in order to provide them with the full compromise intelligence they needed to address this active compromise.

While we are pleased with NCR’s security response, we disagree with some of the public comments they have made about this compromise and the subsequent malicious activity which we determined was active for over six months. In particular, NCR is claiming that they “have no evidence of actual command-and-control traffic leaving our network.” What NCR is overlooking is that these DNS requests are successfully being collected outside of their network, by us as well as the adversary. We are not the only ones seeing this call. It is likely calling to a round-robin of C2s. The reason why NCR may not see this as complete communications with the C2 is because Prevailion does not reply to the beacon requests. We simply passively collect them. Since there were no apparent resolutions to the DNS requests, there is no way NCR could determine these requests were successful. We at Prevailion do not currently respond to the DNS requests of malware.

At Prevailion, we do not scan corporate networks for signs of vulnerabilities, or monitor network traffic for potential malicious activity or other methods that are typically riddled with false-positives – all that we do, 100% of the time, is monitor criminal C2s for confirmed compromise activity. If we are receiving signals from an organization’s network, it is because that network has been compromised with malware that is actively communicating back to one of these criminal C2s. NCR is just one of over 20,000 organizations we are actively monitoring for confirmed compromise activity. To further explain: Prevailion relies exclusively on incoming beacons to identify victims associated with C2 infrastructure they have infiltrated. In the case of NCR, the malware was successful in communicating with a C2 which afforded Prevailion the means to identify NCR. Furthermore, the quantity of beacons (over 242,000 requests) coupled with the dwell time of the malware (over 180 days) lends to the severity of the situation and further qualifies this as a viable infection.

Our primary concern for NCR was that it had been compromised by a trojan which had remained highly active for over 180 days, with no evidence (that we could see, based on the ongoing beacon activity) of any successful attempt at remediating the compromise. Trojans pose a significant risk to any organization because of their ability to gain remote access to a network, spread laterally and install other payloads. This type of compromise needs to be addressed quickly, as the longer the dwell time, the more likely the trojan is to spread within that organization’s environment.

We will continue to provide any technical support that we can to NCR’s team, and we wish them the best.

The Latest

Diving Deep into UNC1151’s Infrastructure: Ghostwriter and beyond

Introduction: Prevailion’s Adversarial Counterintelligence Team (PACT) is using advanced infrastructure hunting techniques and Prevailion’s unparalleled visibility into threat actor infrastructure creation to uncover previously unknown domains associated with UNC1151 and the “Ghostwriter” influence campaign.  UNC1151 is likely a state-backed threat actor [1] waging an ongoing and far-reaching influence campaign that has targeted numerous countries across […]

Prevailion CEO, Karim Hijazi- Biden’s Cybersecurity Strategy

Prevailion CEO, Karim Hijazi, comments on lacking White House cybersecurity efforts Karim Hijazi lays out why Biden’s cybersecurity strategy lacks innovation and effectiveness to deal with modern adversaries already inside companies around the globe.    

Prevailion CEO, Karim Hijazi- Tmobile Hack

Prevailion CEO, Karim Hijazi, talks about the T-Mobile hack and cloned SIM cards Karim Hijazi says T-Mobile’s breach is the largest in carrier history and discusses SIM swapping and other forms of identity theft.    

Copyright 2021 Prevailion, Inc. All rights reserved.    

Disclaimer: Gartner “Cool Vendors in Security Operations and Threat Intelligence,” Mitchell Schneider, Ruggero Contu, John Watts, Craig Lawson, October 13, 2020. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner Disclaimer: The GARTNER COOL VENDOR badge is a trademark and service mark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.