A Note on the Trojan Compromise of NCR Corporation

28 August 2020

Prevailion recently disclosed an active trojan compromise in the network of NCR Corporation.

We at Prevailion are extremely pleased that NCR has taken this matter seriously, including the engagement of an elite IR team, and we applaud them for their quick and diligent response to the compromise we detected inside their network. As with all impacted organizations, we were more than happy to provide NCR with the full details of the compromise activity that we observed through our ongoing C2 monitoring. We were in touch with NCR’s security team and IR team following SC Media’s initial report on this matter, in order to provide them with the full compromise intelligence they needed to address this active compromise.

While we are pleased with NCR’s security response, we disagree with some of the public comments they have made about this compromise and the subsequent malicious activity, which we determined was active for over six months. In particular, NCR is claiming that they “have no evidence of actual command-and-control traffic leaving our network.” What NCR is overlooking is that the malware’s DNS beacon requests are successfully being collected outside of their network, by us as well as by the adversary. We are not the only ones seeing this call; the malware is likely calling to a round-robin of C2s. The reason NCR may not see this as complete communication with the C2 is that Prevailion does not reply to the beacon requests: we simply collect them passively. Since the DNS requests received no apparent resolutions, NCR had no way to determine from inside its network that these requests were reaching their destination. We at Prevailion do not currently respond to the DNS requests of malware.

At Prevailion, we do not scan corporate networks for signs of vulnerabilities, or monitor network traffic for potential malicious activity, or use other methods that are typically riddled with false positives – all that we do, 100% of the time, is monitor criminal C2s for confirmed compromise activity. If we are receiving signals from an organization’s network, it is because that network has been compromised with malware that is actively communicating back to one of these criminal C2s. NCR is just one of over 20,000 organizations we are actively monitoring for confirmed compromise activity. To further explain: Prevailion relies exclusively on incoming beacons to identify victims associated with C2 infrastructure it has infiltrated. In the case of NCR, the malware succeeded in communicating with a C2, which gave Prevailion the means to identify NCR. Furthermore, the quantity of beacons (over 242,000 requests) coupled with the dwell time of the malware (over 180 days) adds to the severity of the situation and further qualifies this as a viable infection.
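The argument above turns on one point: a beacon’s DNS query leaves the network whether or not anything answers it, so a detection that only counts resolved queries (or only counts established sessions to a C2) misses exactly this activity. The following script is an added example, not Prevailion’s or NCR’s code, of how a defender can surface that pattern in their own resolver logs: it groups queries by client and domain, scores the regularity of the gaps between them, and reports the share that went unanswered without ever filtering on it. The log format, the client addresses, the timestamps and the domain `c2-placeholder.example` are all constructed for the example, not indicators from this post.

```python
"""Detect DNS beaconing from resolver logs, ignoring whether queries resolved.

Added example (not Prevailion's or NCR's code). The sample log, the client
addresses and the domain 'c2-placeholder.example' are constructed placeholders.
Assumed log line format: "<epoch_seconds> <client_ip> <qname> <rcode>".
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass

# Response codes that mean the client got no usable answer. A beacon to a
# sinkholed or unanswered C2 domain shows up with these, so they must not be
# used to discard events.
UNANSWERED = {"NXDOMAIN", "SERVFAIL", "REFUSED", "TIMEOUT"}


@dataclass
class Finding:
    client: str
    domain: str
    queries: int
    median_interval_s: float
    interval_cv: float        # stdev / mean of inter-query gaps; low = machine-like
    unanswered_ratio: float   # fraction of queries with no usable answer


def constructed_log() -> list[str]:
    """Build the constructed sample log used by main() and the tests."""
    lines = []
    # Beaconing host: 20 queries, one every ~60 s, each under a different
    # leftmost label (typical of beacons encoding data in the name), never answered.
    jitter = [0, 1, -1, 2, 0, -2, 1, 0, 1, -1, 0, 2, -1, 0, 1, -2, 0, 1, 0, -1]
    t = 1_600_000_000
    for i, j in enumerate(jitter):
        t += 60 + j
        lines.append(f"{t} 10.0.5.23 h{i:03d}.c2-placeholder.example NXDOMAIN")
    # Benign host: irregular lookups that resolve normally.
    benign = [(1_600_000_007, "www.example.org"), (1_600_000_019, "cdn.example.org"),
              (1_600_000_140, "www.example.org"), (1_600_000_612, "mail.example.org"),
              (1_600_000_613, "www.example.org"), (1_600_000_901, "www.example.org")]
    for ts, name in benign:
        lines.append(f"{ts} 10.0.7.41 {name} NOERROR")
    return sorted(lines)


def parse_line(line: str) -> tuple[int, str, str, str]:
    ts, client, qname, rcode = line.split()
    return int(ts), client, qname.lower().rstrip("."), rcode.upper()


def registered_domain(qname: str) -> str:
    """Collapse varying subdomains to the last two labels.
    A production tool should use the Public Suffix List; this is a simplification."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_beacons(lines: list[str], min_queries: int = 5, max_cv: float = 0.2) -> list[Finding]:
    """Flag (client, domain) pairs whose query timing is regular enough to be automated.
    The response code is recorded for context but never used to drop events."""
    groups: dict[tuple[str, str], list[tuple[int, str]]] = defaultdict(list)
    for line in lines:
        ts, client, qname, rcode = parse_line(line)
        groups[(client, registered_domain(qname))].append((ts, rcode))

    findings = []
    for (client, domain), events in groups.items():
        if len(events) < min_queries:
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.stdev(gaps) / mean_gap
        if cv > max_cv:
            continue  # human-like, irregular timing
        unanswered = sum(1 for _, rc in events if rc in UNANSWERED) / len(events)
        findings.append(Finding(client, domain, len(events),
                                statistics.median(gaps), round(cv, 3), round(unanswered, 3)))
    return findings


def main() -> None:
    for f in find_beacons(constructed_log()):
        print(f"{f.client} -> {f.domain}: {f.queries} queries, median gap {f.median_interval_s}s, "
              f"cv {f.interval_cv}, unanswered {f.unanswered_ratio:.0%}")


if __name__ == "__main__":
    main()
```

Run against a real resolver log, the `unanswered_ratio` column is the check this post is about: a host that queries the same domain every minute for months and never gets an answer is still beaconing, and the absence of a response is no evidence that the signal stayed inside the network.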

Our primary concern for NCR was that it had been compromised by a trojan which had remained highly active for over 180 days, with no evidence (that we could see, based on the ongoing beacon activity) of any successful attempt at remediating the compromise. Trojans pose a significant risk to any organization because of their ability to gain remote access to a network, spread laterally and install other payloads. This type of compromise needs to be addressed quickly, as the longer the dwell time, the more likely the trojan is to spread within that organization’s environment.

We will continue to provide any technical support that we can to NCR’s team, and we wish them the best.


Copyright 2022 Prevailion, Inc. All rights reserved.    
