A Note on the Trojan Compromise of NCR Corporation
Prevailion recently disclosed an active trojan compromise in the network of NCR Corporation.
We at Prevailion are extremely pleased that NCR has taken this matter seriously, including the engagement of an elite IR team, and we applaud them for their quick and diligent response to the compromise we detected inside their network. As with all impacted organizations, we were more than happy to provide NCR with the full details of the compromise activity that we observed through our ongoing C2 monitoring. We were in touch with NCR’s security team and IR team following SC Media’s initial report on this matter, in order to provide them with the full compromise intelligence they needed to address this active compromise.
While we are pleased with NCR’s security response, we disagree with some of the public comments they have made about this compromise and the subsequent malicious activity which we determined was active for over six months. In particular, NCR is claiming that they “have no evidence of actual command-and-control traffic leaving our network.” What NCR is overlooking is that these DNS requests are successfully being collected outside of their network, by us as well as the adversary. We are not the only ones seeing this call. It is likely calling to a round-robin of C2s. The reason why NCR may not see this as complete communications with the C2 is because Prevailion does not reply to the beacon requests. We simply passively collect them. Since there were no apparent resolutions to the DNS requests, there is no way NCR could determine these requests were successful. We at Prevailion do not currently respond to the DNS requests of malware.
At Prevailion, we do not scan corporate networks for signs of vulnerabilities, or monitor network traffic for potential malicious activity or other methods that are typically riddled with false-positives – all that we do, 100% of the time, is monitor criminal C2s for confirmed compromise activity. If we are receiving signals from an organization’s network, it is because that network has been compromised with malware that is actively communicating back to one of these criminal C2s. NCR is just one of over 20,000 organizations we are actively monitoring for confirmed compromise activity. To further explain: Prevailion relies exclusively on incoming beacons to identify victims associated with C2 infrastructure they have infiltrated. In the case of NCR, the malware was successful in communicating with a C2 which afforded Prevailion the means to identify NCR. Furthermore, the quantity of beacons (over 242,000 requests) coupled with the dwell time of the malware (over 180 days) lends to the severity of the situation and further qualifies this as a viable infection.
Our primary concern for NCR was that it had been compromised by a trojan which had remained highly active for over 180 days, with no evidence (that we could see, based on the ongoing beacon activity) of any successful attempt at remediating the compromise. Trojans pose a significant risk to any organization because of their ability to gain remote access to a network, spread laterally and install other payloads. This type of compromise needs to be addressed quickly, as the longer the dwell time, the more likely the trojan is to spread within that organization’s environment.
We will continue to provide any technical support that we can to NCR’s team, and we wish them the best.