Prevailion recently disclosed an active trojan compromise in the network of NCR Corporation.
We at Prevailion are extremely pleased that NCR has taken this matter seriously, including the engagement of an elite IR team, and we applaud them for their quick and diligent response to the compromise we detected inside their network. As with all impacted organizations, we were more than happy to provide NCR with the full details of the compromise activity that we observed through our ongoing C2 monitoring. We were in touch with NCR’s security team and IR team following SC Media’s initial report on this matter, in order to provide them with the full compromise intelligence they needed to address this active compromise.
While we are pleased with NCR’s security response, we disagree with some of the public comments they have made about this compromise and the subsequent malicious activity which we determined was active for over six months. In particular, NCR is claiming that they “have no evidence of actual command-and-control traffic leaving our network.” What NCR is overlooking is that these DNS requests are successfully being collected outside of their network, by us as well as the adversary. We are not the only ones seeing this call. It is likely calling to a round-robin of C2s. The reason why NCR may not see this as complete communications with the C2 is because Prevailion does not reply to the beacon requests. We simply passively collect them. Since there were no apparent resolutions to the DNS requests, there is no way NCR could determine these requests were successful. We at Prevailion do not currently respond to the DNS requests of malware.
At Prevailion, we do not scan corporate networks for signs of vulnerabilities, or monitor network traffic for potential malicious activity or other methods that are typically riddled with false-positives – all that we do, 100% of the time, is monitor criminal C2s for confirmed compromise activity. If we are receiving signals from an organization’s network, it is because that network has been compromised with malware that is actively communicating back to one of these criminal C2s. NCR is just one of over 20,000 organizations we are actively monitoring for confirmed compromise activity. To further explain: Prevailion relies exclusively on incoming beacons to identify victims associated with C2 infrastructure they have infiltrated. In the case of NCR, the malware was successful in communicating with a C2 which afforded Prevailion the means to identify NCR. Furthermore, the quantity of beacons (over 242,000 requests) coupled with the dwell time of the malware (over 180 days) lends to the severity of the situation and further qualifies this as a viable infection.
Our primary concern for NCR was that it had been compromised by a trojan which had remained highly active for over 180 days, with no evidence (that we could see, based on the ongoing beacon activity) of any successful attempt at remediating the compromise. Trojans pose a significant risk to any organization because of their ability to gain remote access to a network, spread laterally and install other payloads. This type of compromise needs to be addressed quickly, as the longer the dwell time, the more likely the trojan is to spread within that organization’s environment.
We will continue to provide any technical support that we can to NCR’s team, and we wish them the best.
Undoubtedly, news that a Florida water plant had been hacked raised a lot of alarms outside the cybersecurity industry. The idea that a water source could be contaminated hit home for many Americans, highlighting the vulnerability of the nation’s utilities and critical infrastructure. But this attack came as no surprise to security experts. It was […]
Despite the many regulations from GDPR to CCPA, HIPAA, and PCI DSS that mandate a company report a data breach, many corporate hacks go unreported. Certainly, compliance is a driving force for the organizations that do report a data breach. Still, in 2019, CSO Online reported that the FBI’s Internet Crime Complaint Center received reports […]
Over a decade ago, security researchers at Microsoft identified a computer worm and dubbed it Ramnit. The malware family, “infects Windows executable files (.EXE) and HTML files (.HTML). It can also give a malicious hacker access to your PC. It spreads through infected removable drives, such as USB flash drives,” Microsoft warned. Fast forward to […]