Irony Strikes

Crypto Mining in a Financial Institution

  • Service Provided:
    Red Team Engagement
  • Client Industry:
    Financial Services
  • Company Size:
    500+ Employees

Engagement Overview:

The engagement was initiated with a financial institution that had a significant online presence and a vast network infrastructure. The scope of the engagement was to perform a Red Team operation, simulating a real-world attack scenario to test the organization's security posture. The primary focus was on the institution's digital assets, including their online banking platform, mobile applications, and backend servers. The goal was to identify any potential vulnerabilities that could be exploited by malicious actors, and to assess the effectiveness of the institution's existing security measures and incident response capabilities.

Our Approach:

Our team began the engagement with a comprehensive reconnaissance phase, gathering as much information as possible about the client's externally facing assets. During that research we came across a recently announced unauthenticated remote code execution (RCE) vulnerability affecting one of the client's web applications. We spent significant time understanding the vulnerability in depth, studying the technical details and the impact it could have on the client's systems, and then developed our own proof of concept (PoC) rather than relying on a public one. The PoC worked, giving us code execution on the web application.
While enumerating the compromised web application, working toward full compromise of the host before moving on to lateral movement, we discovered an oddly named service running on the system. Around the same time we also found a web-shell that we had not placed there. Evidence of a prior, unrelated compromise on a Red Team target changes the nature of the exercise, so we promptly informed the client. That notification led to the immediate termination of the Red Team engagement and the start of an incident response investigation by the client, which was essential for establishing the extent of the compromise and for remediating and securing the affected systems.

Engagement Outcome:

Upon discovery of the rogue service and web-shell, the client immediately initiated an extensive incident response investigation. Their Security Operations Center's (SOC) Splunk instance held no relevant logs for the host, but the logs still existed on the local system itself: the monitoring gap was that they were never forwarded. These local logs, dating back three years prior to our engagement, provided invaluable insight into the extent and duration of the compromise. Local logs on a host that has been under an attacker's control for that long are within the attacker's reach, so the timeline they suggest should be corroborated against sources the attacker could not touch, such as network telemetry or logs from neighbouring systems.
Although the Red Team engagement had officially concluded, our collaboration with the client did not. We continued to work closely with them in the aftermath of the discovery, providing guidance and support during this critical period. Our first priority was to ensure that the exploited vulnerability was properly patched and remediated, eliminating the immediate threat to the client's systems.
We also worked directly with the client's SOC to identify weak areas in their monitoring and detection capabilities, starting with the hosts whose local logs were not reaching Splunk. By analyzing the incident and the client's response, we provided recommendations for improving their security posture and resilience against future attacks. We also collaborated with their system administrators to sweep other systems for the same artifacts, so that remediation covered every affected host rather than just the one we happened to land on.
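A minimal version of the web-shell side of that sweep, as an added example that is not the engagement's or the client's tooling. The page does not say what platform the web application ran on, so this assumes a PHP/JSP-style web root on a Unix host, uses heuristic indicators (request data fed into an execution function, obfuscation layers, scripts under upload directories, hidden script files) chosen for illustration, and runs against a constructed sample web root built in a temporary directory; every hit is a lead for manual review, not proof of a shell.

```python
"""Hunt a web root for web-shell artifacts (added example, not the engagement's tooling)."""
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Extensions the web server executes server-side (assumed PHP/JSP/ASP.NET stack).
SCRIPT_EXT = {".php", ".phtml", ".phar", ".jsp", ".jspx", ".asp", ".aspx", ".ashx", ".cfm"}

# Content heuristics: code execution fed by request data, obfuscation layers,
# and direct command execution. Hits are leads for manual review, not proof.
INDICATORS = {
    "php_exec_from_request": re.compile(
        r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)"
        r"\s*\(\s*[^)]*\$_(?:GET|POST|REQUEST|COOKIE)", re.I),
    "php_dynamic_call": re.compile(r"\$\w+\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.I),
    "php_obfuscation": re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "jsp_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(", re.I),
    "aspx_exec": re.compile(r"\bProcess\.Start\s*\(|\beval\s*\(\s*Request", re.I),
}


def content_indicators(path: Path) -> list[str]:
    """Return the names of INDICATORS that match the file body."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def path_indicators(rel: Path) -> list[str]:
    """Location is evidence too: scripts under upload paths and hidden
    (dot-prefixed) script names are rarely legitimate."""
    hits = []
    if any("upload" in part.lower() for part in rel.parts[:-1]):
        hits.append("script_in_upload_dir")
    if rel.name.startswith("."):
        hits.append("hidden_script_file")
    return hits


def scan_webroot(root: Path) -> list[dict]:
    """Walk the web root and report every server-side script with at least one indicator."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in SCRIPT_EXT:
            continue
        rel = p.relative_to(root)
        hits = content_indicators(p) + path_indicators(rel)
        if hits:
            st = p.stat()
            findings.append({
                "path": rel.as_posix(),
                "indicators": hits,
                "size": st.st_size,
                # mtime seeds the timeline, but an attacker can reset it (timestomping).
                "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
            })
    return findings


def build_sample_webroot(base: Path) -> Path:
    """Constructed sample web root: benign files plus one PHP shell and one JSP shell."""
    root = base / "var" / "www" / "html"
    (root / "lib").mkdir(parents=True)
    (root / "uploads").mkdir()
    (root / "index.php").write_text("<?php include 'lib/db.php'; echo 'Welcome'; ?>\n")
    (root / "lib" / "db.php").write_text("<?php $pdo = new PDO('mysql:host=db;dbname=app', 'app', 'x'); ?>\n")
    (root / "uploads" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    # Constructed shells: the classic PHP one-liner and a JSP command runner.
    (root / "uploads" / ".cache.php").write_text(
        "<?php if(isset($_POST['c'])){ @eval(base64_decode($_POST['c'])); } ?>\n")
    (root / "lib" / "health.jsp").write_text(
        '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>\n')
    return root


def demo() -> list[dict]:
    """Build the sample web root in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_webroot(build_sample_webroot(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["indicators"], f["size"], f["mtime"])
```

Pointing `scan_webroot` at a real document root (for example `/var/www/html`) gives a first-pass list to triage; the path-based indicators catch the common case of a script dropped into a directory that should only ever hold user uploads, and the mtime is only a starting point because an attacker with three years of access can easily have altered it.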
This engagement served as a stark reminder of the importance of continuous security monitoring and proactive threat hunting. It highlighted the value of Red Team engagements in uncovering hidden threats and vulnerabilities, and in strengthening an organization's security posture through real-world attack simulations.