Irony Strikes

Crypto Mining in a Financial Institution

Service Provided

Network Penetration Testing

Client Industry

Financial Services

Company Size

10k+ Employees

Engagement Overview

During a routine network penetration testing engagement with a major financial services client, our team uncovered something far more significant than the typical vulnerabilities we were tasked to find. What began as a standard assessment quickly evolved into a full-scale incident response as we discovered evidence of a long-standing compromise.


Our Approach

Our team initiated the engagement using standard network penetration testing methodologies. After gaining initial access through a newly disclosed vulnerability in one of the client's internet-facing systems, we began to explore the internal network to understand the extent of potential exposure.

During our post-exploitation activities, we noticed unusual system behavior on one of the compromised hosts. CPU utilization was abnormally high, and there were strange network connections to external IP addresses. Further investigation revealed the presence of cryptocurrency mining software running covertly on the system.
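The two signals named above, abnormally high CPU and established connections to addresses outside the organization, are more useful together than alone: a busy application server talking to an internal database is normal, while a busy unknown binary talking to the internet is not. The following triage routine correlates the two. It is an added example, not the tooling used on this engagement; the process and connection tables are constructed sample data, the addresses are documentation ranges, and the internal address list is an assumed per-organization setting.

```python
import ipaddress

# Constructed sample data (not from the engagement): a process snapshot and a
# socket table as a host-based collector might report them.
PROCESSES = [
    {"pid": 4242, "name": "kworker-update", "cpu_pct": 97.3, "path": "/tmp/.x/kworker-update"},
    {"pid": 1001, "name": "java", "cpu_pct": 91.0, "path": "/opt/app/bin/java"},
    {"pid": 2203, "name": "sshd", "cpu_pct": 0.2, "path": "/usr/sbin/sshd"},
]
CONNECTIONS = [
    {"pid": 4242, "remote_ip": "203.0.113.45", "remote_port": 3333, "state": "ESTABLISHED"},
    {"pid": 1001, "remote_ip": "10.20.30.40", "remote_port": 5432, "state": "ESTABLISHED"},
    {"pid": 2203, "remote_ip": "10.0.0.5", "remote_port": 52214, "state": "ESTABLISHED"},
]

# Assumed: the organization's own address space. Anything outside it counts as
# external for this check (RFC 1918, loopback and link-local here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

CPU_THRESHOLD = 80.0  # percent; tune to the host's normal load profile


def is_external(ip):
    """True when the address lies outside every configured internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage_hosts(processes, connections, cpu_threshold=CPU_THRESHOLD):
    """Return processes that are both high-CPU and hold established connections
    to external addresses, with the remote endpoints listed for follow-up."""
    ext_by_pid = {}
    for c in connections:
        if c["state"] == "ESTABLISHED" and is_external(c["remote_ip"]):
            ext_by_pid.setdefault(c["pid"], []).append(f'{c["remote_ip"]}:{c["remote_port"]}')
    findings = []
    for p in processes:
        if p["cpu_pct"] >= cpu_threshold and p["pid"] in ext_by_pid:
            findings.append({"pid": p["pid"], "name": p["name"], "path": p["path"],
                             "cpu_pct": p["cpu_pct"], "remote": sorted(ext_by_pid[p["pid"]])})
    return findings


if __name__ == "__main__":
    for f in triage_hosts(PROCESSES, CONNECTIONS):
        print(f"pid {f['pid']} {f['name']} ({f['path']}) cpu={f['cpu_pct']}% -> {f['remote']}")
```

Note that the equally busy `java` process is not flagged because its only connection is internal; the finding is the unfamiliar binary under `/tmp` with an external endpoint, which is exactly what deserves a closer look at the binary and the destination.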

This discovery was alarming - it meant that someone else had already compromised the client's systems before our engagement. The presence of a crypto miner indicated that an attacker had maintained persistent access to the network, using the client's computing resources for their own financial gain.

We immediately escalated our findings to the client's security team and pivoted our engagement from penetration testing to incident response support. Our investigation revealed that an Advanced Persistent Threat (APT) group had established multiple backdoors throughout the network, some of which had been active for years without detection.


Engagement Outcome

Working alongside the client's incident response team, we helped identify all compromised systems and map the full extent of the breach. The attackers had established persistence mechanisms across dozens of servers and workstations, with access to sensitive financial data and customer information.

Our team assisted in the development and execution of a comprehensive remediation plan, including the removal of all malicious software, patching of exploited vulnerabilities, and implementation of enhanced monitoring capabilities to detect similar threats in the future.

The irony of discovering a crypto mining operation during a financial institution's security assessment was not lost on anyone involved. However, this engagement highlighted the critical importance of regular penetration testing - not just to find potential vulnerabilities, but to uncover active compromises that may have gone undetected by traditional security controls.