Case Study: CYDEF detects Cobalt Strike payload

Who

Large company in a high-tech industry

What

An employee at a large company in a high-tech industry made an honest mistake and installed out-of-date software. The version he installed contained a remotely exploitable vulnerability that allows anyone to gain control of the machine.

On top of that, the employee didn't follow the correct procedure and installed the software so that it ran under his own account, which had Domain Admin access. With that level of privilege, this was especially risky behavior.

The threat here is that as soon as an attacker gains access to the machine through this software, they have full control over the entire domain. Even though it would take some time to actually do anything with that level of access, this is highly dangerous for the organization.

An attacker did gain control of the machine in question and then dropped a Cobalt Strike payload. Cobalt Strike is a commercially available penetration-testing tool that is commonly abused by ransomware groups: it allows them to dump passwords, discover machines, and expand control over the network.

The infected machine was Internet-facing and sat in the organization's DMZ. The criminal was actively looking to expand their access, moving across the DMZ to other machines.

This incident was a ticking time bomb. It was just a matter of time until the attacker found a machine that would allow them to pivot to the back end and gain control of everything, which could have also then spread to their customers.

Response

We detected this incident very early on in the process. At that time, the criminal had compromised only three machines. We escalated the incident quickly and performed emergency containment to prevent expansion beyond those three infected devices.

Results

Our customer was able to limit the damage and only had to remediate those three machines, instead of being locked out of their entire system.

In addition to the detection and containment provided with our standard service, the customer engaged CYDEF for Incident Response services. Since the scope was limited to only three devices and the incident was cleaned up very quickly, the cost of our professional services was modest.

Savings

A conservative estimate for a ransomware attack such as this one would have been in the millions of dollars. If the incident had been found later, this could have cost the customer upwards of $250,000 in Incident Response fees alone.

Moreover, the impact to the company’s reputation could have been catastrophic, risking putting them out of business due to loss of trust with their customers.

Learn more

To learn how CYDEF can help protect your organization from cyber threats, contact us today at info@cydef.ca or (343) 944-5098.