The First Investigation: Uncovering the First Clues
Introduction:
Cybersecurity breaches often expose critical gaps in an organisation’s defences, leading to prolonged vulnerabilities if not properly addressed.
As a PCI Forensic Investigator (PFI), my role involves delving into complex security breaches, uncovering their root causes and ensuring containment of the respective incident. Recently, I was tasked with a complex case at “Joe’s Retail”, a company that had endured multiple security breaches over two years. This three part series will explore the intricate details of our investigation, beginning with the initial findings, oversights and lessons learned from the previous investigations.
The First Investigation: A Partial Discovery
In 2022, Joe’s Retail was requested to perform an Independent Investigation following a Common Point of Purchase (CPP) report from a card brand. A CPP report indicates that multiple fraudulent transactions were traced back to a common source, suggesting a potential breach - while it is not an exact science, it is typically fairly accurate from my experience. Due to the small size of the organisation, only an Independent Investigation was requested; also known as acquirer led investigations. These investigations are typically focused on the merchant’s rapid recovery and do not apply the depth of a PFI investigation, additionally, they are not part of a formally mandated program; they lack in certain departments as is clearly apparent through this blog series.
Joe’s Retail promptly engaged with a listed PFI firm to investigate. The team conducted their analysis and identified a piece of malware affecting the system. They removed this malware and recommended that plugins be updated, believing they had addressed the issue and contained the breach; however, this was later confirmed by Foregenix not to be the case.
Six Key Findings following a Common Point of Purchase (CPP) report from a card brand and Critical Oversights:
-
Lack of Security Measures:
Joe's Retail had multiple security measures that were only partially in place. They had a Web Application Firewall (WAF) but were not monitoring or reviewing critical alerts - it was also only in an alerting state so provided zero preventative measures. The admin panel was publicly available at the default location without Multi-Factor Authentication (MFA). These gaps made the environment vulnerable to attacks.
-
Discovery of a PHP Backdoor:
The investigation team identified a PHP backdoor on Joe's Retail’s single server. This type of malware is designed to provide unauthorised remote access to the compromised system. The backdoor enabled the attacker to maintain control over the compromised server, facilitating further malicious activities.
-
Missed Second Malware:
While the team successfully identified and removed one piece of malware, they failed to detect a second piece of malware (very similar to that already identified). This oversight left the environment vulnerable.
-
Surface-Level Analysis:
It is assumed that the investigation primarily focused on immediate threats and did not delve deeper into the system logs or network traffic, which would have revealed further malicious activity.
-
Failure to Review Web Access Logs:
A critical oversight was the failure to thoroughly review the web access logs. These logs are essential for understanding the scope of the attack and identifying unauthorised access patterns. If the team had analysed these logs, they would have noticed the attacker(s) accessing the admin panel, which was a significant indicator of compromise and provided a crucial lead for further investigation.
-
Lack of Continuous Monitoring:
Without continuous monitoring, the team missed the ongoing suspicious activities. The absence of robust monitoring systems allowed the undetected malware to remain active.
Four Lessons Learned from the 1st investigation:
-
Comprehensive Evidence Collection:
Effective investigations require a comprehensive collection of evidence. Limiting the scope to file-level data without examining broader system activity can result in missed threats. Extended log data and thorough system analysis provide a more complete picture of the attack and the attacker's methods.
-
Scanning:
Effective investigations require advanced tools capable of detecting both known and unknown malware. Signature-based detection alone is insufficient.
-
In-Depth Analysis:
An investigation should include detailed log analysis and network traffic review to uncover hidden threats.
-
Continuous Monitoring:
Implementing continuous monitoring can provide early detection of suspicious activities, enabling a quicker response to threats.
Conclusion:
The first investigation at Joe’s Retail in 2022 highlighted significant oversights that allowed the attacker(s) to maintain a persistent foothold within the environment. This initial failure set the stage for further complications, which we will explore in the next post.
Stay tuned… as we delve into the second investigation, which uncovered more but still fell short of resolving the core issue.
