CASE STUDY

Countering APTs, Ensuring M&A Standards Through Threat Hunting

Apr 9, 2020 | Case Study, Outside Intel

The Challenge

A global retailer’s (the Client) peers were attacked with customized ransomware and the retailer’s subsidiaries were being targeted with customized phishing attempts.

Why Nisos

Out of concern that a subsidiary could be targeted by a similar ransomware attack, Nisos was retained to meet the following objectives for each subsidiary:

  • Hunt for evidence of an active threat actor in the environment.
  • Identify coverage gaps that restrict the ability to threat hunt.
  • Document knowledge of the environment: topology, security stack, size, geographic locations, etc.
  • Document quick wins for risk reduction by identifying vulnerabilities or misconfigurations.

Preparation

Nisos analysts conducted a broad-spectrum threat hunt using a variety of Client internal corporate detection systems, third-party data sets and OSINT-derived data in an attempt to identify malicious actors present inside of the subsidiary network.

Nisos analysts took the following approach towards meeting the engagement objectives:

    • Gather contemporary botnet and other malware-related indicators of compromise (file hashes, URLs, and IP addresses) from open source reporting and commercial threat intelligence feeds.
    • Hold an information discovery meeting with technical POCs from each subsidiary to get a high-level understanding of the network and controls available for threat hunting.
    • Review external network traffic for suspected botnet and other anomalous traffic. Search our datasets for traffic to the IOCs gathered.
    • Given access to internal data sources (EDR logs, firewall logs, proxy logs, etc.), hunt for IOCs and TTPs common to ransomware attacks.
    • Perform internal scanning to identify misconfigurations and/or vulnerabilities that would increase the likelihood of a successful ransomware attack.
    • Identify any subsidiary accounts that appear in public credential dumps and provide a list of them.
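As an added illustration of the IOC sweep described in the approach above (example code, not Nisos's tooling or anything from this case study), a small Python hunt that checks constructed proxy log lines against a constructed IOC set of IP addresses, domains and file hashes; every indicator and log line here is a placeholder:

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed IOC set for illustration only; the values are placeholders, not real indicators.
IOCS = {
    "ip": {"203.0.113.45"},            # TEST-NET-3 address, never routable
    "domain": {"malware-c2.example"},  # reserved example TLD
    "sha256": {"a" * 64},              # placeholder hash
}

# Constructed proxy log lines in a simple space-separated layout:
# timestamp src_ip action url sha256-of-downloaded-file (or "-" when none)
PROXY_LOG = """\
2020-04-01T10:00:01Z 10.1.2.3 ALLOW http://intranet.example/index.html -
2020-04-01T10:00:05Z 10.1.2.7 ALLOW http://malware-c2.example/gate.php -
2020-04-01T10:01:13Z 10.1.2.9 ALLOW http://203.0.113.45:8080/update.bin {h}
2020-04-01T10:02:00Z 10.1.2.3 DENY http://news.example/ -
""".format(h="a" * 64)

def host_kind(host):
    """Classify a URL host as 'ip' or 'domain' so it is looked up in the right IOC bucket."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "domain"

def hunt(log_text, iocs=IOCS):
    """Return one hit per log line that touches any IOC, with the matching reasons."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the whole sweep
        ts, src, action, url, digest = parts
        host = urlsplit(url).hostname or ""
        reasons = []
        if host in iocs[host_kind(host)]:
            reasons.append(f"{host_kind(host)}:{host}")
        if digest != "-" and digest.lower() in iocs["sha256"]:
            reasons.append(f"sha256:{digest[:12]}...")
        if reasons:
            hits.append({"ts": ts, "src": src, "action": action, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in hunt(PROXY_LOG):
        print(hit)  # each hit names the internal source host and why it matched
```

Real hunts would feed the same matcher with the firewall, proxy and EDR exports listed above and with IOC feeds refreshed for the engagement.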

Execution

Nisos found strong evidence of compromise and indications of recent malware and eCrime activity mostly involving credential harvesting (Isrstealer, minerpanel, quant, etc.) in several office locations. However, none of these indicators suggested a coordinated ransomware attack. We also identified compromised domain account credentials for a subsidiary in publicly available breach datasets.

Nisos found several unpatched machines, vulnerable to publicly available exploits (EternalBlue, BlueKeep, etc.), that could be leveraged by an attacker to gain complete control of corporate domains and critical systems. Contemporary ransomware, botnet and cryptominer malware operators use these vulnerabilities to expand their presence inside targeted corporate networks.

Impact

The Client had long been concerned that visibility gaps at recent acquisitions and subsidiaries could bring considerable reputational damage to the business if significant compromise took place. This particular hunt provided actionable intelligence and allowed the security team to commit additional resources to bring subsidiaries into alignment with corporate security policy.

About Nisos

Nisos is the Managed Intelligence company. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.

For additional information, contact info@nisos.com
