Countering Destruction to Save a Business
A healthcare technology company (the Client) suffered a wide-scale destructive compromise after an attacker targeted the Client’s backend point of sale technology and deleted all customer data.
In addition to the primary forensics firm that was called in to assess the breach and the damage, we were engaged to help recover the stolen data and to determine whether it was being sold on malicious forums or published to embarrass the Client. The Client did not have an appropriate disaster recovery plan and its backups had been encrypted, so the Client’s customers (individual retail outlet stores) had lost all of their customer data. Our unique value lay in our ability to use external data and conduct an investigation outside the Client’s network while the forensics firm handled remediation of the breach.
The destructive attack resulted from a SQL injection attack against the Client’s frontend PHP code, which gave the attacker access to the backend cloud infrastructure and to the backups holding all of the sensitive client data. In coordination with the forensics company handling the breach response, we accessed the Client’s environment and found vital clues that pointed us toward external servers that might have held the Client’s data.
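The defect class named above, as an added illustration that is not the Client's code (the write-up gives no detail of the application): a PHP query that concatenates user input into SQL text, beside the same lookup written as a prepared statement. The table, column names and connection details are assumptions for the example.

```php
<?php
// Added example (not the Client's code): string-built SQL in PHP beside the
// parameterised fix. Table/column names and the DSN are assumed.

// --- Vulnerable pattern: user-controlled input concatenated into the query ---
function findCustomerUnsafe(PDO $db, string $email): array
{
    // $email becomes part of the query text, so a value containing a quote
    // character can change the WHERE clause itself rather than just the
    // value being compared.
    $sql = "SELECT id, name FROM customers WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened pattern: prepared statement with a bound parameter ---
function findCustomerSafe(PDO $db, string $email): array
{
    // The query text is fixed before any user data is seen; the value is
    // sent separately and can only ever be compared as a string literal.
    $stmt = $db->prepare("SELECT id, name FROM customers WHERE email = :email");
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Production-style connection (assumed DSN and environment variables).
function connect(): PDO
{
    $dsn = 'mysql:host=db.internal;dbname=pos';
    return new PDO($dsn, getenv('DB_USER'), getenv('DB_PASS'), [
        // Raise exceptions instead of failing silently.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Use server-side prepared statements so parameters are never
        // interpolated into query text by the client library.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Offline demonstration against an in-memory SQLite database with
// constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$db->exec("INSERT INTO customers (name, email) VALUES "
        . "('Alice', 'alice@example.test'), ('Bob', 'bob@example.test')");

// Constructed input containing a quote, the kind of value a web form must
// be assumed to receive.
$input = "x' OR '1'='1";
printf("unsafe: %d rows\n", count(findCustomerUnsafe($db, $input)));
printf("safe:   %d rows\n", count(findCustomerSafe($db, $input)));
```

Run with `php example.php` (requires the pdo_sqlite extension). The unsafe variant returns every row in the table because the quote in the input terminates the string and the remainder is parsed as SQL; the safe variant returns nothing because the whole input is compared as one literal. The second half of the incident, an injection reaching cloud infrastructure and backups, is a privilege problem rather than a query problem: the database account used by the web tier should hold only the rights the application needs, and backup storage should not be reachable with the credentials the web tier holds, so that a single injected query cannot become a destructive compromise.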
Using this information, we leveraged external telemetry not available to the Client and determined that the data had been copied to external servers in a foreign country that were being controlled over the Tor anonymity network. We contacted the virtual private server (VPS) provider, which informed us of other servers it hosted that were used by the attacker and that held more customer data than had been discovered during the initial forensics investigation.
After analysis of a forensic copy of the servers the attacker was using, we determined that the attacker was preparing an ecommerce website linked to bitcoin wallets through which the attacker intended to distribute the stolen data, which would have created a public relations nightmare for the Client. The attacker had in fact stored and archived all of the data, whereas the Client had originally assumed the attacker had deleted it.
As a result of our continued investigation over six months, conducted in close coordination with the Client’s outside counsel, the Client was able to frustrate the attacker long enough to repair its code, recover its customer data, and prevent the reputational damage and legal action that might have put the Client out of business.
In addition, our investigation determined that the Client was being targeted continuously, likely by the same attacker, and that the attack was not a target of opportunity. The company was able to use the context of these targeted attacks to obtain insurance coverage not only for the breach and the appropriate third parties, but also for the remediation costs of building a more secure cloud environment.
Nisos is the Managed Intelligence company. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset, delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.
For additional information, contact firstname.lastname@example.org