Defense contractor contains APT with Unit 42 Incident Response expertise

A security breach at an organization that helps to keep the nation safe can have far-reaching consequences. When a US defense and technology manufacturing company learned that its systems had been compromised, it didn’t wait to act. The organization’s legal team reached out to Palo Alto Networks Unit 42 Incident Response team, requesting immediate help.

The situation was critical, as it directly threatened national security. Unit 42 began the investigation immediately and quickly determined that the attacker was still inside the company’s systems. Unit 42 needed to help stop the attack and also gain visibility into the scope, impact, and timeline. They wanted to find answers to questions such as:

• Who executed the breach?
• How did they gain access?
• Which systems were affected and how much data had been exfiltrated?
• What tactics did they use and how could they mitigate any vulnerabilities?

They had to move fast—with tools they could trust to deliver accurate visibility, data, and insight.

The high-stakes engagement required real-time threat intelligence alongside forensic analysis and advanced analytics. To accelerate the process, Unit 42 enlisted multiple in-house expert teams, including the Unit 42 Threat Intelligence team, and deployed Palo Alto Networks Cortex XDR® to improve visibility, analyze data, block actions, and remediate based on real-time indicators being collected.

Unit 42 aimed to uncover digital fingerprints that would identify the threat actor, how they got in, and what systems they had accessed. Amid an upsurge of state-sponsored attacks, the team needed to be sure about whom and what they were dealing with.

Leveraging live response data and offline collection capabilities, Unit 42 captured data from dozens of in-scope systems. They collected forensic images and performed threat-hunting queries through Cortex XDR to obtain key details and data points.

As they began to gather information, Unit 42 updated the client on their findings several times each day to keep the client in the know.

Early on, Unit 42 learned that the attacker had exploited a well-known vulnerability to commandeer multiple systems in one of the client’s cloud service provider (CSP) environments. The attacker uploaded web shells to vulnerable file servers and domain controllers, using them to gain unauthorized access.

Once inside, the attacker leveraged a VPN tunnel to connect from the CSP to the organization’s internal network. They were then able to connect to dozens of internal systems using compromised accounts.

Unit 42’s first major discovery was one of origin: The habits and patterns of the attacker matched that of a Chinese advanced persistent threat (APT) actor associated with the TiltedTemple campaign. Unit 42 also traced Remote Desktop Protocol (RDP) connections back to Chinese IP addresses. It was not the first time the team had seen this particular APT that prior knowledge allowed Unit 42 to identify it faster and mount a rapid response.

Uncovering a sophisticated plot

The attack was well underway when Unit 42 got involved. Quickly, it became clear the attack was not random; rather, the threat actor fully understood their target, planned to occupy the environment for the long haul, and intended to do further damage.

The criminals were using techniques that indicated a level of sophistication and planning and had already exfiltrated some data. Their tactics included:

• Installing web shells on compromised systems to maintain persistent remote access and copy malicious files onto the system.
• Leveraging a legitimate utility called a PowerShell to time-stamp older dates onto the web shells and thereby hide them in plain sight.
• Using living-off-the-land binaries (LOLBins) and normal system utilities (e.g., WMIC) to masquerade as normal files and distribute scripts across several internal systems. The scripts made copies of sensitive data, renamed the files with innocuous titles, and sent them back to China.

Unit 42 Incident Response experts moved swiftly to lock down the client’s systems, block further movement, and contain the breach. The Unit 42 Managed Threat Hunting and Threat Intelligence teams helped speed up progress.

Threat-hunting efforts focused on the telemetry, identifying the right indicators to use in the investigation and eviction.

The attacker was able to exfiltrate some data before the breach was identified. However, as Blanca notes, “Without the fast-acting experts from Unit 42, much more data would have been lost. We limited the amount of data the attacker was able to take.”

Unit 42 utilized Cortex XDR to rapidly contain the incident. Cortex XDR delivers extensive visibility into cyberattacks, providing real-time indicators and behavioral cues that augmented the findings of Unit 42’s Threat Intelligence teams. Armed with this functionality, Unit 42 was able to:

• Evict the threat actor from the client environment. VPN sessions were terminated to remove the attacker from the client’s systems.
• Eliminate potential points of entry. After the client did a global reset on its passwords, it decommissioned and rebuilt systems that had been compromised.
• Remove all traces of malware. Unit 42 set to work removing web shells and other malicious code the attacker had installed.
• Understand the full impact of the attack. Once the threat was neutralized, Unit 42 focused on defining the scope of the incident and related data loss. The team used the forensic-level data it gathered to enrich threat actor profiles and support future efforts.
• Document the findings. Unit 42 created a comprehensive report for the client that included the vulnerabilities the attacker used to gain access, the tactics it took to exfiltrate data, the ways it moved across systems, and more. These insights allowed the company and its legal counsel to take appropriate actions.

At the beginning of the engagement, the client and its legal team braced themselves for bad news.

“The day they learned about the attack was the worst day of their lives,” recalls Blanca. “Unit 42 helped them develop a plan that kept them calm and collected so they could stay focused on the goal.”

From start to finish, Unit 42 took a week and a half to identify, contain, and remediate the attack—a remarkably short timeline, given the complexity of the incident.

Unit 42 worked with the client to bring systems in its network back online as quickly as possible. It was important to prioritize critical systems while maintaining a sense of stealth to avoid setting off alarms. As systems were restored, the company resumed business as usual with minimal disruption.

With the bulk of the work accomplished, Unit 42 set out to answer the client’s next question: “What happens next time we’re attacked?”

Unit 42 provided a number of recommendations, from adopting security hygiene practices to implementing multifactor authentication (MFA). It also installed Cortex XDR to act as a unified SecOps platform for stopping future attacks, giving the client a high degree of confidence around what is happening inside its systems.

With Unit 42 as a trusted partner, along with greater visibility and fewer blind spots, the client is well-positioned to continue doing its important work.

Palo Alto Networks Unit 42® brings together world-renowned threat researchers, elite incident responders, and expert security consultants to create an intelligence-driven, response-ready organization that is passionate about helping you proactively manage cyber risk. Our team serves as your trusted advisor to help assess and test your security controls against the right threats, transform your security strategy with a threat-informed approach, and respond to incidents in record time so that you get back to business faster.

If you’d like to learn more about how Unit 42 can help your organization defend against and respond to severe cyberthreats, visit start.paloaltonetworks.com/contact-unit42.html to connect with a team member.

Under attack?

If you’re concerned you’ve been affected by an APT attack and/or the TiltedTemple campaign, Unit 42 is ready to help assess your risk and remediate the incident. Call us at North America toll free: +1.866.486.4842 (+1.866.4.UNIT42), EMEA: +31.20.299.3130, UK: +44.20.3743.3660, APAC: +65.6983.8730, or Japan: +81.50.1790.0200, or get in touch by visiting start.paloaltonetworks.com/contact-unit42.html.