Employee Fired for Spying on Management with RAT

Wednesday, August 08, 2012

Jeremy Sobeck


A small business recently came to SecureState with a big problem. An executive discovered that an unauthorized remote access tool (RAT) had been installed on his computer.

Searching further, he found the same software installed on several other systems. The company identified the employee who had installed the RAT and fired him immediately.

The company assumed the worst: confidential files had been stolen, malware had been installed, and the fired employee still had remote access to their systems.

They called the local police, who in turn engaged government investigators to examine the systems in question. For remediation and additional investigation, the lead agent recommended that the company contact our Incident Response Team.

Before our investigation even began, it was clear that this attack had required very little sophistication. The company's computers ran Windows Home edition, which cannot join a domain, so there was no centrally enforced password or privilege policy: accounts were not properly password protected and every user had local administrator rights on their machine. In practice, anyone could sit down at a computer that was already signed in and install whatever software they liked.

We then performed a forensic analysis of the systems in question and, in addition to the RATs, found several other malicious files. However, because of the basic setup of their systems and the time that had passed before we were called in, we were unable to say for certain that confidential company files had not been taken.

The IR team isolated and eradicated all malware, including the RAT software, from the computers and servers. Even though we assured them their systems were now clean, management remained uneasy. Given the company's small size, they chose the somewhat extreme step of purchasing all new equipment after the incident, to ensure that any undetected prior compromise could not continue to affect their environment.

We then shifted our focus to risk management, providing specific recommendations to keep this from happening again. For their environment the recommendations were relatively simple and centered on password management.
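The two conditions described above (every user a local administrator, and signed-in desktops that nobody has to authenticate to reach) and the password-management recommendations that followed can both be checked from a single standalone workstation. The script below is an added example written for this page, not code from the original SecureState post or from their IR engagement. It assumes Windows 10 or 11 (Home edition works; no domain is needed), PowerShell 5.1 or later, and an elevated session. The function and parameter names are ours, and the threshold values (12-character minimum, 90-day maximum age, 10-minute lock) are illustrative assumptions rather than SecureState's recommendations.

```powershell
<#
  Added example (not from the original post). Audit a standalone Windows
  workstation for the weaknesses described above, list the usual autostart
  locations a user-installed RAT tends to persist in, and optionally apply a
  basic local password / screen-lock baseline. Run elevated; -Remediate applies
  the baseline, otherwise the script only reports.
#>
[CmdletBinding()]
param([switch]$Remediate)

function Get-WorkstationExposure {
    # Members of the local Administrators group. On the workstations described
    # above this held every interactive user; it should hold one dedicated account.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource

    # Enabled accounts that never had a password set, or were created with
    # 'net user <name> /passwordreq:no', log in with an empty password.
    $weak = Get-LocalUser | Where-Object {
        $_.Enabled -and (-not $_.PasswordRequired -or $null -eq $_.PasswordLastSet)
    } | Select-Object Name, PasswordRequired, PasswordLastSet

    # AutoAdminLogon=1 boots straight to a signed-in desktop; without a secure
    # screen saver and timeout, a walk-up user never meets a lock screen.
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $desktop  = Get-ItemProperty 'HKCU:\Control Panel\Desktop'

    # Run keys for the machine and the current user: common RAT persistence.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $autostart = foreach ($path in $runKeys) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if ($key) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Key = $path; Name = $name; Command = $key.GetValue($name) }
            }
        }
    }

    # Services whose binary lives outside the Windows or Program Files trees.
    $oddServices = Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)'
    } | Select-Object Name, State, StartMode, PathName

    [pscustomobject]@{
        LocalAdmins         = $admins
        EmptyPasswordUsers  = $weak
        AutoAdminLogon      = $winlogon.AutoAdminLogon
        ScreenSaverSecure   = $desktop.ScreenSaverIsSecure
        ScreenSaverTimeout  = $desktop.ScreenSaveTimeOut
        Autostart           = $autostart
        NonStandardServices = $oddServices
    }
}

function Set-WorkstationBaseline {
    # Local account policy applies without a domain; thresholds are assumptions.
    net accounts /minpwlen:12 /maxpwage:90 /lockoutthreshold:5 /lockoutduration:15 | Out-Null

    # Require a password on every enabled local account and stop automatic logon.
    Get-LocalUser | Where-Object Enabled | ForEach-Object {
        net user $_.Name /passwordreq:yes | Out-Null
    }
    Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -Name AutoAdminLogon -Value '0'

    # Blank screen saver that locks after 10 minutes idle (values are REG_SZ).
    $desktop = 'HKCU:\Control Panel\Desktop'
    Set-ItemProperty $desktop -Name 'SCRNSAVE.EXE'       -Value 'scrnsave.scr'
    Set-ItemProperty $desktop -Name ScreenSaveActive     -Value '1'
    Set-ItemProperty $desktop -Name ScreenSaverIsSecure  -Value '1'
    Set-ItemProperty $desktop -Name ScreenSaveTimeOut    -Value '600'
}

$report = Get-WorkstationExposure
$report.LocalAdmins         | Format-Table -AutoSize
$report.EmptyPasswordUsers  | Format-Table -AutoSize
$report.Autostart           | Format-Table -AutoSize
$report.NonStandardServices | Format-Table -AutoSize
"AutoAdminLogon=$($report.AutoAdminLogon) ScreenSaverIsSecure=$($report.ScreenSaverSecure) Timeout=$($report.ScreenSaverTimeout)"

if ($Remediate) { Set-WorkstationBaseline }
```

The `LocalAdmins` list is deliberately left for a human: deciding which single account keeps administrator rights and removing the rest with `Remove-LocalGroupMember` is a business decision, not something a script should guess at. The `Autostart` and `NonStandardServices` output is a triage list, not a verdict; legitimate software shows up there too, so compare it against a known-good machine or the vendor's documentation before removing anything.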

The company learned a hard lesson: being small typically means fewer threats target you and you have a smaller footprint, but it only takes one threat to exploit vulnerabilities as severe as theirs.

Cross-posted from SecureState
