A small business recently came to SecureState with a big problem. An executive discovered that an unauthorized remote access tool (RAT) had been installed on his computer.
Upon searching, he found several other systems with the same software installed. The company was able to identify the individual who installed the RAT and fired him immediately.
The company assumed the worst: confidential files had been stolen, malware had been installed, and the fired employee still had remote access to their systems.
They called the local police, who in turn engaged government investigators to examine the systems in question. For remediation and additional investigation, the lead agent recommended that the company contact our Incident Response Team.
Before our investigation had really begun, we saw that this type of attack required very little sophistication, since the small company's computers ran Windows Home edition. Systems were not properly password-protected, and each terminal had local admin privileges. Their policy at the time allowed anyone to sit down at any signed-in computer and install software.
We then performed a forensic analysis of the systems in question and, in addition to the RATs, found several other malicious files. However, because of the basic setup of their computer systems and the time that had passed before we were called in, we were unable to say for certain that confidential company files had not been removed.
The IR Team was able to isolate and eradicate all malware and the RAT software from the computers and servers. Even though we assured them that their systems were now clean, management remained wary. Given the small scale of the company, they chose the somewhat extreme step of purchasing all new equipment after this incident, to ensure that any undetected earlier compromise could not continue to affect their environment.
We then shifted our focus to risk management, providing specific recommendations to prevent this from happening again. The recommendations for their environments were relatively simple and based around password management.
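The weaknesses described above (accounts without passwords, every user holding local admin rights, and signed-in consoles that never lock) can each be checked from PowerShell on a standalone workstation. The script below is an added example, not SecureState's own tooling or anything from the engagement; it assumes PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts module (present on Windows 10 and 11, Home edition included), and the idle-lock threshold of 600 seconds is an arbitrary value chosen for the example. The first function only reports; the second applies the corrected settings and supports -WhatIf.

```powershell
function Get-WorkstationAccessAudit {
    <#
    .SYNOPSIS
    Reports, for the local machine, the three weaknesses from the case above:
    enabled accounts with no password, non-default members of Administrators,
    and a console that does not lock itself after idle time.
    #>
    [CmdletBinding()]
    param(
        # Longest acceptable idle time (seconds) before the screen locks. Example value.
        [int]$MaxIdleSeconds = 600
    )

    # Enabled local accounts for which Windows does not require a password.
    $noPassword = Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        Select-Object -ExpandProperty Name

    # Members of the local Administrators group other than the built-in Administrator.
    # In the environment described above, every day-to-day account would appear here.
    $extraAdmins = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -notmatch '\\Administrator$' } |
        Select-Object -ExpandProperty Name

    # Screen-lock settings for the current user live under HKCU:\Control Panel\Desktop.
    # ScreenSaveActive / ScreenSaverIsSecure are REG_SZ '1' or '0'; ScreenSaveTimeOut is
    # seconds; SCRNSAVE.EXE must name a screen saver or the timeout never fires.
    $desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $timeout = if ($desk.ScreenSaveTimeOut) { [int]$desk.ScreenSaveTimeOut } else { 0 }
    $locks = ($desk.ScreenSaveActive -eq '1') -and
             ($desk.ScreenSaverIsSecure -eq '1') -and
             -not [string]::IsNullOrEmpty($desk.'SCRNSAVE.EXE') -and
             ($timeout -gt 0) -and ($timeout -le $MaxIdleSeconds)

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        AccountsWithoutPassword = @($noPassword)
        ExtraLocalAdmins        = @($extraAdmins)
        ConsoleLocksWhenIdle    = $locks
        LockTimeoutSeconds      = $timeout
    }
}

function Set-WorkstationAccessBaseline {
    <#
    .SYNOPSIS
    Applies the corrected settings. Run from an elevated prompt; use -WhatIf to preview.
    Surplus accounts are removed from Administrators and the idle lock is enabled.
    Passwords are deliberately not set here: each user chooses their own
    (Set-LocalUser -Password), so the function only reports accounts still lacking one.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Accounts allowed to stay in Administrators (short names, no machine prefix).
        [string[]]$KeepAsAdmin = @('Administrator'),
        [int]$IdleSeconds = 600
    )

    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        $short = ($member.Name -split '\\')[-1]
        if ($KeepAsAdmin -contains $short) { continue }
        if ($PSCmdlet.ShouldProcess($member.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name
        }
    }

    # Blank screen saver shipped with Windows, with password required on resume.
    $desk = 'HKCU:\Control Panel\Desktop'
    if ($PSCmdlet.ShouldProcess($desk, "Lock console after $IdleSeconds s idle")) {
        Set-ItemProperty -Path $desk -Name 'SCRNSAVE.EXE'       -Value "$env:SystemRoot\System32\scrnsave.scr"
        Set-ItemProperty -Path $desk -Name 'ScreenSaveActive'   -Value '1'
        Set-ItemProperty -Path $desk -Name 'ScreenSaverIsSecure' -Value '1'
        Set-ItemProperty -Path $desk -Name 'ScreenSaveTimeOut'  -Value "$IdleSeconds"
    }

    Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
        Write-Warning "Account '$($_.Name)' still has no password; set one with Set-LocalUser -Password."
    }
}

# Usage:
#   Get-WorkstationAccessAudit | Format-List
#   Set-WorkstationAccessBaseline -WhatIf
```

The audit is per-user for the lock settings (they are under HKCU), so it should be run as each account that signs in at a shared terminal; the Administrators check and the password check are machine-wide. Removing admin rights is the change that would have stopped the unattended install of a RAT in the case above, since a standard user cannot install software system-wide, and the idle lock closes the window in which a signed-in but unattended console is usable by anyone who walks up to it.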
The company learned a hard lesson: although being small typically means fewer threats are targeting you and you have a smaller footprint, a single threat actor was enough to exploit the severe vulnerabilities they had.
Cross-posted from SecureState