
Client Case Studies

Your Company is Unique, So Your Managed Detection and Response Solution Should Be Too

Ankura InterXeptor™ isn’t a scaled-down, large enterprise monitoring solution; we built it specifically for middle market companies based on our decades of experience working with them and understanding their risk profiles and business objectives. We assess your unique security posture, analyze a range of potential threats, and design a custom solution with your company’s needs—and resource constraints—in mind.

How We’ve Helped Clients

Failed log-in attempts lead to threat detection and incident response action by Ankura InterXeptor

While monitoring a client in the financial industry, our analysts were alerted to an unusual pattern of failed attempts to log into a system. Failed log-ins are common and not usually indicative of malicious activity. Users often forget their passwords, particularly in the summer months after coming back from an extended vacation.

However, on closer inspection, one of our Ankura InterXeptor analysts recognized that the username entered for one of the accounts did not follow the company’s naming convention. Forgetting a password is one thing; forgetting your username is more unusual. The analyst also noticed that the originating and destination IP addresses had never previously been seen connecting to each other. After quickly conferring with the client, the analyst determined the activity was a password spraying attack, in which a small number of common passwords are tried against many accounts so that no single account accumulates enough failures to trigger a lockout. Ankura immediately blocked traffic to and from the observed IP addresses and advised the client to require a password change for the targeted user accounts.
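The three signals the analyst combined in this case (many accounts failing from one source, usernames outside the naming convention, and a source/destination pair with no history) can be expressed as detection logic. The following Python is an added example, not Ankura’s tooling; the log format, the firstname.lastname naming convention, the baseline of known IP pairs, and the sample log lines are all constructed for illustration.

```python
"""Password-spray triage over constructed auth log lines (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Set, Tuple

# Constructed log format: one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)
# Assumed naming convention for this hypothetical client: firstname.lastname, lowercase.
CONVENTION_RE = re.compile(r"^[a-z]+\.[a-z]+$")

# Constructed baseline: (src, dst) pairs seen in earlier successful logins.
KNOWN_PAIRS: Set[Tuple[str, str]] = {("10.0.0.21", "10.0.0.5"), ("10.0.0.33", "10.0.0.5")}

# Constructed sample: a forgetful user, a single-account brute force from a known
# host, and a low-and-slow spray from a source never seen before.
SAMPLE_LOG = """\
2024-06-10T08:01:02Z src=10.0.0.21 dst=10.0.0.5 user=j.smith result=FAIL
2024-06-10T08:01:20Z src=10.0.0.21 dst=10.0.0.5 user=j.smith result=FAIL
2024-06-10T08:01:41Z src=10.0.0.21 dst=10.0.0.5 user=j.smith result=OK
2024-06-10T08:30:00Z src=10.0.0.33 dst=10.0.0.5 user=m.chen result=FAIL
2024-06-10T08:30:05Z src=10.0.0.33 dst=10.0.0.5 user=m.chen result=FAIL
2024-06-10T08:30:10Z src=10.0.0.33 dst=10.0.0.5 user=m.chen result=FAIL
2024-06-10T08:30:15Z src=10.0.0.33 dst=10.0.0.5 user=m.chen result=FAIL
2024-06-10T08:30:20Z src=10.0.0.33 dst=10.0.0.5 user=m.chen result=FAIL
2024-06-10T08:30:25Z src=10.0.0.33 dst=10.0.0.5 user=m.chen result=FAIL
2024-06-10T09:00:00Z src=203.0.113.7 dst=10.0.0.5 user=a.jones result=FAIL
2024-06-10T09:00:31Z src=203.0.113.7 dst=10.0.0.5 user=b.patel result=FAIL
2024-06-10T09:01:02Z src=203.0.113.7 dst=10.0.0.5 user=c.lee result=FAIL
2024-06-10T09:01:33Z src=203.0.113.7 dst=10.0.0.5 user=d.ortiz result=FAIL
2024-06-10T09:02:04Z src=203.0.113.7 dst=10.0.0.5 user=administrator result=FAIL
2024-06-10T09:02:35Z src=203.0.113.7 dst=10.0.0.5 user=sqlsvc result=FAIL
"""


@dataclass
class SprayFinding:
    src: str
    dst: str
    distinct_users: int
    max_fails_per_user: int
    off_convention: List[str]   # usernames that do not fit the naming convention
    unseen_pair: bool           # src->dst never observed in the baseline
    targeted_users: List[str] = field(default_factory=list)


def parse(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect_spray(log_text: str, known_pairs: Set[Tuple[str, str]] = KNOWN_PAIRS,
                 min_users: int = 5, max_per_user: int = 2) -> List[SprayFinding]:
    """Flag (src, dst) pairs that fail against many accounts but few times each.

    A brute force on one account (many failures, one user) and a forgetful user
    (few failures, one user) both fall below min_users and are not reported.
    """
    fails: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ev in parse(log_text):
        if ev["result"] == "FAIL":
            fails[(ev["src"], ev["dst"])][ev["user"]] += 1

    findings: List[SprayFinding] = []
    for (src, dst), per_user in fails.items():
        distinct, worst = len(per_user), max(per_user.values())
        if distinct >= min_users and worst <= max_per_user:
            users = sorted(per_user)
            findings.append(SprayFinding(
                src=src, dst=dst, distinct_users=distinct, max_fails_per_user=worst,
                off_convention=[u for u in users if not CONVENTION_RE.match(u)],
                unseen_pair=(src, dst) not in known_pairs,
                targeted_users=users))
    return findings


def response_actions(f: SprayFinding) -> List[str]:
    """Containment steps matching the case study: block the source, reset targets."""
    return [f"block traffic to/from {f.src}"] + \
           [f"force password change for {u}" for u in f.targeted_users]


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_LOG):
        print(finding)
        print("\n".join(response_actions(finding)))
```

The per-user ceiling is what separates a spray from a brute force: an attacker trying one or two passwords against every account stays under the lockout threshold on each account, so per-account counters never fire and the pattern is only visible when failures are grouped by source.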

Ankura InterXeptor’s continuously updated detection rules help spot threats, leading to rapid containment and remediation

Ankura was engaged to conduct threat hunting activities for a financial services client experiencing unusual network activity. Our analysts implemented custom detection rules to spot the tactics, techniques, and procedures (TTPs) known to be used by the sophisticated threat actors most likely to target this client. The custom detection rules alerted on a small number of anomalous PowerShell (PS) executions.

The use of PS by itself is not unusual in Microsoft Windows environments. However, the manner in which these PS commands were executed was unusual and warranted further scrutiny. On inspection, our analysts determined that the suspect PS executions occurred on only a small number of machines and were a covert “beacon”: a periodic callback set up by a threat actor to maintain persistent access to the victim network and keep a channel open to the attacker’s command and control server. The destination hosts used by the threat actor were named to resemble the client’s legitimate sites so as to evade network traffic detection, and the PS commands themselves were crafted to look like routine software updates.
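Two of the properties described above are mechanically checkable: a destination name that is a close edit of one of the client’s real domains, and callbacks that recur at a nearly fixed interval. The Python below is an added example rather than Ankura’s detection rules; the client domain list, the host names, and the PowerShell network events are constructed for illustration, and the jitter threshold is an assumed tuning value.

```python
"""Flag PowerShell network events that beacon to lookalike domains (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Assumed set of the hypothetical client's legitimate domains.
LEGIT_DOMAINS: Set[str] = {
    "example-corp.com", "updates.example-corp.com", "portal.example-corp.com",
}

# Constructed events: (UTC timestamp, host, destination FQDN) for outbound
# connections made by powershell.exe, as an EDR would record them. WS017 talks
# to the real update host at irregular times; WS042 calls a one-character
# lookalike every five minutes.
EVENTS: List[Tuple[str, str, str]] = [
    ("2024-06-11T01:00:00Z", "WS017", "updates.example-corp.com"),
    ("2024-06-11T03:12:40Z", "WS017", "updates.example-corp.com"),
    ("2024-06-11T09:45:05Z", "WS017", "updates.example-corp.com"),
    ("2024-06-11T14:02:00Z", "WS017", "updates.example-corp.com"),
    ("2024-06-11T01:00:00Z", "WS042", "updates.examp1e-corp.com"),
    ("2024-06-11T01:05:01Z", "WS042", "updates.examp1e-corp.com"),
    ("2024-06-11T01:10:00Z", "WS042", "updates.examp1e-corp.com"),
    ("2024-06-11T01:14:59Z", "WS042", "updates.examp1e-corp.com"),
    ("2024-06-11T01:20:00Z", "WS042", "updates.examp1e-corp.com"),
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, legit: Set[str] = LEGIT_DOMAINS,
                 max_distance: int = 2) -> Optional[str]:
    """Return the legitimate domain this one imitates, or None if it is legitimate
    or not close to anything on the list."""
    if domain in legit:
        return None
    best = min(legit, key=lambda d: levenshtein(domain, d))
    return best if levenshtein(domain, best) <= max_distance else None


def beacon_timing(stamps: List[str], min_events: int = 4) -> Optional[Tuple[float, float]]:
    """Return (mean interval in seconds, jitter as stdev/mean) for a series of
    callbacks, or None if there are too few events to judge periodicity."""
    ts = sorted(datetime.fromisoformat(s.replace("Z", "+00:00")) for s in stamps)
    if len(ts) < min_events:
        return None
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, jitter


def analyze(events: List[Tuple[str, str, str]] = EVENTS,
            legit: Set[str] = LEGIT_DOMAINS, max_jitter: float = 0.1) -> List[Dict]:
    """Group events by (host, destination) and report pairs that either contact a
    lookalike domain or call back with near-constant spacing."""
    by_pair: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for ts, host, dest in events:
        by_pair[(host, dest)].append(ts)

    findings: List[Dict] = []
    for (host, dest), stamps in by_pair.items():
        mimics = lookalike_of(dest, legit)
        timing = beacon_timing(stamps)
        periodic = timing is not None and timing[1] <= max_jitter
        if mimics or periodic:
            findings.append({"host": host, "dest": dest, "mimics": mimics,
                             "interval_s": timing[0] if timing else None,
                             "periodic": periodic})
    return findings


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

Either signal alone is worth a look; both together on the same host, from a PowerShell process, is the profile the case study describes. A real deployment would also exclude the organisation’s own typo-squat registrations from the lookalike check and allow a larger jitter budget, since many implants randomise their sleep by a configurable percentage.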

Based on these findings, our Ankura InterXeptor analysts contacted the client to confirm. The client’s further checking established that the attacker had gained initial access through a successful spear phishing campaign. Ankura’s incident responders rapidly investigated, contained, and remediated the attack before there was any impact to business operations or data integrity.

Ankura InterXeptor’s behavioral anomaly detection rules stop threat actors’ reconnaissance activities

While monitoring a client in the manufacturing industry, our analysts received an alert that a network scanning (netscan) program had attempted to run and had been blocked by our custom preventive rules. Netscan tools are often used legitimately by IT staff to discover new devices connecting to the network, and such alerts are therefore often ignored by inexperienced analysts.

However, knowing that network scanning tools are also used by threat actors for reconnaissance, the Ankura team launched an investigation and found that the scan had been launched from an unusual location on the network. Our Ankura InterXeptor analysts then investigated further and discovered more suspicious artifacts in the same location. We reported this to the client, who confirmed the activity was not authorized.

In the end, it was determined that a cyber threat actor had been conducting reconnaissance on the client’s network to prepare for further intrusion into the client’s environment. The threat actor’s reconnaissance was disrupted and stopped as a result of our analysts’ findings.

Not All MDR Partners Are Created Equal

Choosing the right Managed Detection and Response (MDR) provider is critical for staying ahead of today’s cybersecurity threats. Download our eBook to learn 10 essential questions you should ask before selecting an MDR partner who can provide the highest level of protection and service for your organization.

Get Our Cyber Threat Intelligence Updates

Sign up for three months of Ankura’s CTIX FLASH Update, which provides cyber threat intelligence to an organization’s security team.


Ankura InterXeptor™ Risk Assessment

Our two-minute Risk Assessment can help you determine how prepared your organization is to repel a cyberattack. Complete your risk profile now and have the answers you need immediately.

Recognizing cyber threats that can compromise your organization and addressing those security gaps is critical to protecting your firm’s infrastructure. Mitigating your risk can be the difference between a highly manageable, isolated cybersecurity incident and a data breach causing a major disruption that paralyzes your organization for days.
