Major European corporation disrupts nation-state APT attack

After its endpoint detection tool raised malware alerts on two servers, this client engaged Unit 42® to investigate a multistage APT attack and restore critical operations.

Results
2 hours

To identify and isolate affected servers

36 hours

To provide a complete recovery plan and roadmap

7 days

From initial scoping to full recovery, including investigation

The Client

Large European transportation and logistics company

The Challenge

The organization first saw malware alerts from two of its servers. The security team later learned that, by all indications, a nation-state APT was mounting a multistage attack: the attacker exploited a vulnerable web application, deployed web shells, and stole sensitive data. Unit 42 was brought in to:

  • Provide a detailed understanding of the incident, including specific tools used.
  • Secure systems and provide remediation guidance.
  • Get business-critical functions operational fast.

Unit 42’s Rigorous Incident Response Approach for Superior Outcomes

Assess

The client received alerts from its endpoint detection tool that malware was detected on two servers. The SOC isolated the servers and contacted Unit 42.

Investigate

Using Cortex XDR, Unit 42 identified the exploited web application vulnerability, the web shell deployment, brute-force activity, internal reconnaissance, credential dumping, and data theft.

Secure

Unit 42's immediate findings on web shells, attacker-created user accounts, and C2 infrastructure enabled the client to contain the threat actor.

Recover

Restored business-critical operations in 7 days, eliminated persistence mechanisms, and reduced the likelihood of recurrence.

Transform

Provided hardening recommendations to transform the client's security posture, with actionable steps to close the gaps the investigation exposed.

“Following Unit 42’s actions, our environment is now stable, secure, and under close monitoring. We’re beyond grateful for the quick support, collaboration, and detailed guidance throughout this engagement and recovery process.”

– Head of InfoSec


Resolution Timeline


Days 0 – 1
Crisis Intervention

Client detected malware alerts and engaged Unit 42 to assess the initial situation and plan the investigation.

Determined on the scoping call that the threat actor had exploited a web application vulnerability and deployed numerous web shells in the environment.

Client isolated the affected servers, preventing immediate further compromise.

Days 2 – 6
Containment

Identified IoCs, use of privilege escalation tools, and network scanning activity.

Identified use of LOTL (living-off-the-land) tools, a brute-force attack on an employee account, credential dumping, and data exfiltration.

Tracked data exfiltration and persistence mechanisms, and correlated the activity with a known threat actor (TA).

Day 7
Restoration

Completed remediation of an exposed port, then removed the web shells and the newly created user account.

Restored business-critical operations in 7 days.

Began providing hardening recommendations.


Threat-informed Incident Response

With Unit 42 Incident Response, stay ahead of threats and out of the news. Investigate, contain, and recover from incidents faster and emerge stronger than ever before, backed by the full power of the world’s leading cybersecurity company. Contact us to gain peace of mind.

Backed by the Industry’s Best

  • Threat Intel

    Extensive telemetry and intelligence for accelerated investigation and remediation.

  • Technology

    Palo Alto Networks platform for in-depth visibility to find, contain, and eliminate threats faster, with limited disruption.

  • Experience

    Trusted experts who mobilize quickly and act decisively in over 1K incidents per year.