{"id":4442,"date":"2022-03-29T18:09:02","date_gmt":"2022-03-29T18:09:02","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=4442"},"modified":"2023-09-21T16:47:16","modified_gmt":"2023-09-21T16:47:16","slug":"fortgale-incident-response-eradicating-wannamine-restoring-security","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/defence\/fortgale-incident-response-eradicating-wannamine-restoring-security\/","title":{"rendered":"Eradicating WannaMine and Restoring Corporate Security"},"content":{"rendered":"\n<div class=\"wp-block-media-text alignwide has-media-on-the-right is-stacked-on-mobile\" style=\"grid-template-columns:auto 41%\"><div class=\"wp-block-media-text__content\">\n<p>In 2021, Fortgale conducted an <strong>Incident Response<\/strong> operation to eradicate the WannaMine malware from the systems of an Italian company operating in the industrial sector. The malware proliferated across several hundred systems, exploiting a variety of propagation techniques.<\/p>\n\n\n\n<p>Upon installation, <strong>WannaMine <\/strong>initiates cryptocurrency mining activities, leading to substantial disruptions in the company&#8217;s operations due to the overutilization of resources on compromised servers and workstations.<\/p>\n\n\n\n<p>Fortgale orchestrated the<strong> Incident Response activities<\/strong>, successfully eliminating the malware from the affected infrastructure.<\/p>\n<\/div><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" width=\"562\" height=\"728\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/03\/WannaMine_Incident-Response-Report.png\" alt=\"WannaMine Incident Response\" class=\"wp-image-4451 size-full\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/03\/WannaMine_Incident-Response-Report.png 562w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/03\/WannaMine_Incident-Response-Report-232x300.png 232w\" sizes=\"(max-width: 562px) 
100vw, 562px\" loading=\"lazy\" \/><\/figure><\/div>\n\n\n\n<div style=\"height:60px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-buttons alignfull is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-16018d1d wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button has-custom-width wp-block-button__width-50 has-custom-font-size is-style-outline has-medium-font-size is-style-outline--1\"><a class=\"wp-block-button__link has-white-color has-text-color has-background wp-element-button\" href=\"https:\/\/fortgale.com\/contatti\/\" style=\"border-radius:89px;background:linear-gradient(135deg,rgb(0,27,59) 0%,rgb(0,54,121) 100%)\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Get access to full Report<\/strong><\/a><\/div>\n<\/div>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n\n\n<p><strong>Key Operations Conducted by Fortgale for Incident Management:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Conduct a risk assessment to gauge the level of threat to the organization<\/li>\n\n\n\n<li>Determine the methods through which the infrastructure was compromised<\/li>\n\n\n\n<li>Map the attacker&#8217;s TTPs (Tactics, Techniques, and Procedures), which is essential for organizing an efficient and effective response<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Identification of Cyber-Criminals (Threat Actors) within the Corporate Perimeter<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Identify systems under criminal control<\/li>\n\n\n\n<li>Identify user accounts exploited for Lateral Movement within the network<\/li>\n\n\n\n<li>Determine the methods used for gaining access to the infrastructure<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Identification of the Offensive Structure (C2, IP addresses, domains)<\/h4>\n\n\n\n<h4 class=\"wp-block-heading\">Implementation of Blocks<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Limit or prevent further unauthorized access to the 
network<\/li>\n\n\n\n<li>Thwart ongoing offensive operations by the threat actors<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Identification of Compromised Systems<\/h4>\n\n\n\n<h4 class=\"wp-block-heading\">Removal of Criminal Persistence from the Company\u2019s Network<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Eliminate malware from affected systems<\/li>\n\n\n\n<li>Restore corporate IT services to full operational status<\/li>\n\n\n\n<li>Terminate communication channels (C2) utilized by the criminals<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Specialized Activities Yield Comprehensive Security Restoration<\/h3>\n\n\n\n<p>The specialized activities carried out by Fortgale enabled the complete restoration of the security status of the infrastructure in a short time frame, thereby preventing further unauthorized access by criminals to the corporate network. During the operation, other, unrelated malware infections were also found, indicating that more than one criminal group had a foothold in the network.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Characteristics of the WannaMine Worm<\/h3>\n\n\n\n<p>Unlike the other compromises found on the network, the WannaMine worm spread laterally using more than one technique: reuse of valid credentials harvested with tools such as Mimikatz and Empire modules, and exploitation of the SMBv1 vulnerability known as EternalBlue (CVE-2017-0144, fixed by Microsoft in MS17-010). That the latter still worked in 2021 means hosts on the network were exposing SMBv1 without the 2017 patch; credential reuse, meanwhile, means that patching alone would not have stopped the spread.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Scale and Scope of the Operation<\/h3>\n\n\n\n<p>Given the scale of the compromise and the worm&#8217;s propagation capabilities, Fortgale conducted an Incident Response operation across several hundred systems (both workstations and servers). 
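Eradication at this scale is driven by scripts rather than by hand, and the persistence WannaMine relies on lives in WMI event subscriptions (an __EventFilter that decides when to fire, an __EventConsumer that runs the payload, and a __FilterToConsumerBinding that joins them). The following PowerShell script is an added example, not Fortgale's own tooling and not taken from the report: it enumerates every such binding on a host, flags the ones whose payload or trigger query matches a set of indicator strings, and removes the flagged objects on request. The script name Find-WmiPersistence.ps1 and both indicator lists are assumptions for illustration; replace them with the IOCs from your own investigation.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not Fortgale's script and not from the report): hunt for, and
  optionally remove, WMI event-subscription persistence of the kind WannaMine
  uses. Review every hit before removing: Windows itself ships legitimate
  subscriptions in root\subscription (e.g. the SCM Event Log filter/consumer).
  Usage:  .\Find-WmiPersistence.ps1            # report only (default)
          .\Find-WmiPersistence.ps1 -Remove    # delete flagged objects
          .\Find-WmiPersistence.ps1 -Remove -WhatIf
#>
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

$Namespace = 'root/subscription'

# Substrings in a consumer payload that warrant a closer look.
# Assumed, illustrative list; tune it to the IOCs from your own case.
$SuspiciousPayload = 'powershell', '-enc', '-e ', 'frombase64string',
                     'downloadstring', 'iex', 'invoke-expression', 'mimikatz'

# Polling a perf counter for a system-uptime window instead of waiting for a
# documented product event is a trigger pattern reported in public WannaMine
# analyses. Assumed list as well.
$SuspiciousQuery = 'win32_perfformatteddata_perfos_system', 'systemuptime'

function Get-RefName {
    # CIM cmdlets return reference properties as CimInstance objects; the
    # legacy WMI form is a string such as __EventFilter.Name="X". Handle both.
    param($Ref)
    if ($Ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return $Ref.Name }
    if ("$Ref" -match 'Name="([^"]+)"') { return $Matches[1] }
    return "$Ref"
}

function Get-WmiPersistence {
    $filters   = Get-CimInstance -Namespace $Namespace -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1

        # CommandLineEventConsumer carries CommandLineTemplate,
        # ActiveScriptEventConsumer carries ScriptText; the log and SMTP
        # consumer classes carry neither and yield an empty payload here.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   elseif ($c.ScriptText)      { $c.ScriptText }
                   else                         { '' }

        $reasons = @()
        foreach ($s in $SuspiciousPayload) {
            if ($payload.ToLower().Contains($s)) { $reasons += "payload:$s" }
        }
        foreach ($s in $SuspiciousQuery) {
            if ("$($f.Query)".ToLower().Contains($s)) { $reasons += "query:$s" }
        }

        [pscustomobject]@{
            Filter        = $fName
            Query         = $f.Query
            ConsumerClass = $c.CimClass.CimClassName
            Consumer      = $cName
            Payload       = $payload
            Suspicious    = $reasons.Count -gt 0
            Reasons       = $reasons -join ','
            # Binding first, then consumer, then filter: kept for removal order.
            _Objects      = @($b, $c, $f)
        }
    }
}

$hits = Get-WmiPersistence
$hits | Format-Table Filter, ConsumerClass, Suspicious, Reasons -AutoSize

if ($Remove) {
    foreach ($h in $hits | Where-Object Suspicious) {
        if ($PSCmdlet.ShouldProcess("$($h.Filter) -> $($h.Consumer)", 'Remove WMI subscription')) {
            # Removing the binding first stops the consumer from firing while
            # the rest is deleted; nulls come from dangling references.
            foreach ($o in $h._Objects) { if ($o) { Remove-CimInstance -InputObject $o } }
        }
    }
}
```

Run it first without -Remove and read the Query and Payload columns of every row, flagged or not: the indicator lists are deliberately narrow, and a consumer that launches an unfamiliar binary with no keyword match is still worth a look. Across a fleet the same script can be pushed with Invoke-Command -FilePath to a list of hosts, which is the kind of scripted, API-driven sweep the operation above describes; note that WMI event subscriptions are also a persistence point for legitimate management software, so removal should be tied to an indicator, never to the mere existence of a subscription.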
The operation used Python scripts driving the APIs of cloud-based security tools to remove the malware definitively from every one of the company&#8217;s systems.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Specific Measures Taken by Fortgale Analysts<\/h3>\n\n\n\n<p>Specifically, Fortgale analysts removed the WMI (Windows Management Instrumentation) objects that the malware used to maintain persistence. These objects had not triggered any security alert, so an alert-driven clean-up alone would not have found them.<\/p>\n\n\n\n<p>(The specific WMI objects removed are not listed in this post.)<\/p>\n\n\n\n<p>By rigorously executing these activities, Fortgale successfully restored the compromised infrastructure to full operational status while mitigating the risk of future breaches.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"439\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2022\/03\/image-10-1024x439.png\" alt=\"\" class=\"wp-image-4447\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/03\/image-10-1024x439.png 1024w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/03\/image-10-300x129.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/03\/image-10-768x329.png 768w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/03\/image-10.png 1078w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-center\" id=\"h-how-to-defend-fortgale-mdr\"><a href=\"https:\/\/fortgale.com\">How to defend? Fortgale MDR!<\/a><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Necessity for Specialized Skills in Defensive and Offensive Maneuvers<\/h3>\n\n\n\n<p>Against offensive tactics of this kind, it is crucial to employ specialized expertise in both the defensive and the offensive domain. 
Fortgale engages in Cyber Defence activities, safeguarding companies across various sectors and revenue scales by performing tasks such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Security Monitoring<\/strong><\/li>\n\n\n\n<li><strong>Malware Analysis<\/strong><\/li>\n\n\n\n<li><strong>Threat Hunting<\/strong><\/li>\n\n\n\n<li><strong>Incident Response<\/strong><\/li>\n<\/ul>\n\n\n\n<p>The specialized nature of Fortgale&#8217;s Cyber Defence services enables the company to address a broad spectrum of cybersecurity challenges, reinforcing the operational and informational integrity of client enterprises.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-5590e8cb wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button has-custom-width wp-block-button__width-75\"><a class=\"wp-block-button__link has-background wp-element-button\" href=\"https:\/\/fortgale.com\" style=\"border-radius:14px;background:linear-gradient(135deg,rgb(0,27,59) 0%,rgb(0,54,121) 100%)\">Contact us<\/a><\/div>\n<\/div>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n","protected":false},"excerpt":{"rendered":"<p>In 2021, Fortgale conducted an Incident Response operation to eradicate the WannaMine malware from the systems of an Italian company operating in the industrial sector. The malware proliferated across several hundred systems, exploiting a variety of propagation techniques. 
Upon installation, WannaMine initiates cryptocurrency mining activities, leading to substantial disruptions in the company&#8217;s operations due to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":7196,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1497],"tags":[461,463,434,462,387,433],"class_list":["post-4442","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-defence","tag-ciso","tag-cto","tag-incident-report","tag-it-manager","tag-wannamine","tag-worm"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4442","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=4442"}],"version-history":[{"count":42,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4442\/revisions"}],"predecessor-version":[{"id":7198,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4442\/revisions\/7198"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/7196"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=4442"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=4442"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=4442"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}