Stroz Friedberg was contacted by a global Internet services company when the firm’s intrusion detection system sent out an alert that a spell-check file on one of its webmail servers was being accessed by an IP address in Asia. The metadata embedded in the compromised web page indicated that the access was made through a dormant domain account protected by a strong password. Stroz Friedberg was called in to perform a more in-depth forensic analysis and computer security threat assessment, and to determine how the domain user account was compromised despite the strength of the domain password, as well as why the attacker was accessing a lowly spell-check page.
Stroz Friedberg’s forensic analysis showed that the intrusion went far deeper than was originally thought. Specifically, the spell-check page was discovered to be a live “backdoor” that served up a command line to the intruder, allowing him to run commands against the e-mail server. We were able to date the installation of the backdoor and recover forensic fragments of the intruder’s access to specific corporate e-mail accounts. This enabled the Stroz Friedberg team to answer management’s questions about how long the intruder had access and what e-mail he had read. The team also found hacker tools stashed on the server, including password-cracking and anti-forensics applications. All of these tools were eradicated and the backdoor closed.
Given the strength of the password to the dormant account that was used to access the disguised spell-check page, the company was concerned that an insider with knowledge of the password was responsible and was attempting to make the intrusion appear as though it was originating in Asia. Stroz Friedberg forensically imaged all of the computers used by the relevant insiders and analyzed the machines for access to the Asian IP address, the fake spell-check page, the compromised e-mail content, and the hacking tools. All of those searches proved negative, resulting in the insiders being ruled out as subjects. Stroz Friedberg’s detailed examination of the hacking tools, when correlated with Internet research, showed that the author of the tools was a well-known Asian hacker, further supporting the conclusion that no insiders were involved.
Finally, Stroz Friedberg ran searches for the hacker tools, the spell-check page (or similar pages), and the Asian IP address across all of the company’s other public-facing servers to make sure that other machines were not similarly compromised.
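The fleet-wide sweep described above can be partly automated against web-server access logs. The following is an added example, not Stroz Friedberg's tooling or anything from the case; the backdoor path, attacker IP address and sample log lines are constructed placeholders, and the log format is assumed to be Common Log Format.

```python
# Added example: hunt access logs for the three indicators from the case:
# hits on the known backdoor page, any activity from the attacker IP, and
# look-alike "spell-check" scripts at other paths. Not the firm's own code.
import re
from collections import defaultdict

# Constructed placeholder indicators (the case does not publish the real ones).
BACKDOOR_PATH = "/mail/spellcheck.asp"
ATTACKER_IP = "198.51.100.23"   # RFC 5737 documentation address, not a real attacker

# Common Log Format: host ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def scan_access_log(lines):
    """Return hits keyed by indicator type: who touched the backdoor page,
    what the attacker IP touched, and which other paths look like copycat pages."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparsable lines rather than abort the sweep
        ip, path, status = m["ip"], m["path"], int(m["status"])
        base = path.split("?", 1)[0]   # strip query string before path comparison
        if base == BACKDOOR_PATH:
            hits["backdoor_access"].append((ip, m["time"], status))
        if ip == ATTACKER_IP:
            hits["attacker_ip"].append((path, m["time"], status))
        # "similar pages": spell-check-named scripts at paths other than the known one
        if base != BACKDOOR_PATH and re.search(r"spell.?check.*\.(asp|aspx|php|jsp)$", base, re.I):
            hits["lookalike_page"].append((ip, path))
    return dict(hits)

# Constructed sample log lines so the script runs stand-alone.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Oct/2004:13:55:36 -0700] "GET /mail/spellcheck.asp?cmd=dir HTTP/1.1" 200 2326',
    '203.0.113.7 - - [10/Oct/2004:13:56:01 -0700] "GET /mail/inbox.asp HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/Oct/2004:13:57:12 -0700] "GET /mail/inbox.asp?acct=ceo HTTP/1.1" 200 8844',
    '203.0.113.9 - - [11/Oct/2004:02:14:00 -0700] "POST /owa/spell_check2.aspx HTTP/1.1" 200 310',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for kind, entries in scan_access_log(SAMPLE_LOG).items():
        print(kind, entries)
```

Run against the logs of every public-facing server, the `lookalike_page` bucket is the one that surfaces copies of the backdoor planted under a different name.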