Luigi's Case Study - CIS Critical Security Controls v8
Case Study Information
A Luigi's Inc. employee brought a personal laptop into the facility that was infected (albeit unknowingly) with PSL and connected it to the corporate network via a wireless access point (AP). The system obtained an IP address through Dynamic Host Configuration Protocol (DHCP) addressing provided by the core corporate network services. Upon connection, the infected system connected to the command and control server.
Once connected, the threat actor provided the command for the system to scan the local network for available services. While the user noticed the machine was running slowly, it was late on Friday before a three-day weekend. The user left the machine powered on with plans to look at it again on Tuesday. The scan identified an open File Transfer Protocol (FTP) service on the internal network that allowed anonymous access. Still using the compromised machine, the threat actor logged into the FTP server, compressed the contents, and then transferred the data to the control server (over the internet) using an encrypted outbound VPN connection.
Over the weekend, the Network Operations Center (NOC) tracked a large amount of data moving over an encrypted channel. While they could identify both the source and the destination, without the encryption keys they could not decrypt the traffic to identify the content. The destination was not on the current list of known malicious sites (the list was out of date by four months). The help desk technician opened a work ticket for local desktop services to investigate.
The user noticed the machine still acting erratically early Tuesday morning, even after a reboot. The user then called the help desk to open a ticket. The help desk technician was able to tie the IP address of this machine to the traffic identified over the weekend. When the desktop technician arrived, it was determined that the machine in question was not a corporate machine and did not have all the standard protection software. A quick scan using a boot-time tool found the PSL signature. At this point, the technician confiscated the machine for forensic investigation, and the ticket was closed.
The forensics team determined that a known malware tool named PSL had compromised the machine. They also found a temporary file, left over by the scanning, that included the directory listing of the FTP site. Many of the folders within the directory were named after previous high-value programs. These files included parts lists, price quotes, and even proprietary drawings. Included in the information were patents from the current Chief Executive Officer (Ms. J. Rabbit) as well as legal documents describing the purchasing and legal aspects of these programs.
CIS Critical Security Controls v8 Applied
The CIS Critical Security Controls (CIS Controls) Version 8 is a set of best practices and guidelines designed to help organizations improve their cybersecurity posture and protect against common cyber threats. Developed by the Center for Internet Security (CIS), these controls provide a prioritized and actionable approach to securing IT systems and data. Version 8 of the CIS Controls reflects the latest cybersecurity trends and threat landscape, consolidating and refining previous versions for better implementation.