A medical research laboratory was alerted by its anti-virus software to the presence of a Trojan horse program (malware) on one of its internet-facing web servers. First Response was instructed to examine the system to determine whether any user data had been lost. Analysis of the server log files showed that the server had been under attack for the best part of a year, and that it had first been compromised a few months after those attacks began.
The malware that triggered the detection was very old. Six further instances of more recent malware were also present but had not been detected by the AV software, which is common: signature-based detection typically catches the oldest tool an attacker left behind, not the latest. Analysis of the log files showed clear evidence of attempted SQL injection attacks, but because those attempts were unskilled, they were unsuccessful.
Our analysis showed that the server's user login database had been exfiltrated to an IP address in Romania. A subsequent audit of the user database revealed seven administrator-level accounts that nobody at the laboratory recognised. The attackers had gained access to all of the data on the server and had copied all of it, several times, over a period of months.
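The two findings above (injection attempts visible in the web server logs, and administrator accounts nobody recognised) are the kind of thing a first responder checks by script rather than by eye. The following is an added Python example written for this page; it is not First Response's tooling and nothing in it comes from the case. The Apache-style log lines, IP addresses, injection signatures and account names are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format. The IP addresses
# are documentation ranges (RFC 5737) and the requests are invented.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2012:10:14:02 +0000] "GET /login.php?user=admin'%20OR%20'1'%3D'1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2012:10:14:05 +0000] "GET /search.php?q=test'%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2012:10:20:11 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2012:10:21:40 +0000] "GET /search.php?q=1;%20DROP%20TABLE%20users HTTP/1.1" 500 0 "-" "sqlmap/1.0"
"""

# Parser for the combined log format (assumed format; adjust for your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Crude signatures for the unskilled, automated probes the case describes.
# They are deliberately simple: a real engagement would use a larger set and
# also look at POST bodies, which access logs do not record.
SQLI_PATTERNS = {
    "quote-or-quote tautology": re.compile(r"'\s*or\s*'", re.I),
    "union select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),
    "stacked statement": re.compile(r";\s*(drop|delete|insert|update)\b", re.I),
    "sql comment terminator": re.compile(r"(--|#|/\*)\s*$"),
    "time-based probe": re.compile(r"\b(sleep|benchmark|waitfor)\s*\(", re.I),
}

# User-agent fragments of common injection scanners (hypothetical short list).
SCANNER_UAS = ("sqlmap", "havij", "nikto")


def find_sqli_attempts(log_text):
    """Return one record per log line that looks like an injection attempt.

    The request path is percent-decoded before matching so that encoded
    quotes and spaces (%27, %20) do not hide the signature.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line; keep going, note it elsewhere
        decoded_path = unquote(m.group("path"))
        reasons = [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded_path)]
        ua = m.group("ua").lower()
        reasons += [f"scanner user-agent: {s}" for s in SCANNER_UAS if s in ua]
        if reasons:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": decoded_path,
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return hits


def unknown_admin_accounts(observed_admins, expected_admins):
    """Return administrator accounts present on the system but absent from
    the list the owners can vouch for, sorted for stable reporting."""
    return sorted(set(observed_admins) - set(expected_admins))


if __name__ == "__main__":
    for hit in find_sqli_attempts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {hit["path"]!r}: {", ".join(hit["reasons"])}')
    # Constructed account lists: what the audit found versus what IT recognised.
    print("unknown admins:", unknown_admin_accounts(
        ["root", "webadmin", "dbadmin", "sysop"], ["root", "webadmin"]))
```

A 500 response to a probe is worth a second look, as it usually means the input reached the database layer, and a 200 with an unexpectedly large response size means the probe may have succeeded. In the case above the probes failed; the account audit, not the log, is what exposed the compromise.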
This compromise led to the loss of valuable research data, a requirement to report the loss of the user database to the Information Commissioner's Office (ICO), and the reputational damage of having to tell the user population that their accounts had been compromised and that a password reset was required. The exposure was serious because each user who logged in had been submitting sensitive personal data about their medical conditions as part of the research the laboratory was carrying out.
After this compromise, the client completely rebuilt this and several other servers, began a Forensic Readiness Planning process with us and put in place a series of new policies and procedures to ensure that the integrity of their server infrastructure is maintained.
Whilst this case study may seem quite bad (it is!), it is also very common and reflects the typical incident we respond to, week after week.