Keylogger on MSP Endpoints

The Network: A mid-sized Managed Security Provider (MSP) uses Netsurion Managed XDR, which combines Netsurion’s 24×7 security operations center (SOC) with the Netsurion Open XDR platform, to protect its own network as well as the sensitive data and endpoints of its end clients.

The Expectation: Netsurion’s co-managed services with Extended Detection and Response (XDR) capabilities deliver end-to-end protection. The MSP is vigilant and responsible for protecting its extensive supply chain. It also understands that continuous monitoring and remediation are crucial to detect stealthy attacks by cyber criminals and reduce dwell time before a damaging data breach can occur.

The Catch: Netsurion’s SOC detected keylogging software on several of the MSP’s endpoints on the first day that Netsurion sensors were installed. Keyloggers are a serious threat to users and data privacy: they can capture every keystroke, including login credentials, intellectual property, and sensitive government data. Netsurion’s security experts found that the Conexant audio driver package shipped on certain older Hewlett-Packard (HP) machines in the MSP’s environment logs every keystroke and writes it, unencrypted, to a file in a world-readable public folder. Because that file location is well known to cyber criminals, anyone with access to the machine, including malware running as an unprivileged user, could silently harvest everything typed on it.

Netsurion’s SOC promptly notified the MSP that the Conexant audio driver logs all keystrokes on certain legacy HP machines and publishes them to a file in a public folder. Netsurion’s security analyst sent a notification email and then telephoned the MSP partner to communicate the threat and provide recommendations.

The Find: Netsurion detected the keylogging threat by combining SIEM and EDR technologies driven by an ISO-certified SOC.

  • Process Name: MicTray64.exe
  • Hash (MD5): 7296b74f9422d4a95f46830142a4c984
  • Process Location: C:\Program Files\CONEXANT\MicTray\MicTray64.exe
  • MITRE ATT&CK mapping: techniques linked to keylogging include Input Capture (T1056), Input Capture (Mobile) (T1417), and System Information Discovery (T1082).

Traditional security tools such as antivirus software failed to detect the keylogging software in the MSP’s environment.

The Fix: Netsurion’s SOC quickly notified the MSP of the keylogging threat. The identified endpoint devices were placed in lockdown mode with unsafe processes terminated until the threat could be removed by the MSP’s technical team. Once the threats were mitigated, the cleared systems were reconnected to the MSP’s administrative network. The MSP was appreciative of the timely detection immediately upon onboarding their Open XDR solution and the rapid response taken by Netsurion’s SOC.

Recommendations to mitigate this keylogger vulnerability include:

  • Identify any HP computers in your infrastructure and check whether MicTray64.exe or MicTray.exe is installed (typically under C:\Program Files\CONEXANT\MicTray\). Delete or rename the executable files so that keystrokes are no longer recorded.
  • Look for the log file at C:\Users\Public\MicTray.log. If it exists and contains data, treat any login names, passwords, banking information, and other sensitive personally identifiable information (PII) typed on that machine as exposed, and immediately change the passwords on the associated accounts.
  • If your infrastructure has legacy HP devices, update them to the most recent HP audio driver package, in which the keystroke-logging code has been removed from the Conexant executables.
  • Safelist applications that are deemed necessary for day-to-day operations. Place other applications on the unsafe list that is subject to greater scrutiny by Netsurion’s SOC.
  • Maintain your SOC call tree contact list to ensure that urgent security communications are sent to the appropriate decision makers in your organization.
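The following script walks through the first three recommendations above on a single Windows host: it looks for the MicTray executables, compares their MD5 against the hash reported by the SOC, checks whether the public log file already holds captured keystrokes, and can stop and rename the binaries. It is an added example written for this page, not code from Netsurion, HP, or Conexant. The file paths and the hash are taken from the case study; the Program Files (x86) path for 32-bit installs, the function names, and the -Neutralize switch are this example’s own assumptions. Run it from an elevated PowerShell prompt.

```powershell
<#
  Added example (not from the Netsurion case study or from HP/Conexant):
  audit a Windows host for the Conexant MicTray keystroke logger and,
  with -Neutralize, stop and rename the binaries so no further keystrokes
  are recorded. Run from an elevated PowerShell prompt.
#>
[CmdletBinding()]
param(
    [switch]$Neutralize   # rename MicTray*.exe after stopping the process
)

# Indicators from the case study. The (x86) path is an assumption for 32-bit installs.
$KnownMd5 = '7296B74F9422D4A95F46830142A4C984'
$ExePaths = @(
    'C:\Program Files\CONEXANT\MicTray\MicTray64.exe',
    'C:\Program Files\CONEXANT\MicTray\MicTray.exe',
    'C:\Program Files (x86)\CONEXANT\MicTray\MicTray.exe'
)
$LogPath  = 'C:\Users\Public\MicTray.log'

function Get-MicTrayBinary {
    # Returns one record per MicTray executable present on disk.
    foreach ($path in $ExePaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $md5  = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        $name = [IO.Path]::GetFileNameWithoutExtension($path)
        [pscustomobject]@{
            Path        = $path
            MD5         = $md5
            KnownSample = ($md5 -eq $KnownMd5)   # matches the hash seen by the SOC
            Running     = [bool](Get-Process -Name $name -ErrorAction SilentlyContinue)
        }
    }
}

function Get-MicTrayLog {
    # Reports whether keystrokes have already been written to the public log.
    if (-not (Test-Path -LiteralPath $LogPath)) { return $null }
    $item = Get-Item -LiteralPath $LogPath
    [pscustomobject]@{
        Path       = $item.FullName
        SizeBytes  = $item.Length
        LastWrite  = $item.LastWriteTime
        HasContent = ($item.Length -gt 0)
    }
}

function Disable-MicTray {
    param([Parameter(Mandatory)][string]$Path)
    # Stop the process first; a running image cannot be renamed.
    $name = [IO.Path]::GetFileNameWithoutExtension($Path)
    Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
    $newName = (Split-Path -Leaf $Path) + '.disabled'
    Rename-Item -LiteralPath $Path -NewName $newName -Force
    return (Join-Path (Split-Path -Parent $Path) $newName)
}

$binaries = @(Get-MicTrayBinary)
$log      = Get-MicTrayLog

if ($binaries.Count -eq 0 -and -not $log) {
    Write-Host "No MicTray binaries or log found on $env:COMPUTERNAME."
    exit 0
}

$binaries | Format-Table -AutoSize
if ($log) {
    $log | Format-List
    if ($log.HasContent) {
        Write-Warning 'MicTray.log is non-empty: treat credentials typed on this host as exposed and rotate them.'
    }
}

if ($Neutralize) {
    foreach ($b in $binaries) {
        $renamed = Disable-MicTray -Path $b.Path
        Write-Host "Renamed $($b.Path) -> $renamed"
    }
    # The log itself is the evidence of what was captured. Leave it in place for the
    # investigation and delete it only after the exposure has been assessed.
} else {
    Write-Host 'Re-run with -Neutralize to stop and rename the MicTray executables.'
}
```

Renaming rather than deleting keeps the binary available for later analysis, and the script deliberately does not touch MicTray.log: that file is the record of which credentials and data were exposed, so the MSP’s technical team should review it before it is removed.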

The Lesson: Cyber attackers actively exploit trusted relationships such as service provider networks, and an MSP’s endpoints are a direct path to its clients. Netsurion’s integrated SOC and Open XDR capabilities were instrumental in detecting this keystroke-logging exposure and shutting it down before it could be used against the MSP or its customers. Continuous monitoring from Netsurion provides 24×7 visibility and rapid mitigation. Learn more about how Netsurion protects organizations against advanced threats from cyber criminals.