Rogue Contractor Exposes Financial Organization

The Network: A financial services firm headquartered on the U.S. East Coast with several hundred servers and workstations.

The Expectation: Temporary staff is needed to handle a surge of work in the IT department. Such “experts” can be brought on the payroll on an as-needed basis for short periods of time and for specific tasks.

The Catch: Netsurion’s EventTracker detected the modification of a specific registry key on two servers, one hosting a back-end MS SQL server and the other a web-based front end with an application. The specific key was HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel. This has been called The Most Misunderstood Windows Security Setting of All Time. The setting takes effect on the next reboot.

The Find: A contract employee hired by the IT department and provided Administrator privileges had been unhappy with the early termination of his contract and installed malware to eavesdrop on traffic between the front-end and back-end systems. The former staffer wanted to “punish” his employer for perceived wrongs; unauthorized access could also lead to more dangerous and malicious actions by the terminated contractor.

The Fix: Restore the registry key setting to its desired level (which is 5). Look for other administrative actions performed by the contract employee for evidence of improper behavior.

The Lesson: Stealing valid credentials is at the top of every attacker’s to-do list. It allows outsiders to masquerade as insiders. Critical registry settings such as LmCompatibilityLevel must be monitored 24/7/365 by the Netsurion SOC on high-value assets.
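Detection logic of the kind the Catch and Lesson paragraphs describe, as an added example (Python, not Netsurion's or EventTracker's code): it scans constructed Windows Security Event ID 4657 (“A registry value was modified”) records for changes to LmCompatibilityLevel under the LSA key and rates any new value below the expected 5 as a downgrade. The flattened key=value export format, host names and user names are assumptions.

```python
import re

# Constructed, flattened Security log records (Event ID 4657). Assumption: the SIEM
# exports each event as space-separated key=value pairs. 4657 is only generated when
# registry object-access auditing is enabled and a SACL is set on the key.
SAMPLE_EVENTS = [
    r"EventID=4657 Computer=SQL01 SubjectUserName=contractor01 ObjectName=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa ObjectValueName=LmCompatibilityLevel OldValue=5 NewValue=0",
    r"EventID=4657 Computer=WEB01 SubjectUserName=contractor01 ObjectName=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa ObjectValueName=LmCompatibilityLevel OldValue=5 NewValue=2",
    r"EventID=4657 Computer=WEB01 SubjectUserName=svc_deploy ObjectName=\REGISTRY\MACHINE\SOFTWARE\ExampleApp ObjectValueName=Version OldValue=3 NewValue=4",
    r"EventID=4657 Computer=DC01 SubjectUserName=admin ObjectName=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa ObjectValueName=LmCompatibilityLevel OldValue=3 NewValue=5",
]

EXPECTED_LEVEL = 5  # the desired setting named in "The Fix"

# The audited path shows the concrete control set (CurrentControlSet is a symbolic link
# to ControlSet00N), so match either form of the LSA key.
LSA_KEY_RE = re.compile(r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Control\\Lsa$", re.IGNORECASE)


def parse_event(line):
    """Split one flattened record into a dict of field -> value."""
    return dict(tok.split("=", 1) for tok in line.split())


def check_lm_event(event, expected=EXPECTED_LEVEL):
    """Return an alert dict if the event changes LmCompatibilityLevel under the LSA key,
    else None. A value below `expected` (or one we cannot parse) is rated high; a change
    to `expected` is kept as informational so rollbacks remain visible in the timeline."""
    if event.get("EventID") != "4657":
        return None
    if event.get("ObjectValueName", "").lower() != "lmcompatibilitylevel":
        return None
    if not LSA_KEY_RE.search(event.get("ObjectName", "")):
        return None
    try:
        new = int(event.get("NewValue", ""), 0)  # base 0 accepts decimal or 0x-hex exports
    except ValueError:
        new = None
    severity = "high" if new is None or new < expected else "info"
    return {"host": event.get("Computer"), "user": event.get("SubjectUserName"),
            "old": event.get("OldValue"), "new": new, "severity": severity}


def find_alerts(lines):
    """Run the check over a batch of exported records and collect the alerts."""
    return [a for a in (check_lm_event(parse_event(l)) for l in lines) if a]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```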