Our red team discovered and successfully tested the following technique on enterprise business systems.


The inflicted damage is critical and hard to detect: we were only able to detect it using our novelty detection engine.

It does not quite match any existing Impact technique in ATT&CK, so we describe it below in ATT&CK form. It is particularly relevant for complex software:

(Sub-)Technique Name:

Application progressive corruption

Tactic:

Impact

Platform:

Linux, Windows, macOS

Required Permissions:

Administrator, SYSTEM, User, root

Related technique: Inhibit System Recovery (T1490)

Description: Main business systems are highly complex and consist of thousands of files, in particular software built around its own development model (it is common for ERPs to maintain huge numbers of files). Slowly corrupting those files results in the progressive destruction of the system. If the corruption process is gradual enough, the induced faults are mistaken for ordinary bugs and handled as such (tickets, patches, restarts) while the damage keeps accumulating.

This attack requires administrator access to the underlying server, but many advanced business applications ship their own integrated development environment and language (ABAP, L4G…), which allows it to be perpetrated with a software consultant user rather than an OS administrator.

Such malware is comparable to ransomware in that the damage can be reversed, provided the corruption method is known: for example, invertible operations (XOR with a mask, bit flips) on bytes chosen by a pseudo-random generator with a known seed. Replaying the same seed regenerates the same positions and masks and undoes the changes. A non-invertible operation such as an overwrite cannot be undone this way and turns the technique into pure destruction.
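The following is an added lab model of the technique, not the red team's tooling or any real malware: seeded, invertible XOR corruption applied in small rounds to an in-memory byte string, together with the reversal that a known seed makes possible and a simple change-profile heuristic (an assumed "number of scattered change regions" threshold) that a file-integrity monitor could use to separate this pattern from an ordinary edit. The sample file content and the threshold value are constructed for the example; nothing touches the filesystem.

```python
"""Lab model of application progressive corruption (added example).

Seeded, invertible byte corruption applied in rounds, plus a change-profile
heuristic a file-integrity monitor could use to tell it apart from an
ordinary edit. Everything runs on an in-memory byte string.
"""
import random

# Constructed sample "application file": 4096 bytes of structured content.
SAMPLE = bytes(range(256)) * 16


def corrupt_round(data: bytes, seed: int, count: int) -> bytes:
    """XOR `count` distinct, PRNG-chosen byte positions with PRNG-chosen masks.

    Both the positions and the masks come from random.Random(seed), so the
    same (seed, count) pair regenerates the same changes. Because XOR is its
    own inverse, applying the round a second time restores the input.
    """
    buf = bytearray(data)
    rng = random.Random(seed)
    positions = rng.sample(range(len(buf)), count)   # distinct positions
    for pos in positions:
        buf[pos] ^= rng.randrange(1, 256)            # non-zero mask: byte always changes
    return bytes(buf)


def progressive_corruption(data: bytes, base_seed: int, rounds: int, per_round: int) -> bytes:
    """Apply `rounds` small rounds, each keyed by base_seed + round index.

    Spreading the damage over many small rounds is what makes the faults look
    like ordinary software bugs rather than a single destructive event.
    """
    for r in range(rounds):
        data = corrupt_round(data, base_seed + r, per_round)
    return data


def reverse_corruption(data: bytes, base_seed: int, rounds: int, per_round: int) -> bytes:
    """Undo progressive_corruption.

    XOR rounds commute, so replaying them with the original seeds cancels
    every change. Without the seed the positions and masks are unknown and
    the data cannot be recovered by this route.
    """
    return progressive_corruption(data, base_seed, rounds, per_round)


def change_profile(old: bytes, new: bytes) -> tuple:
    """Return (changed_bytes, runs) between two same-length versions of a file.

    `runs` is the number of contiguous changed regions. A human edit or a
    vendor patch typically touches one or a few regions; seeded random
    corruption produces many isolated changes scattered over the whole file.
    That scatter is the "unusual pattern" a detection rule can key on.
    """
    assert len(old) == len(new), "profile only defined for same-length versions"
    changed = 0
    runs = 0
    prev_changed = False
    for a, b in zip(old, new):
        differs = a != b
        changed += int(differs)
        if differs and not prev_changed:
            runs += 1
        prev_changed = differs
    return changed, runs


def looks_like_corruption(old: bytes, new: bytes, max_runs: int = 3) -> bool:
    """Assumed heuristic (threshold to be tuned per environment): flag a
    modification whose changes are split into more than `max_runs` regions."""
    _, runs = change_profile(old, new)
    return runs > max_runs


if __name__ == "__main__":
    damaged = progressive_corruption(SAMPLE, base_seed=1234, rounds=5, per_round=4)
    print("bytes changed / runs:", change_profile(SAMPLE, damaged))
    print("flagged as corruption:", looks_like_corruption(SAMPLE, damaged))
    print("restored with seed:", reverse_corruption(damaged, 1234, 5, 4) == SAMPLE)
    # An ordinary edit: one contiguous region rewritten.
    edited = SAMPLE[:100] + b"PATCHED" + SAMPLE[107:]
    print("ordinary edit flagged:", looks_like_corruption(SAMPLE, edited))
```

The detection side only works against a trusted baseline: the heuristic compares a known-good copy (or its per-file digests) with the current file, so a file-integrity baseline taken before the attack started is the prerequisite, and files that are never legitimately edited in production are the cheapest ones to watch.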

Detection:

ID      Data Source   Data Component      Detects
        File          File Modification   Unusual patterns in modified files (many small, scattered byte-level changes, including in files that are not normally edited) may alert

Mitigation:

ID      Mitigation    Description
M1053   Data Backup   Backups must predate the start of the corruption: because the damage accumulates slowly, recent backups may already contain corrupted files, so retain older generations and verify restored files against a known-good baseline.