Our red team discovered and successfully tested the following technique on enterprise business systems.
The inflicted damage is critical and hard to detect: we were only able to detect it using our novelty detection engine.
It does not quite match the following Impact ATT&CK techniques and is particularly relevant for complex software:
(Sub-)Technique Name:
Application progressive corruption
Tactic:
Impact
Platform:
Linux, Windows, macOS
Required Permissions:
Administrator, SYSTEM, User, root
Sub-techniques: Inhibit System Recovery (T1490)
Description: Main business systems are highly complex and consist of thousands of files, in particular software that is model-development oriented (it is common for ERPs to maintain huge numbers of files). A slow corruption of their files may result in the progressive destruction of the system. If the corruption process is gradual enough, the induced faults may be mistaken for ordinary issues.
This attack requires administrator access to the underlying server, but much advanced software provides its own integrated development environment and language (ABAP, L4G…), allowing it to be perpetrated with a software consultant user.
Such malware is similar to ransomware if we consider that it can be reversed when the corruption method is known (operations on randomly chosen bytes with a known seed).
Detection:
ID | Data Source | Data Component | Detects |
 | File | File Modification | Unusual patterns in modified files may alert |
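One way to act on the "unusual patterns in modified files" data component described above, as an added example that is not part of the original submission: compare a known-good snapshot with the current one and flag files whose content changed only at a few isolated byte positions while keeping the same length, which is what the slow corruption described above looks like and what a legitimate edit rarely does. The snapshots, paths and the 1% / 50% thresholds are constructed assumptions for this example.

```python
"""Classify file changes against a known-good baseline to surface slow,
scattered byte-level corruption that ordinary change review mistakes for bugs."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_change(baseline: bytes, current: bytes,
                    max_fraction: float = 0.01) -> str:
    """Return 'unchanged', 'rewritten' or 'scattered-byte-corruption'.

    Heuristic (an assumption of this example): a legitimate edit usually
    changes the file length or touches contiguous regions, whereas random
    byte operations keep the length and hit isolated positions.
    """
    if baseline == current:
        return "unchanged"
    if len(baseline) != len(current) or not baseline:
        return "rewritten"
    diffs = [i for i, (a, b) in enumerate(zip(baseline, current)) if a != b]
    # Count contiguous runs of differing bytes; many short runs = scattered.
    runs = 1 + sum(1 for j in range(1, len(diffs)) if diffs[j] != diffs[j - 1] + 1)
    isolated = runs / len(diffs) >= 0.5          # mostly single-byte touches
    sparse = len(diffs) / len(baseline) <= max_fraction
    return "scattered-byte-corruption" if (isolated and sparse) else "rewritten"


def scan(baseline: dict[str, bytes], current: dict[str, bytes]) -> dict[str, str]:
    """Compare two snapshots (path -> content); hashes short-circuit unchanged files."""
    report = {}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            report[path] = "deleted"
        elif sha256(old) == sha256(new):
            report[path] = "unchanged"
        else:
            report[path] = classify_change(old, new)
    return report


def _damage(data: bytes, positions: list[int]) -> bytes:
    """Test-data helper: flip one bit at each position to mimic scattered damage."""
    buf = bytearray(data)
    for p in positions:
        buf[p] ^= 0x01
    return bytes(buf)


# Constructed sample snapshots (not real ERP files).
BASELINE = {"src/zfi_post.abap": b"REPORT zfi_post.\n" * 20,
            "etc/app.conf": b"mode=prod\nthreads=8\n"}
CURRENT = {"src/zfi_post.abap": _damage(BASELINE["src/zfi_post.abap"], [5, 120, 250]),
           "etc/app.conf": b"mode=prod\nthreads=16\n"}   # ordinary edit: length changes
```

Running `scan(BASELINE, CURRENT)` reports the ABAP source as scattered-byte corruption and the config file as an ordinary rewrite; in practice the baseline comes from a trusted backup or file-integrity manifest, and the mitigation is to restore the flagged files from it.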
Mitigation:
ID | Mitigation | Description |
M1053 | Data Backup |