Beware of What Is Lurking in the Shadows of Your IT

IBM Security X-Force traced an entrenched adversary that maintained access to two organizations for 381 days via a Shadow IT bridged network, pivoting across a multi-domain forest and evading visibility with a rogue networking device. The findings highlight Shadow IT as a persistent risk that requires a holistic prevention, detection, and response strategy.
#ShadowIT #XForce #IBMSecurity

Key points

  • Shadow IT bridged network enabled long-term access across a multi-domain forest, including root and child domains.
  • A rogue networking device was installed to share badge printing capabilities between the client and another organization, enabling covert connectivity.
  • The bridged network existed outside the visibility of both security teams, creating blind spots that allowed pivoting and persistence.
  • Evidence showed the adversary pivoted from the forest root domain to another child domain, maintaining persistence for an extended period.
  • Despite containment within a single domain, the attack demonstrated potential to affect the broader forest if not detected.
  • IBM X-Force advocates a prevention, detection, and response strategy for Shadow IT and offers services to improve preparedness and incident response.

MITRE Techniques

  • [T1199] Trusted Relationship – The adversary pivoted from the forest root domain to a child domain and maintained persistence across domains. ‘pivoted throughout the entire forest to execute the attack.’
  • [T1021] Remote Services – The attacker pivoted across the domains of the forest to move laterally between systems. ‘pivoted throughout the entire forest to execute the attack.’
  • [T1078] Valid Accounts – The adversary maintained persistent access for 381 days. ‘persistence access for 381 days.’

Indicators of Compromise

  • [Device/Infrastructure] Rogue networking device – installed to share badge printing capabilities between the client and another organization
  • [IP Address / Network Range] Unknown IP range – used by the adversary to return to the environment; not known to the client’s IT department
  • [Domain] Forest root domain / child domain – evidence of pivot across domain boundaries (root and child domains)

Read more: https://securityintelligence.com/posts/beware-lurking-shadows-it/