Predatar is all about recovery readiness. Our unique Recovery Assurance Software and CleanRoom technology have been designed to validate the recoverability and cleanliness of your data before a crisis hits. But Predatar has an extra superpower. And it’s huge!
This week, Predatar uncovered a live and potentially very serious cyberattack in the early stages – inside a customer’s IT environment. By raising the alarm, the infrastructure and cyber security teams in the target organisation were able to take action – and stop the attack in its tracks.
The Target Organisation
The target of the cyberattack is a local government organisation in Austria. Predatar Recovery Assurance software and a Predatar CleanRoom were deployed around a year ago to continually validate immutable snapshots of their most important business systems – which are running on IBM FlashSystems. If these systems went offline, services that citizens rely on would be seriously disrupted, including public transport, law enforcement, emergency response and more.
What Happened?
During a routine scheduled scan, Predatar uncovered malware inside a snapshot that had not previously been detected anywhere else in the customer’s IT environment.
As usual, Predatar began to clean the malware from the snapshot and immediately raised an alert with both the infrastructure and cyber security teams within the customer organisation.
Further investigation quickly revealed that the malware posed a real and very imminent threat.
The Attack
Thanks to the built-in Trend Micro cyber security tools, Predatar had found hacking tools on a virtual machine within a snapshot. The VM didn’t contain business-critical data and was considered by the customer to be a low-priority workload. As a result, it didn’t have the same security protocols as other, more critical workloads, and patching best practices hadn’t been maintained.
The malware that was uncovered included ‘tunnelling’ tools designed to help hackers achieve lateral movement within an IT environment. It quickly became evident to the team investigating the threat that hackers were actively using this unassuming Linux server as a ‘jump box’ to access more critical systems.
Thanks to Predatar, the customer was able to take the compromised system offline, execute forensic analysis of their networks to understand if the hackers had managed to gain access to other systems, and contain the threat.
Boom Avoided
The moment that attackers ‘activate’ a cyberattack is often referred to as ‘The Boom.’ That’s when data becomes encrypted, users are locked out, and systems go offline. But cyberattacks don’t happen instantly. Typically, attackers have access to IT systems for at least 14 days before they activate the attack. During this ‘Pre-Boom’ phase attackers deploy specialised tools to gain access to as many systems as possible, to elevate their privileges, and to lay the groundwork for maximum damage.
By identifying an attack in the ‘Pre-Boom’ phase, Predatar was able to avoid a ‘Boom’ event altogether.
The Predatar Superpower
First and foremost, Predatar is designed to give its users total confidence in their ability to execute a fast, clean and complete recovery. While threat detection is not the primary purpose of Predatar, it’s an extremely valuable superpower!
Is a ‘Boom’ coming in your organisation?
Join our next webcast, ‘Stop the Boom… Before it Happens’ to learn more about the timeline of cyberattacks, and how you can stop them before the critical ‘Boom’ moment.