Security

Case Study: Zip Security & Observa defend SaaS company against malware tied to Russia

CrowdStrike and Managed Detection & Response (MDR), deployed and configured through the Zip Security platform, protect company from data exfiltration and credential theft malware.
Written by
Anne Maguire
Published on
October 18, 2024

Cyber attacks are more frequent and sophisticated than ever, making it important for businesses of all sizes and sectors to protect themselves with industry-standard tooling. Proper protection can thwart attacks from the get-go, ensuring businesses stay safe from disruption.

An employee at a Zip Security and Observa client was recently targeted by a malvertising campaign, unknowingly downloading malware designed for data exfiltration and credential theft. CrowdStrike swiftly neutralized the threat, and a Managed Detection & Response (MDR) team isolated the device, preventing any client impact. These tools were deployed and managed through the Zip platform with oversight from Observa.

Read more about the incident below, and how Observa and Zip partner together to improve enterprise security.

Incident Overview: EDR & MDR immediately respond to malware threat

Situation

An employee at a Zip and Observa client was targeted by a malvertising campaign, similar to a case observed by Malwarebytes Labs.

While attempting to download a popular utility application, the employee clicked on a fake advertisement featuring the application’s official logo, website, and detailed description. They were directed to a decoy site spoofing the official site, where they downloaded malware instead of the popular application.

Ad at top is from a fraudulent advertiser (source)

Action

EDR and MDR deployed and managed through Zip’s platform immediately responded to the threat.

  • CrowdStrike (EDR) killed the process upon detection before any remote connections could be established
  • Managed Detection & Response (MDR) placed the host into network isolation

Impact

Due to the immediate detection and neutralization of the threat, there was no client impact. Zip had the client wipe the affected device in the Zip platform as a precaution.

Zip and the MDR team completed a root cause analysis (RCA) to better understand the impact had the malware not been intercepted. The RCA found that the malware featured a malicious script designed for data exfiltration and credential theft. Specifically, the macOS AppleScript targets:

  • Browser cookies, login credentials, and history from internet browsers
  • Telegram data from local storage
  • User passwords, by prompting the user with fake system dialogs
  • Files related to cryptocurrency wallets, private keys, and documents

The script connects to an IP address registered in Russia and limits data exfiltration to 10MB per session to avoid detection.
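As an added example (not code from Zip, Observa or CrowdStrike), the detection heuristics below mirror the RCA findings: a scripting interpreter raising a hidden-answer password dialog, reading browser, Telegram or wallet data, and then sending bulk traffic outbound. The telemetry schema, process names, file paths and the 1 MB threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry (assumed schema); one dict per event.
SAMPLE_EVENTS = [
    {"host": "mac-01", "type": "process", "proc": "osascript",
     "cmd": "osascript -e 'display dialog \"macOS needs your password\" default answer \"\" with hidden answer'"},
    {"host": "mac-01", "type": "file", "proc": "osascript",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"host": "mac-01", "type": "file", "proc": "osascript",
     "path": "/Users/alice/Library/Application Support/Telegram Desktop/tdata/settings"},
    {"host": "mac-01", "type": "net", "proc": "osascript", "dst": "203.0.113.10",
     "bytes_out": 10 * 1024 * 1024},
    {"host": "mac-02", "type": "process", "proc": "osascript",
     "cmd": "osascript -e 'display notification \"Backup finished\"'"},
]

SCRIPT_HOSTS = {"osascript", "bash", "zsh", "sh", "python3", "curl"}  # assumed interpreter set
FAKE_DIALOG = re.compile(r"display dialog.*with hidden answer", re.I)  # password-style prompt
SENSITIVE = [  # assumed locations of the data classes named in the RCA
    re.compile(r"Application Support/.*(Chrome|Chromium|Brave).*(Cookies|Login Data|History)$"),
    re.compile(r"Application Support/Firefox/Profiles/.*(cookies\.sqlite|logins\.json|places\.sqlite)$"),
    re.compile(r"Application Support/Telegram Desktop/"),
    re.compile(r"wallet|keystore|\.pem$|\.key$", re.I),
]
EXFIL_BYTES = 1 * 1024 * 1024  # assumed threshold; the RCA saw sessions capped at 10 MB

def findings_per_host(events):
    """Group events by host and return the matched indicators for each host."""
    out = defaultdict(list)
    for e in events:
        if e["proc"] not in SCRIPT_HOSTS:
            continue
        if e["type"] == "process" and FAKE_DIALOG.search(e.get("cmd", "")):
            out[e["host"]].append("fake_password_dialog")
        elif e["type"] == "file" and any(p.search(e["path"]) for p in SENSITIVE):
            out[e["host"]].append("sensitive_file_read")
        elif e["type"] == "net" and e.get("bytes_out", 0) >= EXFIL_BYTES:
            out[e["host"]].append(f"bulk_outbound:{e['dst']}")
    return dict(out)

def verdict(findings):
    """Dialog + sensitive read + bulk outbound is the full stealer chain: isolate the host."""
    kinds = {f.split(":")[0] for f in findings}
    if {"fake_password_dialog", "sensitive_file_read", "bulk_outbound"} <= kinds:
        return "isolate"
    return "investigate" if kinds else "clean"

if __name__ == "__main__":
    for host, f in findings_per_host(SAMPLE_EVENTS).items():
        print(host, verdict(f), f)
```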

Observa & Zip partner together to stand up enterprise security

Observa is a boutique consulting firm that helps startups build and run security programs that scale. They focus on product security, enterprise security, governance, risk, and compliance.

Zip Security is Observa’s preferred partner for enterprise security. Zip’s software automates deployment, configuration, and management of industry-leading tools, enabling Observa to quickly stand up comprehensive security strategies.

Visit our website to get started with Zip Security today or to learn more about partnership opportunities.
