The Network: A bank serving multiple states on the U.S. East Coast with a headquarters and several dozen branch offices; 500+ servers and 2,000+ workstations.
The Expectation: The bank buys its computer systems from reputable manufacturers, who are assumed to deliver clean systems.
The Catch: The unknown-process feature of the EventTracker Windows sensor raised a first-time-seen alert for the HP Touchpoint Analytics Client. The program had been installed by a system account, not by a logged-on user.
The Find: HP describes it as: "A service we have offered since 2014 as part of the HP Support Assistant. It collects information about hardware performance that is used anonymously. No data is shared with HP unless access is expressly granted. Customers can opt out or uninstall the service at any time." Nobody at the bank had knowingly installed it; it appears to have arrived as part of a Windows Update. Behavioral analysis of the package shows that it is capable of the following:
- Modifies file/console tracing settings (often used to hide footprints on system)
- Malicious artifacts seen in the context of a contacted host
- Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- Reads the active computer name
- Reads the cryptographic machine GUID
- Tries to sleep for a long time (more than two minutes)
- Requested access to a system service
- Sent a control code to a service
- Contains ability to listen for incoming connections
- Found potential IP address in binary/memory
- Modifies Software Policy Settings
- Modifies proxy settings
- Reads the registry for installed applications
- Contains ability to query the machine version
Most of these indicators are generic behaviors shared by legitimate telemetry and update agents: a support assistant that reads the machine name, the machine GUID and the list of installed applications, sleeps between uploads and opens a network connection will trip all of them. The list establishes that the agent inventories the machine and can send that inventory out, not that it is malware. The concern for a bank is an unreviewed agent, installed silently under a system account, with network access on regulated systems.
The Fix: Stop and disable the HP Touchpoint Analytics Client service on the affected systems, and uninstall HP Touchpoint Manager from them. Stopping the service alone is not enough: a service left on automatic start returns at the next reboot, and because the package arrived through an update it should be checked for again after future update cycles. Verify the removal and keep the first-time-seen alert in place.
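The removal above, as an added PowerShell example that is not from the original post or from HP. It assumes the service display name begins with "HP Touchpoint" and that the packages are registered under the standard Uninstall registry keys; the silent-uninstall switches of any non-MSI package are vendor-specific and are an assumption here. Run it elevated, with -WhatIf on the first pass.

```powershell
# Added example (not from the original post): stop and disable the HP Touchpoint
# Analytics service, then remove the HP Touchpoint packages through their
# registered uninstall entries, and verify nothing is left.
# Assumptions: service display name matches 'HP Touchpoint*'; packages are
# registered under the standard Uninstall keys. Run elevated; supports -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# 1. Stop and disable the service so it cannot restart on reboot.
$services = Get-Service -DisplayName 'HP Touchpoint*' -ErrorAction SilentlyContinue
foreach ($svc in $services) {
    if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop and disable service')) {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc.Name -StartupType Disabled
    }
}

# 2. Locate the registered uninstallers (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$packages = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'HP Touchpoint*' }

foreach ($pkg in $packages) {
    if ($pkg.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
        # MSI package: the key name is the ProductCode. Silent, no reboot, verbose log.
        $msiArgs = "/x $($pkg.PSChildName) /qn /norestart /l*v `"$env:TEMP\$($pkg.PSChildName).log`""
        if ($PSCmdlet.ShouldProcess($pkg.DisplayName, "msiexec.exe $msiArgs")) {
            $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
            Write-Host "$($pkg.DisplayName): msiexec exit code $($p.ExitCode)"
        }
    } else {
        # Non-MSI package: prefer the vendor's quiet string if one is registered.
        # Whether the vendor's string is actually silent is an assumption.
        $cmd = if ($pkg.QuietUninstallString) { $pkg.QuietUninstallString } else { $pkg.UninstallString }
        if ($cmd -and $PSCmdlet.ShouldProcess($pkg.DisplayName, $cmd)) {
            $p = Start-Process -FilePath cmd.exe -ArgumentList '/c', $cmd -Wait -PassThru
            Write-Host "$($pkg.DisplayName): uninstaller exit code $($p.ExitCode)"
        }
    }
}

# 3. Verify: both queries should return nothing.
Get-Service -DisplayName 'HP Touchpoint*' -ErrorAction SilentlyContinue
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'HP Touchpoint*' } |
    Select-Object DisplayName, DisplayVersion, Publisher
```

The verification step matters more than the uninstall itself: a non-zero msiexec exit code (3010 means a reboot is pending) or a surviving Uninstall entry means the package is still on the box and will show up again on the next first-time-seen report.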
The Lesson: Even when new systems come from reputable manufacturers, IT should reimage them with a company-approved image to minimize the chance of bloatware. Where that is not possible, monitor for first-time-seen programs and for any attempt to "phone home", since an unreviewed agent sending inventory data off the network amounts to data leakage.
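A minimal version of that monitoring, as an added PowerShell example that is not part of the original post and is not the EventTracker sensor's logic. It collects every distinct executable path running as a process or registered as a service binary, compares the set against a baseline saved by a previous run, and reports each new executable with its Authenticode signer and any established non-private outbound TCP connections it owns. The baseline location under ProgramData is an assumption; the script needs elevation to see all processes and the NetTCPIP module (Windows 8 / Server 2012 or later) for Get-NetTCPConnection.

```powershell
# Added example (not from the original post): first-time-seen executable check
# with an outbound-connection ("phone home") summary for anything new.
# Assumption: baseline JSON lives under $env:ProgramData\FirstSeen. Run elevated.
param(
    [string]$BaselinePath = "$env:ProgramData\FirstSeen\baseline.json"
)

function Get-ObservedExecutables {
    # Image paths of running processes plus the binaries behind installed services.
    $fromProcesses = Get-CimInstance Win32_Process |
        Where-Object ExecutablePath | Select-Object -ExpandProperty ExecutablePath
    $fromServices = Get-CimInstance Win32_Service |
        Where-Object PathName |
        ForEach-Object {
            # Strip quotes and arguments: "C:\x\y.exe" -arg  ->  C:\x\y.exe
            if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }
            elseif ($_.PathName -match '^(\S+\.exe)') { $Matches[1] }
        }
    @($fromProcesses) + @($fromServices) |
        ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
}

function Get-OutboundConnections([string]$Path) {
    # Established TCP connections owned by any process running this image,
    # excluding loopback and RFC 1918 destinations.
    $owners = (Get-Process | Where-Object { $_.Path -and $_.Path.ToLowerInvariant() -eq $Path }).Id
    if (-not $owners) { return @() }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object {
            $_.OwningProcess -in $owners -and
            $_.RemoteAddress -notmatch '^(127\.|::1$|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
        } |
        Select-Object RemoteAddress, RemotePort
}

$current  = @(Get-ObservedExecutables)
$baseline = @()
if (Test-Path $BaselinePath) {
    $baseline = @(Get-Content $BaselinePath -Raw | ConvertFrom-Json)
}
$new = @($current | Where-Object { $_ -notin $baseline })

# Report each first-time-seen executable: who signed it, and where it is talking to.
foreach ($exe in $new) {
    $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path      = $exe
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        SigStatus = $sig.Status
        Outbound  = (Get-OutboundConnections $exe |
                     ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', '
    }
}

# Persist the union so each executable alerts only the first time it is seen.
New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
@($baseline + $new) | Sort-Object -Unique | ConvertTo-Json | Set-Content $BaselinePath
```

Run it once on a freshly imaged machine to seed the baseline, then on a schedule. On the first run after an update cycle the report is the list of everything the update added; a signed vendor binary with an established connection to a public address is exactly the case in this story, and is what a reviewer should decide on before the next cycle seeds it into the baseline.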