Keylogger on MSP Endpoints

The Network: A mid-sized Managed Security Provider (MSP) uses EventTracker SIEM (Security Information and Event Management) and SOC-as-a-Service (SOCaaS) to protect its own network as well as the sensitive data and endpoints of its end clients.

The Expectation: EventTracker co-managed SIEM services with Endpoint Detection and Response (EDR) capability deliver end-to-end protection. The MSP is vigilant and responsible for protecting its extensive supply chain. They also understand that continuous monitoring and remediation are crucial to detect stealthy attacks by cyber criminals and reduce dwell time before a damaging data breach can occur.

The Catch: The EventTracker SOC (Security Operations Center) detected keylogging software on several of the MSP’s endpoints on the first day that EventTracker agents were installed. Keyloggers are a serious threat to users and data privacy. Keyloggers can capture every keystroke including login credentials, intellectual property of organizations, and sensitive government data. The EventTracker SOC found a Conexant audio driver in the MSP’s environment that logs all keystrokes on certain older Hewlett-Packard (HP) machines and publishes them without encryption to a file in a public folder. Anyone would be able to silently steal sensitive data by accessing the public file that is known by cybercriminals.

The EventTracker SOC promptly notified the MSP that the Conexant audio driver logs all keystrokes on certain legacy HP machines and publishes them to a file in a public folder. Netsurion sent a notification email and then telephoned the MSP partner to communicate the threat and provide recommendations.

The Find: Netsurion detected the keylogging threat by combining SIEM and EDR technologies driven by an ISO-certified SOC.

Process Name: MicTray64.exe
Hash: 7296b74f9422d4a95f46830142a4c984
Process Location: C:\Program Files\CONEXANT\MicTray\MicTray64.exe
MITRE ATT&CK mapping: ATT&CK framework techniques linked to Keylogging include:
Input Capture – T1056; Input Capture (Mobile) – T1417; and System Information Discovery – T1082.

Traditional security tools like anti-virus software failed to detect the keylogging software in the MSP’s environment.

The Fix: The EventTracker SOC quickly notified the MSP of the keylogging threat. The identified endpoint devices were placed in lockdown mode by EventTracker EDR with unsafe processes terminated until the threat could be removed by the MSP’s technical team. Once the threats were mitigated, the cleared systems were reconnected to the MSP’s administrative network. The MSP was appreciative of the timely detection immediately upon onboarding their EventTracker solution and the rapid response taken by the EventTracker SOC.

Recommendations to mitigate this keylogger vulnerability include:

  • Identify whether you have HP computers in your infrastructure and check whether the programs MicTray64.exe or MicTray.exe are installed on the C: drive. Delete or rename the executable files so that keystrokes are no longer recorded.
  • Search for the MicTray.log file at C:\users\public\MicTray.log. Immediately change passwords for the associated accounts if login names, passwords, banking information, and other sensitive personally identifiable information (PII) have been exposed.
  • If your infrastructure has legacy HP devices, upgrade to the most recent HP device driver packages that do not contain the keylogging functions in the Conexant executables.
  • Safelist applications that are deemed necessary for day-to-day operations. Place other applications on the unsafe list that is subject to greater scrutiny by the EventTracker SOC.
  • Maintain your SOC call tree contact list to ensure that urgent security communications are sent to the appropriate decision makers in your organization.
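
The first two checks in the list above, as an added PowerShell example (not Netsurion's or the MSP's tooling): it looks for the MicTray executables, compares their MD5 with the hash reported in this case study, checks for a running process, and reports on the public log file without reading its contents. The function name, parameters, default search root and output fields are assumptions.

```powershell
# Added example: triage one Windows endpoint for the Conexant MicTray indicators.
# File names, the MD5 and both paths come from the case study; the function
# name, parameters and output shape are illustrative assumptions.
function Get-MicTrayExposure {
    [CmdletBinding()]
    param(
        # Folders to search; pass 'C:\' for a full (slow) sweep of the drive.
        [string[]]$SearchRoot = @('C:\Program Files\CONEXANT'),
        [string]$LogPath = 'C:\Users\Public\MicTray.log',
        [string]$ReportedMd5 = '7296b74f9422d4a95f46830142a4c984'
    )
    $names = 'MicTray64.exe', 'MicTray.exe'

    # 1. Executables on disk, each hashed and compared with the reported MD5.
    #    A different hash is still a finding: other driver builds may exist.
    $roots = $SearchRoot | Where-Object { Test-Path -LiteralPath $_ }
    $binaries = @(foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $names -contains $_.Name }
    })
    $files = @(foreach ($b in $binaries) {
        $hash = (Get-FileHash -LiteralPath $b.FullName -Algorithm MD5).Hash
        [pscustomobject]@{
            Path                = $b.FullName
            MD5                 = $hash
            MatchesReportedHash = ($hash -eq $ReportedMd5)  # -eq ignores case
        }
    })

    # 2. Is the process running right now?
    $procs = @(Get-Process -Name 'MicTray64', 'MicTray' -ErrorAction SilentlyContinue)

    # 3. Keystroke log: metadata only, because the contents may hold credentials.
    $log = Get-Item -LiteralPath $LogPath -Force -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Executables      = $files
        RunningPids      = @($procs | ForEach-Object { $_.Id })
        LogPresent       = [bool]$log
        LogBytes         = if ($log) { $log.Length } else { 0 }
        LogLastWritten   = if ($log) { $log.LastWriteTime } else { $null }
        NeedsRemediation = [bool]($binaries.Count -or $procs.Count -or $log)
    }
}

Get-MicTrayExposure | Format-List
```

A non-zero `LogBytes` means keystrokes were written to the public folder, which is the condition under which the password-change recommendation applies.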

The Lesson: Cyber attackers are actively exploiting trusted relationships such as service provider networks. Netsurion’s integrated SIEM and EDR capability was instrumental in detecting and disrupting this potential advanced persistent threat (APT) activity. Continuous monitoring from Netsurion ensures 24/7/365 visibility and rapid mitigation. Learn more about how Netsurion protects organizations against advanced threats from cyber criminals.