Dark Reading: The backdoor malware discovered on a server at a US manufacturing company was spotted and cleaned up within 24 hours of its implantation, and by all accounts that particular cyber espionage attack had been thwarted. But the next day, two new backdoors were spotted on two other servers, and the company realized its incident response operation had not been so successful after all.
“We knew the Trojan on that [first] system, but we missed out on a couple of other machines. As soon as we cleaned up the one machine, there they were the next day,” says the IR security team member at the manufacturing firm, who spoke on the condition that his company not be named. “They had moved laterally and installed two completely different backdoors, so IOCs [indicators of compromise]/signatures were useless.”