Background

PermanentCurePharmaGiant SARL had a long-standing relationship with one of its oldest vendors, SoftwareForLabAnalysis Pvt Ltd.

SoftwareForLabAnalysis developed the laboratory analysis software that PermanentCurePharmaGiant ran. The software was upgraded regularly, and the vendor had a clean record of testing each release before shipping it to the client.

The software was extensively used for:

  • Uploading laboratory result files
  • Processing and analysing test data
  • Storing sensitive laboratory analysis outputs

Incident Trigger

The incident began when PermanentCurePharmaGiant's security team observed unexpected outbound network traffic originating from the laboratory analysis environment.

The traffic:

  • Had persisted for two weeks
  • Was directed to unfamiliar external destinations
  • Did not align with known laboratory workflows

An internal security incident was raised.

Initial Investigation

During the initial response:

  • No signs of system outages were found
  • No user accounts showed signs of misuse
  • No recent infrastructure changes were identified
  • Laboratory operations appeared normal

However, the volume and pattern of outbound traffic continued. Data was leaving the environment without a clear business purpose. This prompted a deeper technical investigation.
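The signal that opened this incident is a detection a network team can automate: outbound flows from the laboratory segment to a destination that is not on the sanctioned list and that recur day after day. The following Python is an added example written for this page, not code from either company. It assumes a constructed flow-log format (timestamp, source, destination, port, bytes out), a laboratory segment of 10.20.5.0/24, an internal address space of the RFC 1918 ranges, and a single sanctioned external destination (the vendor's update server); none of those values come from the page. The sample records are generated in the block and are constructed, not real.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumptions for this example (not stated on the page): lab hosts live in
# 10.20.5.0/24, internal space is the RFC 1918 ranges, and the only sanctioned
# external destination is the vendor's update server at 192.0.2.10. Any other
# external peer that a lab host contacts on MIN_DAYS or more distinct days is
# reported as a persistent unknown destination.
LAB_SEGMENT = ip_network("10.20.5.0/24")
INTERNAL_NETWORKS = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                     ip_network("192.168.0.0/16"))
KNOWN_DESTINATIONS = {"192.0.2.10"}
MIN_DAYS = 7


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETWORKS)


def constructed_flow_lines():
    """Constructed sample flow records (not real logs), one per line:
    '<ISO 8601 UTC> <src> <dst> <dst_port> <bytes_out>'."""
    start = datetime(2024, 3, 1, tzinfo=timezone.utc)
    lines = []
    for day in range(14):
        d = start + timedelta(days=day)
        # Twice-daily transfer from a lab host to an unfamiliar external address.
        for hour in (2, 14):
            t = d.replace(hour=hour, minute=15)
            lines.append(f"{t.isoformat()} 10.20.5.14 203.0.113.45 443 {180000 + day * 17}")
        # Sanctioned daily check-in with the vendor update server.
        t = d.replace(hour=9)
        lines.append(f"{t.isoformat()} 10.20.5.14 192.0.2.10 443 2048")
        # Internal file-server traffic: never external, never reported.
        lines.append(f"{t.isoformat()} 10.20.5.22 10.10.0.20 445 65536")
    # One-off connection to another unknown address: not persistent.
    t = start + timedelta(days=5, hours=11)
    lines.append(f"{t.isoformat()} 10.20.5.22 198.51.100.7 443 512")
    # The same unfamiliar address contacted from outside the lab segment: out of scope.
    lines.append(f"{t.isoformat()} 10.30.1.5 203.0.113.45 443 4096")
    return lines


def parse_flow(line):
    ts, src, dst, port, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)


def find_persistent_unknown_destinations(flow_lines, min_days=MIN_DAYS):
    """Return (src, dst, port) tuples from the lab segment to non-allowlisted,
    non-internal addresses that recur on at least min_days distinct days,
    sorted by bytes sent so the largest transfer is examined first."""
    per_pair = defaultdict(lambda: {"days": set(), "flows": 0, "bytes": 0})
    for line in flow_lines:
        ts, src, dst, port, nbytes = parse_flow(line)
        if ip_address(src) not in LAB_SEGMENT:
            continue
        if dst in KNOWN_DESTINATIONS or is_internal(dst):
            continue
        stats = per_pair[(src, dst, port)]
        stats["days"].add(ts.date())
        stats["flows"] += 1
        stats["bytes"] += nbytes
    findings = []
    for (src, dst, port), stats in per_pair.items():
        if len(stats["days"]) >= min_days:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "days_seen": len(stats["days"]),
                "first_seen": min(stats["days"]).isoformat(),
                "last_seen": max(stats["days"]).isoformat(),
                "flows": stats["flows"], "bytes_out": stats["bytes"],
            })
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)


if __name__ == "__main__":
    for finding in find_persistent_unknown_destinations(constructed_flow_lines()):
        print(finding)
```

The key in this check is the number of distinct days a pair recurs, not the byte count: slow exfiltration keeps per-flow volume low, so a threshold on bytes alone misses it. The allowlist also matters; a vendor update server that is not recorded as sanctioned will show up here as a false positive, which is exactly the kind of entry a change-management record should supply.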

Post-Incident Analysis

Initial Assessment

  • Network logs confirmed that the traffic originated from the laboratory analysis application
  • Unexpected processes were executing within the laboratory software runtime
  • File-handling activity was inconsistent with normal laboratory data uploads
  • No corresponding user actions explained the activity

Finding

This indicated that the application itself had been compromised.

Investigation

Investigators reviewed recent changes to the environment and found a recent software upgrade of the laboratory analysis platform. The timing of the upgrade closely matched the start of the abnormal traffic.

Root Cause Discovery

Further analysis of the upgraded software revealed that the file upload and processing logic had been changed, and that the new code did not strictly validate file extensions, file size, or the structure of the uploaded content.

Testing confirmed that:

  • Malicious payloads could be uploaded disguised as laboratory data files
  • Automated worms had repeatedly attempted such uploads
  • One payload had successfully bypassed the weak validation checks

Once uploaded:

  • The payload executed within the application context
  • It accessed stored laboratory analysis data
  • Data was exfiltrated gradually to external destinations
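The three missing checks named above (extension, size, content structure) are concrete enough to show side by side. The following Python is an added example written for this page; it is not the vendor's upload code, and the file format, size limit and expected column names are assumptions, since the page does not give them. The "weak" function reproduces only the general shape of the defect the page describes (a name-only check); the "strict" function shows the checks a hardened upload path performs before a file reaches the processing logic. The sample uploads at the bottom are constructed.

```python
import csv
import io

# Assumptions for this example (the page does not give the real format or
# limits): laboratory result files are UTF-8 CSV with a fixed header, capped
# at 5 MiB and 100,000 rows.
ALLOWED_EXTENSIONS = {".csv"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
EXPECTED_HEADER = ["sample_id", "analyte", "result", "unit"]
MAX_ROWS = 100_000
MAX_FIELD_LEN = 256
# Leading bytes of file types that must never be accepted as a result file.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!", b"PK\x03\x04", b"<?php", b"%PDF")


def weak_validate(filename, data):
    """The 'before' case: a name-only check of the kind the page describes as
    insufficient. Illustrative, not the vendor's code. It ignores size and
    content, and 'results.csv.exe' passes because the substring matches."""
    return ".csv" in filename.lower()


def strict_validate(filename, data):
    """Hardened check: exact extension, size bounds, then structural
    validation of the content. Returns (accepted, reason)."""
    # Extension: use the bare file name, require exactly one extension, match exactly.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base.count(".") != 1 or base.startswith("."):
        return False, "file name must be <name>.<ext> with a single extension"
    ext = "." + base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext} not allowed"

    # Size: reject empty and oversized uploads before touching the content.
    if not data:
        return False, "empty upload"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "upload exceeds size limit"

    # Content: must be text without executable/archive/script signatures, and
    # must parse as CSV with the expected header and rectangular rows.
    if data.startswith(EXECUTABLE_MAGIC):
        return False, "content signature is not a result file"
    if b"\x00" in data:
        return False, "binary content"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "content is not UTF-8 text"
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header != EXPECTED_HEADER:
        return False, "header does not match expected schema"
    rows = 0
    for row in reader:
        rows += 1
        if rows > MAX_ROWS:
            return False, "too many rows"
        if len(row) != len(EXPECTED_HEADER):
            return False, f"row {rows}: expected {len(EXPECTED_HEADER)} fields, got {len(row)}"
        if any(len(field) > MAX_FIELD_LEN for field in row):
            return False, f"row {rows}: field too long"
    if rows == 0:
        return False, "no data rows"
    return True, "ok"


# Constructed sample uploads (not real files).
GOOD_CSV = (b"sample_id,analyte,result,unit\n"
            b"S-1001,glucose,5.4,mmol/L\n"
            b"S-1002,creatinine,78,umol/L\n")
# A Windows executable header with padding, uploaded under a CSV file name.
DISGUISED_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
# Valid UTF-8 text that is a script, not a result file.
SCRIPT_PAYLOAD = b"#!/bin/sh\nid\n"

if __name__ == "__main__":
    for name, data in [("results.csv", GOOD_CSV), ("results.csv", DISGUISED_PAYLOAD),
                       ("results.csv.exe", GOOD_CSV), ("results.csv", SCRIPT_PAYLOAD)]:
        print(name, "weak:", weak_validate(name, data), "strict:", strict_validate(name, data))
```

Two design points carry over to any upload path: the checks run in order of cost (name, then length, then content) so that the parser never sees an oversized or binary body, and the structural check pins the schema rather than merely rejecting known-bad signatures, since a signature list is only ever a partial denylist. Structural validation limits what reaches the processing logic; the processing logic itself must still treat every field as data and never execute or interpret it.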

Supplier Involvement

As part of the investigation, the software vendor was engaged. The vendor confirmed that:

  • New code had been promoted to the final release
  • Security testing of the file upload component had been outsourced, and the third party's report did not cover it
  • The vendor had since discovered the vulnerability and was preparing a hotfix, but had not told the client that this penetration testing check had been missed
  • The vulnerability was traced directly to the most recent software version shipped by the vendor

Incident Summary

  • The client detected the incident through abnormal outbound traffic
  • The compromise originated inside a trusted laboratory application
  • The entry point was a vulnerability introduced in a recent vendor software update
  • The issue remained undetected until the post-incident investigation correlated the behaviour with the upgrade

Questions Raised as a Cybersecurity Professional

  1. Should the client have audited the software penetration test report submitted by the vendor?
  2. Why did change management not require integration testing of the third-party software?
  3. Why did the vendor not report the vulnerability to the client? Was disclosure not required by the contract or SLA?
  4. Why was the software integration approved for the production environment before it had been validated in lower environments?
  5. There is a serious gap in supply chain risk management, from both the vendor and the software perspective.
  6. Was the risk assessed?