The SOC Diaries – Tales of the Unexpected

Affordable Community SOC services for ‘around the clock’ Cyber Threat Protection and Prevention

Providing 24x7x365 advanced cyber protection to our customers means that we encounter a plethora of new and evolving cyber threats each and every day. Luckily for our customers, our ‘always available’ SOC Teams are specialists in monitoring, detecting, investigating, and mitigating these potentially harmful threats before they can have a serious impact upon the security and continuity of our SOC Community.

To highlight these close calls, our expert SOC Analysts have been recording anonymised case summaries, which we are calling The SOC Diaries – Tales of the Unexpected.

The idea behind the SOC Diaries is to be able to showcase the often-banal ways in which potentially very serious cyber breaches can originate, whilst also detailing the rapid and professional ways in which our SOC Teams handle each scenario.

Find out more by reading the diary entries below, or click the button to join one of our upcoming SOC Diaries webinars.




High-risk data breach through exposed network backdoor at major multi-campus educational institution

KHIPU SOC identified a malicious PHP web shell being uploaded to one of the customer’s public-facing web servers, giving attackers backdoor access to the environment. Our SOC Team worked alongside the customer to establish the extent of the incident and remove all traces of the shell from the system. We also advised that vulnerability scans of the web servers were necessary, because the web shell had been planted by abusing a weakness in the WordPress XML-RPC interface (xmlrpc.php). Risk levels were high: the web shell gave attackers remote command execution on the server and, through it, a foothold into the customer’s network.

SOC Timeline: Host isolation; removal of malicious files; consultancy on vulnerability scanning; external web infrastructure and internal network protected.
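Two of the checks this case turns on can be scripted against the web server’s own access logs. The following Python is an added example written for this page, not KHIPU’s tooling: it parses combined-format (Apache/Nginx) access log lines and flags (a) clients hammering xmlrpc.php with POST requests, the pattern left by credential brute-forcing or pingback abuse of the XML-RPC API, and (b) any request that executes a PHP file under wp-content/uploads, a directory that should only ever serve static media. The log lines, client addresses and file names are constructed for the example.

```python
"""Detection checks for the WordPress XML-RPC / web shell case.

Added example for this page, not KHIPU's tooling. Scans combined-format
(Apache/Nginx) access log lines for:
  1. bursts of POST requests to /xmlrpc.php from a single client, the pattern
     left by credential brute-forcing or pingback abuse of the XML-RPC API; and
  2. any request that executes a .php/.phtml file under /wp-content/uploads/,
     a directory that should only ever serve static media.
All log lines, client addresses and file names below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# PHP executed from the uploads tree (covers .php, .php5, .phtml; query string allowed)
UPLOADS_PHP = re.compile(r"/wp-content/uploads/.*\.ph(?:p\d?|tml)(?:\?|$)", re.I)

# Constructed sample: six XML-RPC POSTs in ten seconds from one client, some benign
# traffic, then the same client calling a PHP file that has appeared under uploads.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/May/2023:09:12:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "curl/7.88"'
     for s in (1, 2, 4, 5, 8, 11)]
    + [
        '198.51.100.4 - - [10/May/2023:09:12:30 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '198.51.100.4 - - [10/May/2023:09:12:31 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"',
        '198.51.100.4 - - [10/May/2023:09:12:32 +0000] "GET /wp-content/uploads/2023/05/logo.png HTTP/1.1" 200 9100 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [10/May/2023:09:13:40 +0000] "GET /wp-content/uploads/2023/05/wp-cache.php?cmd=id HTTP/1.1" 200 310 "-" "curl/7.88"',
    ]
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def _peak_in_window(times, window):
    """Largest number of timestamps falling inside any interval of length `window`."""
    times = sorted(times)
    start = peak = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def xmlrpc_bursts(records, threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> peak POST /xmlrpc.php count for clients at or above `threshold`."""
    hits = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            hits[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in hits.items():
        peak = _peak_in_window(times, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def php_in_uploads(records):
    """Requests that ran server-side code from the uploads directory: (ip, path, status)."""
    return [(r["ip"], r["path"], r["status"]) for r in records if UPLOADS_PHP.search(r["path"])]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, n in xmlrpc_bursts(recs).items():
        print(f"[xmlrpc burst] {ip}: {n} POSTs within 60s")
    for ip, path, status in php_in_uploads(recs):
        print(f"[php in uploads] {ip} -> {path} ({status})")
```

The XML-RPC threshold is deliberately low; on a busy multi-author site raise it, or block xmlrpc.php at the web server if nothing legitimately uses it. The second check is worth keeping as a standing detection: a 200 response for a .php file under uploads is almost never benign, and denying PHP execution in that directory at the web server removes the most common web shell drop point.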


Human error leads to major vulnerability for global organisation

KHIPU SOC prevented malicious worm activity triggered by an infected USB drive, which had previously been used for printing at an internet and print café. Given the notoriously inadequate security at these types of establishments, using removable storage devices there is a high-risk activity, and the drive was judged the most probable source of the infection.

SOC Timeline: Detection and isolation were fundamental; machine was reimaged; SOC performed reverse engineering to determine that the malware was related to the ‘Raspberry Robin’ worm.


Major cybersecurity breach impacting over 90% of the IT infrastructure at a multi-campus education institution

Needing urgent assistance, an educational institution reported a major cyber breach to its technology vendors, as its incumbent cyber security partner did not have the capabilities to react and mitigate the situation. Having been referred to KHIPU, our SOC Team assessed the situation and determined that over 90% of the university’s virtual infrastructure was inaccessible: over 300 servers, the back-ups and all related services had been taken offline, affecting 10,000 users.

SOC Timeline: Extended endpoint detection and response to provide holistic protection; deployed sandboxing and investigation tools to identify the IP addresses used by the ransomware; instigated blocks on the firewall; added indicators of compromise (IOCs) to blocklists, including in endpoint security software that had been poorly configured (e.g. Windows Defender).





Active ‘brute force’ attack via an exposed desktop machine

KHIPU SOC identified an active ‘brute force’ attack against a desktop machine. The SOC Team acted quickly, remoting into the machine and confirming that the desktop had a public IP address. The Team then checked all connected interfaces and found a 4G SIM card: the cellular connection bypassed the organisation’s perimeter and was the most likely route by which the machine’s Remote Desktop Protocol (RDP) service had been exposed directly to the internet, where any unauthorised party could attempt to log in. KHIPU contacted the customer ‘out of hours’; the 4G SIM card was removed and, as a matter of course, advice was provided on effectively locking down machines. Risk levels were high: a successful password guess against the exposed RDP service could have led to a major security breach.

SOC Timeline: ‘Brute Force’ attack identified; Action taken to access the compromised machine and find the root cause; Checked connected interfaces and discovered 4G SIM; Contacted customer ‘out of hours’ to advise on actions to mitigate the threat.
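Both halves of this investigation, spotting the brute force and finding out why the machine was reachable, can be scripted. The Python below is an added example for this page, not KHIPU’s tooling. It runs a sliding-window count over Windows Security event 4625 (failed logon) records, where RDP attempts carry LogonType 10 and the client address in IpAddress, and then checks a host’s interface list for an internet-routable address, which is the condition a 4G SIM creates. The event records, the interface list and the addresses (taken from documentation ranges) are constructed for the example; the field names follow the 4625 event schema.

```python
"""Triage checks for the exposed-RDP brute force case.

Added example for this page, not KHIPU's tooling. Two things the SOC did by
hand here can be scripted:
  1. spotting a brute-force pattern in Windows Security event 4625 (failed
     logon) records: RDP attempts carry LogonType 10 (RemoteInteractive) and the
     client address in IpAddress; and
  2. the root-cause check: flagging a local interface that holds an internet-
     routable address, i.e. a host reachable from the internet without passing
     the corporate perimeter, which is what the 4G SIM produced in this case.
Event records and the interface list are constructed; the addresses are from
documentation ranges.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"

# Ranges that cannot be reached from the public internet. Listed explicitly rather
# than via ipaddress.is_global, which also treats the RFC 5737 documentation
# ranges used in this sample (and in many public write-ups) as non-global.
NOT_INTERNET_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fe80::/10", "fc00::/7",
)]


def is_internet_routable(addr):
    """True if `addr` is neither private, loopback, link-local, CGNAT nor multicast."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NOT_INTERNET_ROUTABLE)


def _event(ts, user, ip, logon_type=RDP_LOGON_TYPE):
    """One 4625 record with the fields an export from the Security log would carry."""
    return {"TimeCreated": ts.isoformat(), "EventID": 4625, "TargetUserName": user,
            "LogonType": logon_type, "IpAddress": ip}


BASE = datetime(2023, 5, 10, 2, 14, 0)
SAMPLE_EVENTS = (
    # twelve failures in 99 seconds from one external address, cycling through accounts
    [_event(BASE + timedelta(seconds=9 * i), ("administrator", "admin", "backup", "scan")[i % 4],
            "198.51.100.23") for i in range(12)]
    # a user mistyping their password twice from the LAN: should not be flagged
    + [_event(BASE + timedelta(minutes=1), "jsmith", "10.20.1.9"),
       _event(BASE + timedelta(minutes=3), "jsmith", "10.20.1.9")]
    # a console logon failure with no network source
    + [_event(BASE, "svc_backup", "-", logon_type="2")]
)

SAMPLE_INTERFACES = [  # as an inventory/EDR agent or Get-NetIPAddress would report them
    {"name": "Ethernet", "ip": "10.20.1.55"},
    {"name": "Cellular (4G)", "ip": "198.51.100.200"},
    {"name": "Loopback", "ip": "127.0.0.1"},
]


def rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Source IPs with >= `threshold` failed RDP logons inside any `window`.

    Returns {ip: {"attempts_in_window", "accounts", "internet_source"}}.
    """
    attempts = defaultdict(list)
    for e in events:
        if e["EventID"] != 4625 or e["LogonType"] != RDP_LOGON_TYPE:
            continue
        try:
            ip = str(ipaddress.ip_address(e["IpAddress"]))
        except ValueError:      # "-" or malformed source field
            continue
        attempts[ip].append((datetime.fromisoformat(e["TimeCreated"]), e["TargetUserName"]))

    flagged = {}
    for ip, items in attempts.items():
        items.sort()
        times = [t for t, _ in items]
        start = peak = 0
        for end, t in enumerate(times):         # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"attempts_in_window": peak,
                           "accounts": sorted({u for _, u in items}),
                           "internet_source": is_internet_routable(ip)}
    return flagged


def exposed_interfaces(interfaces):
    """Interfaces whose address is reachable from the internet: [(name, ip)]."""
    return [(i["name"], i["ip"]) for i in interfaces if is_internet_routable(i["ip"])]


if __name__ == "__main__":
    for ip, info in rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"[rdp brute force] {ip}: {info}")
    for name, ip in exposed_interfaces(SAMPLE_INTERFACES):
        print(f"[exposed interface] {name} has internet-routable address {ip}")
```

Two caveats when using this on real data: with Network Level Authentication enabled, RDP authentication failures are logged with LogonType 3 rather than 10, so widen the filter; and a cellular interface that receives a carrier-grade NAT address (100.64.0.0/10) is not directly reachable and will not be flagged, which is the correct answer for the exposure question even though the machine is still off the corporate network.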


Urgent investigation and response following the discovery of multiple malicious files

KHIPU SOC were contacted to perform an immediate incident response (911) service to investigate and respond to a serious active threat. The Team identified multiple malicious and dangerous files, including SystemBC (a backdoor capable of downloading further malicious programs), WannaCry, Hive ransomware and Cobalt Strike. KHIPU’s Team then identified several hosts displaying active encryption activity, leading to the deployment of threat mitigation processes which immediately blocked the attack from propagating any further. The Team obtained copies of the malicious files and detonated them in our sandbox to observe their behaviour safely; this activity was vital in understanding the best course of action to both contain the threat and remediate it.

SOC Timeline: SOC contacted to perform emergency incident response; immediately blocked the attack; sandboxed and detonated malicious files; purged infected hosts to remove the ransomware; IOCs identified and added to firewalls; report provided with recommendations.


Ransomware attack impacts parent company and its subsidiary

Needing urgent assistance, a large manufacturing business reported a ransomware attack which had compromised its domain controller, leading to the propagation of the ransomware into a subsidiary business. The KHIPU SOC Team performed incident response ‘handholding’ with the customer, whose team explained the types of attack they were seeing, allowing a mitigation and business continuity plan to be implemented.

Upcoming ‘SOC Diaries’ Webinars…

We are always adding more ‘unexpected tales’ to our SOC Diaries series. Use the form to register and join us for the next instalment.

T: +44 (0)345 272 0900 (UK)
T: +27 (041)393 7608 (SA)
