We have an infection currently spreading through our network. New endpoints are popping up on the SecureAnywhere console every few minutes as infected. Some are 'protected', others are 'need attention'. The infection is reported as W32.BitCoinMiner. The file list is shown below.
I need to determine
a. The point of entry - which computer introduced this and how. Was it via the web? local usb device? etc.
b. How the infection is able to spread. So far it has affected two AD sites, spanning two IP subnets. It has not spread to any servers yet.
Does anyone have any tips on how best to understand and investigate the two points above?
Best answer by DDIT
Thanks all for the comments.
After further investigation, I can reveal this was a false-positive "alarm". Our MSP had decided to deploy Bitdefender to all endpoints on Friday afternoon, despite not notifying or warning of this. Most of the endpoints quarantined the deployment attempt and falsly categorised as bitcoin mining (see screenshot above - all those exe's belong to the Bitdefender installation package).
The reason why our servers never got "touched" was because the deployment script for bitdefender on servers was changed to uninstall competing AV solutions first, hence why none of them reported infection. The same reason why Meraki never flagged any infected files coming through the firewall. This also explained why the first infected machine appeared so clean and innocent - there had been no unauthorised software installs or dodgy web browsing.
I then called the MSP to confirm they had pushed Bitdefender out - which they did. Needless to say I have expressed my *&"£$* unhappiness at this.