CompTIA CySA+ (CS0-001) — Question 202
A technician at a company's retail store notifies an analyst that disk space is being consumed at a rapid rate on several registers. The uplink back to the corporate office is also saturated frequently. The retail location has no Internet access. An analyst then observes several occasional IPS alerts indicating a server at corporate has been communicating with an address on a watchlist. Netflow data shows large quantities of data transferred at those times.
Which of the following is MOST likely causing the issue?
Answer options
- A. A credit card processing file was declined by the card processor and caused transaction logs on the registers to accumulate longer than usual.
- B. Ransomware on the corporate network has propagated from the corporate network to the registers and has begun encrypting files there.
- C. A penetration test is being run against the registers from the IP address indicated on the watchlist, generating large amounts of traffic and data storage.
- D. Malware on a register is scraping credit card data and staging it on a server at the corporate office before uploading it to an attacker-controlled command and control server.
Correct answer: D
Explanation
The correct answer is D because it is the only option that accounts for every observation together. The registers are filling their disks because memory-scraping malware is writing harvested card data locally; the store has no Internet access, so that data cannot leave from the registers directly and must instead be pushed over the uplink to a host at corporate, which explains the periodic saturation; the IPS alerts and the large netflow volumes then show that corporate server sending the staged data out to the watchlisted (attacker-controlled) address. Option A is incorrect because a declined batch file might make transaction logs grow slightly, but it would not saturate the uplink or cause a corporate server to talk to a watchlisted address. Option B is incorrect because ransomware encrypts files in place; nothing in the evidence (no ransom notes, no unreadable files, and large outbound transfers rather than local disk churn) points to encryption. Option C is incorrect because a test launched from the external watchlist address could not reach registers at a site with no Internet access, and a penetration test would not explain bulk data leaving a corporate server for that address.
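The reasoning above rests on correlating three data sources: watchlist hits, large outbound netflow from a corporate host, and register-to-corporate transfers in the hours before each hit. The following Python script is an added example (not part of the exam question or any CompTIA material) that shows one way to automate that correlation over netflow export lines. All addresses, subnets, byte counts, the 50 MB threshold and the six-hour staging window are constructed assumptions for illustration; the watchlist address is taken from the TEST-NET-3 documentation range.

```python
"""Correlate netflow records against an IP watchlist to surface a
stage-then-exfiltrate pattern: an internal server sends a large flow to a
watchlisted address, and register hosts pushed data to that same server
shortly beforehand.

Added example, not from the original page. Every address, threshold and
sample record below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    nbytes: int


# Assumed environment (constructed): retail register LAN and a watchlisted C2 address.
REGISTER_NET = ip_network("10.20.0.0/24")
WATCHLIST = {"203.0.113.77"}
EXFIL_THRESHOLD = 50_000_000          # a single flow >= 50 MB counts as "large" (assumed)
STAGING_WINDOW = timedelta(hours=6)   # look back this far for register -> server pushes (assumed)

# Constructed sample netflow export: ts,src,dst,bytes
SAMPLE_NETFLOW = [
    "# ts,src,dst,bytes  (constructed sample data)",
    "2023-11-04T01:10:00,10.20.0.11,10.1.5.40,41000000",   # register -> corporate server
    "2023-11-04T01:12:00,10.20.0.12,10.1.5.40,38000000",   # register -> corporate server
    "2023-11-04T02:00:00,10.1.9.5,10.1.5.40,5000000",      # corporate workstation, not a register
    "2023-11-04T02:30:00,10.20.0.11,10.1.5.40,35000000",   # register -> corporate server
    "2023-11-04T03:05:00,10.1.5.40,203.0.113.77,112000000",  # corporate server -> watchlist (exfil)
    "2023-11-04T03:20:00,10.1.5.40,198.51.100.9,2000",     # unrelated small flow
    "2023-11-04T14:00:00,10.20.0.13,10.1.5.40,1500000",    # after the exfil, outside the window
    "2023-11-05T03:00:00,10.1.5.40,203.0.113.77,1000",     # watchlist hit but tiny (beacon-sized)
]


def parse_netflow(lines):
    """Parse 'ts,src,dst,bytes' lines, skipping blanks and '#' comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split(",")
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def find_exfil_flows(flows, watchlist=WATCHLIST, threshold=EXFIL_THRESHOLD):
    """Large flows whose destination is on the watchlist."""
    return [f for f in flows if f.dst in watchlist and f.nbytes >= threshold]


def find_staging_sources(flows, exfil, window=STAGING_WINDOW, register_net=REGISTER_NET):
    """Bytes pushed to the exfiltrating server by register hosts in the window before it."""
    totals = {}
    for f in flows:
        if f.dst != exfil.src or not (exfil.ts - window <= f.ts < exfil.ts):
            continue
        if ip_address(f.src) in register_net:
            totals[f.src] = totals.get(f.src, 0) + f.nbytes
    return totals


def correlate(lines):
    """Return one finding per large watchlist flow, with the registers that fed it."""
    flows = parse_netflow(lines)
    findings = []
    for ex in find_exfil_flows(flows):
        findings.append({
            "exfil_ts": ex.ts.isoformat(),
            "staging_server": ex.src,
            "c2": ex.dst,
            "exfil_bytes": ex.nbytes,
            "staging": find_staging_sources(flows, ex),
        })
    return findings


def run_sample():
    """Run the correlation over the constructed sample data."""
    return correlate(SAMPLE_NETFLOW)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The 1 KB flow to the watchlisted address on the second day is deliberately left below the threshold: it is the kind of beacon an analyst would still want to see in the IPS alerts, but it is the large transfers at alert time, fed by register pushes in the preceding hours, that distinguish staged exfiltration from a mere watchlist contact.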