Anomalous Login Attack Detected at Financial Organization

The Network:

A large Managed Service Provider (MSP) uses EventTracker SIEM + SOC-as-a-Service (SOCaaS) from Netsurion for their end clients. The impacted end client is in the financial services industry where compliance, trust, and relationship are paramount.

The Expectation:

Although up-to-date security products like anti-virus and firewalls are in place, hackers can still bypass defenses. Continuous monitoring and remediation are needed to detect stealthy attacks – especially against those with privileged login access.

The Catch:

Login attempts were conducted by IP address 36.7.106.82 to the Remote Desktop Protocol (RDP) port with multiple commonly used names like “admin”, “administrator”, “user”, and “test”. The login attempts were not an intensive brute force attack, as the EventTracker SOC only observed four attempts per hour. These delayed login attempts were a low and slow type of Anomalous Login attack meant to evade detection. However, the EventTracker Security Operations Center (SOC) quickly detected the suspicious logins. The table below outlines some of the locations, IP addresses, and techniques used by the attacker.

IP Address IP Reputation (IPVoid) IP Geolocation Technique involved in type of attack
92.63.194.240 6/116 Russia RDP Brute-Force/Port Scan
185.156.177.148 5/116 Russia RDP Brute-Force/Port Scan/Web App Attack
193.188.23.7 1/116 Russia RDP Brute-Force
193.200.241.77 2/116 Germany RDP Brute-Force/Port Scan/Hacking
185.156.177.25 3/116 Russia RDP Brute-Force
40.68.46.9 3/116 Netherlands RDP Brute-Force

On seeing the alert, the EventTracker SOC quickly performed an analysis that confirmed that the IP address reputation was poor. The SOC then investigated the pattern of the login attempts. With the assistance of machine learning, the EventTracker SOC analysts could see that the IP address was noted for the first time. The SOC sent a notification email and then telephoned the MSP partner to further determine if logins from those three countries were valid. The MSP partner was very interested in learning more about the detection of suspicious traffic and to understand the tactics, techniques, and procedures (TTPs) of the attacker. The end client confirmed that they had no association with the blocked IP addresses. The MSP’s financial services client was happy with the blocking feature of the EventTracker platform and its natively integrated Endpoint Detection and Response (EDR).

The Find:

Anomalous login attacks enable hackers to gain access to systems to steal sensitive data to be monetized or potentially for espionage. Once inside the client systems, an attacker could move horizontally to spread the damage further. Based on a geolocation analysis, the suspicious login attempts originated from Russia, China, and Germany – all locations where the financial services firm had no operations. The anomalous login attempts occurred repeatedly for a designated time, indicating an attempt to guess system admin (sysadmin) passwords.

The Fix:

The EventTracker SOC quickly notified the admin to block external access from the attacker’s IP address. Critical recommendations for the MSP and end-user client included:

  • Resetting passwords for privileged access accounts like sysadmins
  • Implementing two-factor authentication (2FA)
  • Using updated NIST compliance best practices for user and system passwords
  • Incorporating the latest patches on applications
  • Maintaining comprehensive Security Information and Event Management (SIEM) monitoring to look for any subsequent attacks

The Lesson:

Defense-in-depth protection is crucial as cybersecurity attacks are always constant threats to financial institutions. Prevention technology alone is insufficient to thwart today’s persistent and well-funded hackers. Proactive mitigation steps are essential for rapid detection and mitigation to protect sensitive assets, intellectual property, and reputational risk. Continuous monitoring from the EventTracker SOC ensures 24/7/365 visibility and blocking of anomalous login attacks. Learn more about how Netsurion protects the financial services industry against advanced threats from cyber criminals.