Backup Server Blasted at Marketing Solutions Company

The Network:  Our customer is a leading digital marketing solutions company that empowers millions to find apartments and houses for rent.  A dedicated IT team manages hundreds of servers, workstations, and network equipment at the HQ location along with 24/7 monitoring by the EventTracker Security Operations Center (SOC). The company wants to protect its valuable database of digital contacts and online credentials along with sensitive financial data from rental agreements.

The Expectation: Regular backup of servers and workstations is a critical IT task to recover from a hardware failure or infection. The company invested in an online backup solution but implemented the software at a central server for administrative ease.

The Catch: The EventTracker SOC detected several thousand inbound connections originating in both the U.S. and Russia from more than 550 unique IP addresses. Many of these inbound connections targeted backup servers at the digital marketing agency and originated from IP addresses with poor reputations and a known history of serving up malware.

The Find: The connections were targeting open ports 4280,4282,4285 and 4287 that were required by the backup server. EventTracker analysts identified reported vulnerabilities for this software, including a critical remote code execution weakness. A remote code attack against v5.x allows attacks to originate from anywhere in the world, which on successful exploit creates an RMI server that listens on a TCP port and desterilizes objects sent by TCP clients.

The Fix: The EventTracker SOC team issued a Priority 1 alert to the marketing company’s administrator to block external port access and update the software to mitigate the known vulnerability.

The Lesson: Attackers will discover every open port and fingerprint the possible software using it to target any known vulnerabilities. Constant vigilance is required in addition to careful network design. More than 90% of successful attacks use known and published vulnerabilities, highlighting the importance of regular patching. EventTracker SIEMphonic strengthens security defenses and enhances the skills and capabilities of IT teams.