The Network: A managed service provider (MSP) implemented the EventTracker Co-managed SIEM service for a healthcare non-profit. Operating in over 140 countries, the non-profit distributes medicine, medical supplies and humanitarian aid across the globe. The organization’s executive director wants to protect their sensitive and valuable assets: medicine, supply chain connections such as corporate donors, financial data like credit cards, and a brand reputation built over 20 years of service to impoverished countries.
The Expectation: Protect the healthcare non-profit’s sensitive data by restricting privileged access to the organization’s system admin, who follows password best practices such as minimum password length, password complexity, and avoiding password reuse. The EventTracker SOC’s comprehensive 24/7 cybersecurity monitoring also enables rapid detection of suspicious behavior and quick mitigation of threats before damage occurs. Finally, enable offsite employees to access corporate resources safely via remote access connections when traveling or working away from the office.
The Catch: The EventTracker analyst monitoring the infrastructure of the not-for-profit organization encountered excessive login attempts on an internet-facing Remote Desktop server. An adversary can hijack login credentials and identities in order to 1) sell the stolen credentials in criminal marketplaces; 2) deploy financially-motivated ransomware; 3) implement politically-motivated actions targeted at countries or governments such as those facing civil conflict; or 4) infiltrate a small and medium-sized organization to gain access to larger supply chain partners.
The Find: The EventTracker SOC uncovered an adversary attempting to log in to the non-profit’s systems using a brute force dictionary attack. A dictionary attack occurs when a threat actor tries to find a sys admin password by trial and error, typically with specialized tools and hardware that cycle through lists of likely user names and passwords. Over 80% of data breaches in 2017 utilized compromised credentials and weak passwords such as this one.
The EventTracker SOC detected every detail of this brute force attack and provided detailed remediation recommendations to the MSP for sharing with the healthcare non-profit. See Figure 1 for an anonymized alphabetic list of the adversary’s attempted user names on the domain controller responsible for authentication and logins.
Once it had uncovered a valid user name on the system, the adversary turned to brute-forcing a viable password for that account in order to gain access.
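The two-phase pattern the SOC saw (alphabetic user-name guessing, then password guessing once a real account turns up) is exactly what a SIEM correlation rule has to pick out of the failed-logon stream. The script below is an added example written for this page, not EventTracker’s own rule logic or code. It parses constructed log lines modelled on Windows Security event 4625 fields (logon type 10 is RemoteInteractive/RDP; sub-status 0xC0000064 means the user name does not exist, 0xC000006A means the password was wrong), counts failures per source address in a sliding window, separates the enumeration phase from the password-guessing phase, and emits the Priority 1 recommendation to block the address at the perimeter. The line format, thresholds, IP addresses and user names are assumptions made for the example.

```python
"""Flag RDP brute-force / dictionary attacks in Windows failed-logon events.

Example code written for this case study; the line format and thresholds
are assumptions, not a real SIEM rule syntax.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). 203.0.113.45 walks an
# alphabetic user-name list, finds that "alice" exists, then guesses her
# password. 198.51.100.7 is a user who mistyped a password once, and the
# last line is a non-RDP logon that the detector must ignore.
SAMPLE_LOG = """\
2019-03-04T02:10:01Z EventID=4625 LogonType=10 TargetUserName=aaron SubStatus=0xC0000064 IpAddress=203.0.113.45
2019-03-04T02:10:03Z EventID=4625 LogonType=10 TargetUserName=abby SubStatus=0xC0000064 IpAddress=203.0.113.45
2019-03-04T02:10:05Z EventID=4625 LogonType=10 TargetUserName=adam SubStatus=0xC0000064 IpAddress=203.0.113.45
2019-03-04T02:10:07Z EventID=4625 LogonType=10 TargetUserName=adrian SubStatus=0xC0000064 IpAddress=203.0.113.45
2019-03-04T02:10:09Z EventID=4625 LogonType=10 TargetUserName=alan SubStatus=0xC0000064 IpAddress=203.0.113.45
2019-03-04T02:10:11Z EventID=4625 LogonType=10 TargetUserName=albert SubStatus=0xC0000064 IpAddress=203.0.113.45
2019-03-04T02:10:13Z EventID=4625 LogonType=10 TargetUserName=alex SubStatus=0xC0000064 IpAddress=203.0.113.45
2019-03-04T02:10:15Z EventID=4625 LogonType=10 TargetUserName=alice SubStatus=0xC000006A IpAddress=203.0.113.45
2019-03-04T02:10:17Z EventID=4625 LogonType=10 TargetUserName=alice SubStatus=0xC000006A IpAddress=203.0.113.45
2019-03-04T02:10:19Z EventID=4625 LogonType=10 TargetUserName=alice SubStatus=0xC000006A IpAddress=203.0.113.45
2019-03-04T02:10:21Z EventID=4625 LogonType=10 TargetUserName=alice SubStatus=0xC000006A IpAddress=203.0.113.45
2019-03-04T02:10:23Z EventID=4625 LogonType=10 TargetUserName=alice SubStatus=0xC000006A IpAddress=203.0.113.45
2019-03-04T02:14:02Z EventID=4625 LogonType=10 TargetUserName=bob SubStatus=0xC000006A IpAddress=198.51.100.7
2019-03-04T02:15:30Z EventID=4625 LogonType=3 TargetUserName=svc-backup SubStatus=0xC000006A IpAddress=10.0.0.9
"""

# Real event 4625 sub-status codes; the line layout itself is an assumption.
UNKNOWN_USER = "0xC0000064"
BAD_PASSWORD = "0xC000006A"
RDP_LOGON_TYPE = "10"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) SubStatus=(?P<sub>0x[0-9A-Fa-f]+) "
    r"IpAddress=(?P<ip>\S+)$"
)


def parse_events(text):
    """Return failed-logon (4625) events as dicts; skip lines that don't parse."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("event") != "4625":
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def _max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_rdp_bruteforce(events, window=timedelta(minutes=10), min_attempts=10):
    """Group RDP failures by source IP and flag addresses that exceed the
    threshold, classifying which phase of the dictionary attack is visible."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["ltype"] == RDP_LOGON_TYPE:
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, evs in sorted(by_ip.items()):
        if _max_in_window([e["ts"] for e in evs], window) < min_attempts:
            continue  # below threshold: ordinary typos, not an attack
        unknown = sorted({e["user"] for e in evs if e["sub"] == UNKNOWN_USER})
        targets = sorted({e["user"] for e in evs if e["sub"] == BAD_PASSWORD})
        if unknown and targets:
            phase = "enumeration then password guessing"
        elif unknown:
            phase = "user name enumeration"
        else:
            phase = "password guessing against existing accounts"
        findings.append({
            "ip": ip,
            "failures": len(evs),
            "unknown_users": unknown,
            "bad_password_targets": targets,
            "phase": phase,
            "recommendation": (
                f"Priority 1: block {ip} on the perimeter firewall; confirm "
                f"lockout policy and reset passwords for {', '.join(targets) or 'n/a'}"
            ),
        })
    return findings


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"{f['ip']}: {f['failures']} RDP failures, phase: {f['phase']}")
        print(f"  unknown names tried: {', '.join(f['unknown_users'])}")
        print(f"  {f['recommendation']}")
```

The rule deliberately keys on the sub-status rather than on the count alone: a burst of 0xC0000064 results from one address is the alphabetic enumeration the SOC observed, and the switch to 0xC000006A against a single name is the moment a real account was found, which is when the block recommendation becomes urgent.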
The Fix: The EventTracker SOC analyst immediately notified the MSP of this Priority 1 incident with recommendations to block the IP address on the perimeter firewall. Quick action is vital to ensure that these dictionary attacks are stopped before a usable login is uncovered, allowing threat actors to gain access and move laterally within the organization from seemingly innocuous systems to highly sensitive ones or to linked systems with supply chain partners like pharmaceutical firms or banks.
The Lesson: Remote Desktop Protocol (RDP) servers should not be deployed facing the internet. In most organizations, remote access via a Virtual Private Network (VPN) provides stronger security than permitting the RDP protocol to pass through the firewall. Other cybersecurity recommendations include:
- Utilize strong passwords and multi-factor authentication (MFA)
- Implement account lockouts after too many login attempts
- Use regular vulnerability scanning to detect remote access vulnerabilities before adversaries find them
- Review logs / SIEM reports regularly to look for suspicious behavior
- Remain vigilant, as cybercriminals are persistent and ever-evolving