From the Overwatch Threat Intel Team:
Over the last 24 hours, the Overwatch Security Operations Center observed a wide-scale and significant cyberattack using brute force login attempts across multiple industries. The attack surface appears to be Internet-facing SSLVPN services, and SSLVPN is the common thread across the attacks. The attacks are active and ongoing.
The brute force logins we are currently seeing are followed by successful logins. In some cases the successful logins are legitimate, but the community is seeing active intrusions. After gaining access, the attackers may run traceroutes and other tools that appear to be mapping the networks they have entered.
Two Event IDs of Interest to Search:
- Event ID 4776 with status 0x0:
This is the “The computer attempted to validate the credentials for an account” event; a status of 0x0 indicates the authentication was successful. It is typically generated by NTLM authentication rather than Kerberos. For these successful authentications we do not see any associated workstation name in the event log, which indicates the logins are coming from outside the network.
- Event ID 6273:
This is the “Network Policy Server denied access to a user” event. It is typically tied to a RADIUS (IAS) or Network Policy Server (NPS) access method. While it is normal to see some of these alerts from time to time, you may be experiencing a significant increase in their volume.
Another distinctive aspect of this attack is that the usernames targeted are often not generic or alphabetical spray attempts. The usernames attempted are typically specific to that business and unique, ones an attacker would not be expected to know existed in the network. We have not seen indications of how the attackers learned those specific usernames.
Overwatch Managed Cybersecurity Recommendations:
- Review event logs for Event ID 4776 with status 0x0 and Event ID 6273
- Reset any passwords associated with successful authentications that match the event IDs above
- Enforce MFA on all accounts possible
- Temporarily restrict access to Internet-accessible SSLVPN interfaces
- Block the source IPs listed below
- Look for any abnormal communications or access events logged
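As an added example (not part of the advisory and not Overwatch's tooling), the Python below applies the two event-ID checks described above and the first two recommendations to a constructed set of events in the shape a `Get-WinEvent` JSON export would give: it lists 4776 successes (status 0x0) with no source workstation, flags usernames that accumulated failed validations before a success as password-reset candidates, and compares hourly 6273 volume against the other hours to surface a spike. Field names follow the 4776 and 6273 event XML; the sample values, the failure threshold and the spike ratio are assumptions chosen for illustration.

```python
"""Added example: hunting for the advisory's two Security-log indicators over a
constructed sample of events (not real log data and not Overwatch's tooling).
Field names follow the Windows event XML for 4776 (TargetUserName, Workstation,
Status) and 6273 (SubjectUserName); the values, the failure threshold and the
spike ratio are assumptions chosen for illustration."""
from collections import Counter
from statistics import median


def _ev(event_id, time_created, **fields):
    """Build one event dict in the shape a Get-WinEvent JSON export would give."""
    return {"EventID": event_id, "TimeCreated": time_created, **fields}


# Constructed sample events (all values made up).
SAMPLE_EVENTS = [
    # Normal internal login: success with a source workstation present.
    _ev(4776, "2024-05-01T08:00:00", TargetUserName="alice", Workstation="WS-ALICE", Status="0x0"),
    # Three bad-password failures (0xC000006A) against 'bsmith' with no workstation,
    # then a successful validation (0x0), still with no workstation.
    _ev(4776, "2024-05-01T08:05:00", TargetUserName="bsmith", Workstation="", Status="0xC000006A"),
    _ev(4776, "2024-05-01T08:05:10", TargetUserName="bsmith", Workstation="", Status="0xC000006A"),
    _ev(4776, "2024-05-01T08:05:20", TargetUserName="bsmith", Workstation="", Status="0xC000006A"),
    _ev(4776, "2024-05-01T08:06:00", TargetUserName="bsmith", Workstation="", Status="0x0"),
    # Failures against an account that does not exist (0xC0000064).
    _ev(4776, "2024-05-01T08:07:00", TargetUserName="admin", Workstation="", Status="0xC0000064"),
]
# NPS denials: a baseline of 2 per hour for three hours, then 40 in one hour.
for hour in range(5, 8):
    for minute in (0, 20):
        SAMPLE_EVENTS.append(_ev(6273, f"2024-05-01T{hour:02d}:{minute:02d}:00",
                                 SubjectUserName="carol", ReasonCode="16"))
for minute in range(40):
    SAMPLE_EVENTS.append(_ev(6273, f"2024-05-01T08:{minute:02d}:00",
                             SubjectUserName=f"user{minute % 7}", ReasonCode="16"))


def successful_external_4776(events):
    """4776 events with Status 0x0 and an empty Workstation field: the advisory's
    sign that a successful NTLM validation came from outside the network."""
    return [e for e in events
            if e["EventID"] == 4776
            and int(e["Status"], 16) == 0
            and not e["Workstation"]]


def sprayed_then_succeeded(events, min_failures=3):
    """Usernames that accumulated at least min_failures failed 4776 validations
    and then validated successfully. Returns {username: failures_before_success};
    these are the password-reset candidates from the recommendations."""
    failures = Counter()
    hits = {}
    auth_events = sorted((e for e in events if e["EventID"] == 4776),
                         key=lambda e: e["TimeCreated"])
    for e in auth_events:
        user = e["TargetUserName"].lower()
        if int(e["Status"], 16) == 0:
            if failures[user] >= min_failures:
                hits[user] = failures[user]
        else:
            failures[user] += 1
    return hits


def nps_denial_spike(events, ratio=5.0):
    """Hourly 6273 counts plus the hours whose count exceeds ratio times the
    median of the other hours (a simple 'significant increase' check)."""
    per_hour = Counter()
    for e in events:
        if e["EventID"] == 6273:
            per_hour[e["TimeCreated"][:13]] += 1   # 'YYYY-MM-DDTHH'
    spikes = {}
    for hour_key, count in per_hour.items():
        others = [c for h, c in per_hour.items() if h != hour_key]
        if others and count > ratio * median(others):
            spikes[hour_key] = count
    return dict(per_hour), spikes


if __name__ == "__main__":
    for e in successful_external_4776(SAMPLE_EVENTS):
        print("external success:", e["TargetUserName"], e["TimeCreated"])
    print("reset candidates:", sprayed_then_succeeded(SAMPLE_EVENTS))
    print("NPS denial spikes:", nps_denial_spike(SAMPLE_EVENTS)[1])
```

The median of the other hours is used as the baseline so that the spike hour itself does not inflate the comparison; on real exports, replace `SAMPLE_EVENTS` with the parsed output of the domain controller's and NPS server's Security logs and tune `min_failures` and `ratio` to the environment's normal failure volume.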
Lastly, through our research and collaboration with Overwatch partners, we are seeing a common set of IP addresses being used in the attack. We have listed them below and will continue to update the list as we get more details.
Resources:
- High Wire Networks partners who have additional questions? Call our Security Operations Center. Our U.S. based security analysts and engineers are ready to assist you 24/7.
- Looking for a managed cybersecurity partner? Send an email to: overwatch@highwirenetworks.com.
- Vendors or threat researchers who would like to collaborate with the Overwatch team on this incident? Reach out to: threatintel@highwirenetworks.com.
Real-time/Updated List of Recommended IPs to Block:
https://github.com/HWNaaronmartin/SSLVPN_IOCs
Blog Contributors:
David Barton, CTO, High Wire Networks
Bob Roberts, Director, Overwatch Security Operations