Overwatch Managed Cybersecurity continues to monitor the brute-force cyberattack as it impacts companies across the country. We are still seeing unique, non-disclosed usernames being brute forced; the questions of why and how remain unanswered.
Our U.S. based security analysts and engineers have worked tirelessly throughout the weekend to monitor the situation and alert customers of any suspicious activity. Please make sure to heed all recommendations listed below and communicate them with your customers.
Latest Findings:
- The botnet started attacking as early as March 15th.
- It appears that after roughly every 6th attempt, a new IP rolls in and tries again.
- In a 12-hour period, Overwatch discovered 1,600 unique IPs just for one customer.
- From threat intelligence shared with other vendors, there could be tens of thousands of unique IP addresses in this botnet.
- We originally noted that this attack was focusing on SSLVPN services.
- While that remains true, we’ve also started to see other Internet facing web applications affected as well.
- To validate if we’re seeing brute force authentications or not, Overwatch is threat hunting using the following:
- The most common Event ID we’re tracking is Event ID 4776, which is NTLM over Kerberos.
- The other is Event ID 6273, which is NPS (RADIUS).
- In threat hunting these logs, Overwatch wrote queries for Event ID 4776 and validated whether the Source Host Name field exists. If it does not exist, we’re seeing VPN traffic or other outside authentications.
- Finally, Overwatch is making sure the target username does not contain $. To validate whether we’re seeing any successful authentications, we drill down further with Status: 0x0.
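The hunting logic above (4776 only, no source host name, no machine accounts, failures counted per user and Status 0x0 flagged as a successful authentication) can be expressed as a small script. This is an added example, not Overwatch's query; it runs over constructed 4776-style records using the event XML field names (`Workstation` is the "Source Workstation" shown in Event Viewer), and a real run would feed it events exported from a domain controller.

```python
"""Hunt Event ID 4776 records for external NTLM brute-force activity (added example)."""
from collections import Counter

# Constructed sample events modelled on 4776 EventData fields; not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4776, "TargetUserName": "jdoe", "Workstation": "", "Status": "0xc000006a"},
    {"EventID": 4776, "TargetUserName": "jdoe", "Workstation": "", "Status": "0xc000006a"},
    {"EventID": 4776, "TargetUserName": "jdoe", "Workstation": "", "Status": "0xc000006a"},
    {"EventID": 4776, "TargetUserName": "svc_backup", "Workstation": "", "Status": "0x0"},
    {"EventID": 4776, "TargetUserName": "WS01$", "Workstation": "", "Status": "0x0"},
    {"EventID": 4776, "TargetUserName": "asmith", "Workstation": "WS02", "Status": "0x0"},
    {"EventID": 4624, "TargetUserName": "asmith", "Workstation": "WS02", "Status": "0x0"},
]


def is_external_4776(event):
    """Keep only 4776 events with no source workstation and a non-machine account."""
    if event.get("EventID") != 4776:
        return False
    if event.get("Workstation"):
        # A populated source workstation means an internal NTLM validation,
        # not VPN or other outside authentication.
        return False
    if "$" in event.get("TargetUserName", ""):
        return False  # computer accounts end in $, skip them
    return True


def hunt(events):
    """Return (failed attempts per user, set of users with a successful external auth)."""
    failures = Counter()
    successes = set()
    for ev in filter(is_external_4776, events):
        user = ev["TargetUserName"]
        if ev.get("Status") == "0x0":
            successes.add(user)  # Status 0x0 = credentials validated
        else:
            failures[user] += 1
    return failures, successes


def alerts(events, threshold=3):
    """Users at or above the failure threshold plus any external success, sorted."""
    failures, successes = hunt(events)
    flagged = {u for u, n in failures.items() if n >= threshold} | successes
    return sorted(flagged)


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))
```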
The botnet itself doesn’t seem to follow any specific country. However, it has the potential to be a massive botnet. The compromised devices coming from the botnet are all over the place: legitimate companies, residential estates, and other bad machines on the Internet.
Most of the User-Agent strings Overwatch is tracking in the traffic logs are Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html) and Mozilla/5.0 zgrab/0.x. They are not especially unique, but the Nmap scans do correlate with the brute-force activity, and most of the user agents tracked so far are at least Mozilla/5.0.
Overwatch Recommendations:
- MFA should be enforced on ALL accounts: admin, service, and user accounts. This has been a sure-fire way to prevent successful authentications.
- Limit publicly facing applications that have authentication services to trusted sources when possible.
- Apply geo-location blocking on the firewall. This doesn’t stop every attempt but will lower the volume.
- Monitor any abnormal activity stemming from these applications.
As this story continues to evolve, Overwatch will continue to provide updates.
Interested in Overwatch U.S. based SOC services? Email: overwatchsales@highwirenetworks.com