Meet your attacker. If you’re looking at the image and are confused by my statement, allow me to clarify.

Several months ago, I was helping a small business recover from a ransomware attack on their network. Thankfully, they had backups of their data and were able to restore their systems within a couple of days. However, this was not the first time they had experienced a ransomware attack. I was called in to review their network and assess it for vulnerabilities and weaknesses.
One significant discovery during my assessment was that their contracted IT support service had exposed two servers directly to the internet over Remote Desktop (RDP, TCP port 3389 by default), most likely to simplify remote administration of the network. Please don’t do this. An RDP port open to the internet attracts would-be attackers, who will hammer it around the clock trying to get in, and that is the subject of this post.
In most cases, a hacker doesn’t know who you are or the address of your server, and doesn’t need to. Many sources on the Internet hand out that information for free: Google, Shodan, internet-wide scanning services, and so on. Attackers use these services to find every host that answers on an RDP port, then point automated tooling at the list.
Computers record what happens on them in logs. On a Windows server, for example, each successful logon is written to the Security event log as event ID 4624, and each failed logon attempt, including a mistyped password, is written as event ID 4625, together with the account name that was tried and the source IP address it came from. This matters because the logs are how you reconstruct what happened on your network, and when.
During a review of my client’s server log files, I observed that there were thousands of failed login attempts, the most recent only a few seconds old. I did a quick refresh and two more failed login attempts had been recorded. My client’s servers were under attack from a would-be hacker. These attacks were focused on the exposed RDP port that led directly to the server. I quickly contacted my client, informed them of the attack, and recommended that I take immediate action to halt it. Having received the client’s approval, I blocked the IP address at the firewall. Upon refreshing the log files, the attack continued; however, it was now coming from a different IP address. After blocking the second IP address, the attack stopped.
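The detection described above, as an added example that is not part of the original post: it groups Windows 4625 (failed logon) records by source IP, flags any source that produces a burst of failures inside a time window, and emits a firewall block list. The log records, IP addresses and account names are constructed for the example, shaped like the fields of an exported 4625 event; the threshold and window values are assumptions to tune for your own environment.

```python
"""Brute-force detection over Windows Security log failed-logon events.

Added example, not code from the original post. The events below are
constructed to mimic the fields of interest on a 4625 record
(TimeCreated, TargetUserName, IpAddress, LogonType); the addresses and
account names are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Well-known Windows Security log event IDs.
EVENT_LOGON_SUCCESS = 4624
EVENT_LOGON_FAILURE = 4625


class LogonEvent(NamedTuple):
    event_id: int
    time: str        # TimeCreated, ISO 8601
    user: str        # TargetUserName
    ip: str          # IpAddress (source of the logon attempt)
    logon_type: int  # 10 = RemoteInteractive; with NLA, failed RDP
                     # attempts are commonly logged as type 3 (Network)


# Constructed sample: a burst from one source, a second burst from a new
# source after the first is blocked (the pattern in the post), and an
# internal user who mistyped a password twice and then got in.
_ROWS = [
    (4625, "2023-03-10T02:14:01", "administrator", "203.0.113.5", 3),
    (4625, "2023-03-10T02:14:09", "admin",         "203.0.113.5", 3),
    (4625, "2023-03-10T02:14:17", "backup",        "203.0.113.5", 3),
    (4625, "2023-03-10T02:14:25", "scanner",       "203.0.113.5", 3),
    (4625, "2023-03-10T02:14:33", "test",          "203.0.113.5", 3),
    (4625, "2023-03-10T02:14:41", "sqlsvc",        "203.0.113.5", 3),
    (4625, "2023-03-10T02:14:49", "guest",         "203.0.113.5", 3),
    (4625, "2023-03-10T02:14:57", "support",       "203.0.113.5", 3),
    (4625, "2023-03-10T02:31:10", "administrator", "198.51.100.77", 3),
    (4625, "2023-03-10T02:31:14", "admin",         "198.51.100.77", 3),
    (4625, "2023-03-10T02:31:18", "administrator", "198.51.100.77", 3),
    (4625, "2023-03-10T02:31:22", "admin",         "198.51.100.77", 3),
    (4625, "2023-03-10T02:31:26", "administrator", "198.51.100.77", 3),
    (4625, "2023-03-10T02:31:30", "admin",         "198.51.100.77", 3),
    (4625, "2023-03-10T08:02:11", "jsmith",        "192.168.1.20", 10),
    (4625, "2023-03-10T08:02:30", "jsmith",        "192.168.1.20", 10),
    (4624, "2023-03-10T08:02:45", "jsmith",        "192.168.1.20", 10),
]
SAMPLE_EVENTS = [LogonEvent(*row) for row in _ROWS]


def failed_logons_by_source(events):
    """Group (timestamp, username) of each failed logon by source IP."""
    by_ip = defaultdict(list)
    for e in events:
        if e.event_id == EVENT_LOGON_FAILURE:
            by_ip[e.ip].append((datetime.fromisoformat(e.time), e.user))
    return by_ip


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failures inside any window-long span.

    Uses a sliding window over the sorted timestamps of each source, so a
    slow trickle of failures spread over a day is not flagged while a
    burst is. Returns {ip: summary} for flagged sources only.
    """
    findings = {}
    for ip, attempts in failed_logons_by_source(events).items():
        attempts.sort()
        times = [t for t, _ in attempts]
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = {
                "peak_in_window": peak,
                "total_failures": len(times),
                "distinct_users": len({u for _, u in attempts}),
                "first": times[0].isoformat(),
                "last": times[-1].isoformat(),
            }
    return findings


def blocklist(events, **kwargs):
    """Source IPs to block at the perimeter firewall, earliest first."""
    findings = detect_bruteforce(events, **kwargs)
    return sorted(findings, key=lambda ip: findings[ip]["first"])


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_EVENTS).items():
        print(ip, summary)
    print("block:", blocklist(SAMPLE_EVENTS))
```

On a real server the input would come from the Security log itself, for instance `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}` in PowerShell, exported and mapped onto the same fields. The distinct-user count is what separates a credential-list brute force (many usernames from one IP) from repeated guesses against a single account, and the threshold has to sit above what a legitimate user produces by mistyping, which is why the internal source with two failures is not flagged at the default setting.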
In a post-assessment of the attack, it was clear the hacker had used automation to brute-force the servers. The attacker was working from a list of thousands of username and password combinations, and each failed login attempt in the log corresponded to one pair from that list. Ultimately, there is a human behind the scenes attempting to access your infrastructure for nefarious purposes. However, these processes are now so automated that the hacker could be at the local coffee shop sipping a vanilla latte while his computer searches the Internet for a vulnerable server and then runs scripts to attempt the break-in.
What can you do to protect your business’s information assets from attack? It’s important to know what your exposure is and to minimize it with practices that deny easy access to your infrastructure: don’t expose RDP directly to the internet, but reach it through a VPN or restrict the firewall rule to known source addresses; enable an account lockout policy so that a password list burns out after a handful of guesses; use strong, unique passwords for every account, with multi-factor authentication where it is available; and review the Security log regularly for bursts of failed logons. You can certainly help yourself by going to www.whatsmyip.com and then pasting your IP address into www.shodan.io. If you see a message that no results are found, that’s a great start, though not proof of safety, since Shodan only shows what its last scan of your address observed.