Avast deploys hardened self-defense and wider intelligence industry collaboration

At Avast, we constantly work hard to stay ahead of the bad guys and to fight off attacks on our users. Global software companies are increasingly being targeted for disruptive attacks, cyber-espionage and even nation-state level sabotage, as evidenced by the many reports of data breaches and supply chain attacks over the last few years. It is therefore not so surprising that we ourselves could be a target.

On September 23, we identified suspicious behavior on our network and instigated an immediate, extensive investigation. This included collaborating with the Czech intelligence agency, Security Information Service (BIS), and an external forensics team to provide additional tooling to assist our efforts and verify the evidence that we were collecting.

The evidence we gathered pointed to activity on MS ATA/VPN on October 1, when we re-reviewed an MS ATA alert of a malicious replication of directory services from an internal IP that belonged to our VPN address range, which had originally been dismissed as a false positive.

The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges. The connection was made from a public IP hosted out of the UK and we determined the attacker also used other endpoints through the same VPN provider.

After further analysis, we found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA. When analyzing the external IPs, we found that the actor had been attempting to gain access to the network through our VPN as early as May 14 of this year. On Oct 4, we observed this activity again.

Timestamps for the suspicious activity flagged by MS ATA are (all times GMT+2):

The logs further showed that the temporary profile had been used by multiple sets of user credentials, leading us to believe that they were subject to credential theft. In order to track the actor, we left open the temporary VPN profile, continuing to monitor and investigate all access going through the profile until we were ready to conduct remediation actions.
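The triage steps the post describes (attributing a directory-replication alert from the VPN address range back to the VPN session that held the IP, checking whether that session's profile required 2FA, and spotting a profile used by several different accounts) can be scripted over VPN session records. The following is an added illustration, not Avast's tooling or logs; the VPN pool, profile names, accounts, IPs and timestamps are all constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample data modelled on the post's scenario (not real logs).
VPN_RANGE = ipaddress.ip_network("10.99.0.0/24")  # assumed internal VPN address pool

VPN_SESSIONS = [
    # (profile, username, assigned internal IP, external source IP, mfa_required, start, end)
    ("temp-contractor", "alice", "10.99.0.17", "203.0.113.5",  False, "2019-10-01 02:10", "2019-10-01 05:40"),
    ("temp-contractor", "bob",   "10.99.0.23", "203.0.113.9",  False, "2019-10-04 01:05", "2019-10-04 03:30"),
    ("corp-standard",   "carol", "10.99.0.40", "198.51.100.2", True,  "2019-10-01 08:00", "2019-10-01 17:00"),
]

ALERTS = [
    # (timestamp, alert type, source internal IP) as an ATA-style alert would report them
    ("2019-10-01 03:15", "malicious replication of directory services", "10.99.0.17"),
    ("2019-10-04 02:20", "malicious replication of directory services", "10.99.0.23"),
    ("2019-10-01 09:00", "malicious replication of directory services", "10.20.0.5"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def attribute_alerts(alerts, sessions, vpn_range):
    """Map each alert sourced from the VPN pool to the session holding that IP at the time.
    An alert from the VPN range is not a false positive by default: it has a remote origin."""
    findings = []
    for when, kind, src in alerts:
        if ipaddress.ip_address(src) not in vpn_range:
            continue  # not VPN-originated; out of scope for this check
        t = _ts(when)
        for profile, user, ip, ext, mfa, start, end in sessions:
            if ip == src and _ts(start) <= t <= _ts(end):
                findings.append({"time": when, "alert": kind, "profile": profile,
                                 "user": user, "external_ip": ext, "mfa": mfa})
    return findings

def profiles_with_shared_credentials(sessions):
    """Profiles used by more than one account: the pattern the post read as credential theft."""
    users = defaultdict(set)
    for profile, user, *_ in sessions:
        users[profile].add(user)
    return {p: sorted(u) for p, u in users.items() if len(u) > 1}

def no_mfa_profiles(findings):
    """Profiles behind attributed alerts that did not require 2FA; candidates for remediation."""
    return sorted({f["profile"] for f in findings if not f["mfa"]})
```

Running `attribute_alerts(ALERTS, VPN_SESSIONS, VPN_RANGE)` ties both VPN-range alerts to sessions on the same non-2FA profile and surfaces their external source IPs for further pivoting.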