A New Type of Cyber Attack Identified by Protected Harbor
While monitoring a large client’s infrastructure last week, our technicians were alerted by a series of infection notices. Taking action rapidly, we managed to stop the attacker in their tracks. However, a question remained on all of our minds: how did the hacker manage to break into this client’s system in the first place? We sat there wondering how the attacker was able to get through our firewalls when so many other attackers, who try daily, fail.
At Protected Harbor, our team doesn’t just work to stop cyber security attacks; we go back to the beginning to fill in the blanks of how something like this was able to occur given our defenses. While combing through our systems, we noticed that a series of our servers had been attacked, and we found that the source was several IP (Internet Protocol) addresses, meaning this attack wasn’t done from just one computer. This was a coordinated attack.
We then went on to search for any possible patterns among the user IDs that were used, and sure enough, there were. In this case, the attackers appear to have been using the same user ID to try to break in, and that repeatedly used ID had not logged into the system for an extended period beforehand. As it turns out, the user ID that was unsuccessfully trying to log in belonged to an employee who no longer worked for the company.
According to our lead technician Nicholas Solimando, “There was an infected file that was found in the profile of a user who had been terminated. We isolated the file and removed it, and then came to find from the client that that user had been terminated along with around 4500 other names that they hadn’t told us about.”
Though the user IDs were inactive, the profiles were still present on their servers. Our team then went on to create a script that would take their list of 4500 names as input, iterate through the list, and, for each entry, scan each of their servers and remove the corresponding profile.
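A script of the kind described above, as an added example (not Protected Harbor’s own code): it takes a list of terminated usernames and, for each server, reports and optionally removes the matching Windows user profiles. It assumes Windows servers reachable over WinRM/CIM with administrative rights; the server names and usernames are constructed placeholders.

```powershell
# Added example: report (and with -Remove, delete) local Windows profiles that belong to
# terminated users. Runs as a dry run unless -Remove is given.
param(
    # Constructed sample list; in practice pass -Terminated (Get-Content terminated-users.txt)
    [string[]]$Terminated = @('jdoe', 'asmith', 'bwilliams'),
    # Placeholder server names; replace with the real inventory.
    [string[]]$Servers = @('SRV-PLACEHOLDER-01', 'SRV-PLACEHOLDER-02'),
    [switch]$Remove
)

$wanted = $Terminated | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ }

foreach ($server in $Servers) {
    try {
        # Win32_UserProfile lists every profile the server has ever loaded, even for
        # accounts that have since been disabled or deleted in the directory.
        $profiles = Get-CimInstance -ClassName Win32_UserProfile -ComputerName $server -ErrorAction Stop
    } catch {
        Write-Warning "$server : cannot query profiles ($($_.Exception.Message))"
        continue
    }
    foreach ($p in $profiles) {
        # Match on the profile folder name (C:\Users\jdoe or C:\Users\jdoe.CORP -> jdoe).
        # Adjust the split if your usernames themselves contain dots.
        $name = ((Split-Path $p.LocalPath -Leaf) -split '\.')[0].ToLowerInvariant()
        if ($wanted -notcontains $name) { continue }
        if ($p.Special -or $p.Loaded) {
            # Never touch built-in profiles; a loaded profile for a terminated user means
            # the account is in use right now, which is itself a finding to investigate.
            Write-Warning "$server : $name skipped (Special=$($p.Special) Loaded=$($p.Loaded))"
            continue
        }
        Write-Output "$server : stale profile $($p.LocalPath) (SID $($p.SID), last use $($p.LastUseTime))"
        if ($Remove) {
            # Remove-CimInstance on a Win32_UserProfile deletes the folder and its registry entry.
            Remove-CimInstance -InputObject $p -ErrorAction Stop
            Write-Output "$server : removed $($p.LocalPath)"
        }
    }
}
```

Run it once without -Remove and keep the output as the audit record before deleting anything.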
This also led us to work with the client to establish a notification and communication procedure between us and their HR department, solving the core issue.
Nick Solimando left us with some solid final advice for other companies who may be experiencing a similar issue or other types of cyber attacks: “Keeping up to date with your active user base is critical to reducing threat surface and keeping your systems protected.”