Stories from the SOC – Inactive Account Exploitation

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive summary

One of the primary ways that adversaries gain access to environments is through valid credentials. Because of this, maintaining and auditing user accounts is an integral part of a good security posture. When an employee leaves a company or organization, all associated accounts should be removed and their permissions revoked. If these accounts are not removed, they are a potential avenue for attackers to enter a network. Attackers often leverage compromised accounts to gain a foothold in an organization’s environment and move across the network while remaining hidden. Once inside, threat actors can elevate user privileges and cause serious harm to the organization, such as sabotaging critical infrastructure or exfiltrating confidential information or intellectual property.

The AT&T Managed Threat Detection and Response (MTDR) SOC analyst team received an alarm for a successful logon to Office 365 from a foreign location for one of its customers. After investigating, we discovered that the account belonged to an ex-employee of that organization and had not been properly deactivated. An attacker was able to exploit this gap and gain access to the account through brute force from sources all over the world. The team quickly reacted to the threat and assisted the customer in containing it while mitigating follow-on actions.

Investigation

Initial alarm review

Indicators of Compromise (IOC)

The initial alarm was triggered by a custom rule alerting the MTDR analysts that one of the customer’s users had successfully logged in to Office 365 from a foreign country. Custom alarms can be created by the MTDR team and are tailored specifically to customer requests. Because they encode what is normal for a particular environment, these custom alarms can provide earlier warning of a potential attack specific to the customer’s environment.

Expanded investigation

Events search

A review of the event log indicated that the user had successfully logged in from a foreign country. On its own this may not seem suspicious, but for this customer we do not often observe logins from different parts of the world. With the adoption of work-from-home across many organizations, we see foreign or multiple-source-country logins almost every day. However, regardless of how routine this seems, it is critical that security professionals perform their due diligence on this type of activity. To rule out the possibility of a compromised account, the team broadened their investigation to gather more information.

Event deep dive

As the custom MTDR rule was designed, any login from an outside location is treated as an anomaly. Upon further review of the user’s history, the team discovered there had been no activity within the last 90 days. No activity for short periods is not necessarily abnormal, but it was suspicious for a user to have absolutely zero activity for 90 days, only to log back in from multiple countries. In fact, we found that almost 1,000 failed login attempts had been made against the user’s account from malicious IP addresses in 49 countries.
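The three signals the analysts combined here, a successful sign-in from outside the customer’s usual countries, a long gap since the account’s last activity, and a burst of failed attempts from many countries just before the success, can be expressed as one enrichment rule. The script below is an added example, not code from the AT&T post or from the MTDR platform: the log line format, the field names, the home-country list, the 7-day spray look-back and the sample sign-in records are all constructed for illustration. It raises the foreign-login alarm as the custom rule did, then grades it by dormancy and by the number of distinct countries behind the preceding failures.

```python
"""
Added example (not part of the original post): enrich a "foreign successful
sign-in" alarm with account dormancy and preceding failed-attempt context.
Log format, field names and sample data are constructed assumptions, loosely
modelled on Office 365 sign-in events rather than the real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_COUNTRIES = {"US"}           # assumption: where this customer normally signs in from
DORMANT_DAYS = 90                 # the gap that made the analysts suspicious
SPRAY_WINDOW = timedelta(days=7)  # assumption: look-back for failed attempts before a success
SPRAY_COUNTRIES = 3               # assumption: distinct failure countries that indicate a spray


def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> <user> <country> <SUCCESS|FAILURE>'."""
    ts, user, country, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "country": country, "success": result == "SUCCESS"}


def detect(lines, home=HOME_COUNTRIES):
    """Return one alert per successful sign-in from outside `home`, graded by context."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    last_success = {}             # user -> timestamp of the most recent prior success
    failures = defaultdict(list)  # user -> [(ts, country)] of failed attempts so far
    alerts = []
    for e in events:
        u = e["user"]
        if not e["success"]:
            failures[u].append((e["ts"], e["country"]))
            continue
        if e["country"] not in home:
            # The custom rule: a success from an unexpected country fires regardless.
            prior = last_success.get(u)
            dormant_days = (e["ts"] - prior).days if prior else None
            recent = [(t, c) for t, c in failures[u] if e["ts"] - t <= SPRAY_WINDOW]
            distinct = {c for _, c in recent}
            # Context that turns a routine travel login into a probable takeover:
            # a long-dormant (or never-seen) account plus failures from many countries.
            dormant = dormant_days is None or dormant_days >= DORMANT_DAYS
            sprayed = len(distinct) >= SPRAY_COUNTRIES
            alerts.append({
                "user": u,
                "ts": e["ts"].isoformat(),
                "country": e["country"],
                "dormant_days": dormant_days,
                "failed_attempts": len(recent),
                "failure_countries": len(distinct),
                "severity": "high" if dormant and sprayed else "medium",
            })
        last_success[u] = e["ts"]
    return alerts


def sample_lines():
    """Constructed sample data shaped like the case above (not real customer logs)."""
    lines = [
        "2021-06-01T09:00:00 jdoe US SUCCESS",    # last legitimate activity, then silence
        "2021-09-01T08:00:00 asmith US SUCCESS",  # an active user for comparison
        "2021-09-07T08:10:00 asmith US SUCCESS",
    ]
    countries = ["RU", "BR", "NG", "VN", "ID"]
    start = datetime(2021, 9, 5, 0, 0, 0)
    for i in range(30):  # brute-force attempts rotating through several countries
        t = start + timedelta(hours=2 * i)
        lines.append(f"{t.isoformat()} jdoe {countries[i % len(countries)]} FAILURE")
    lines.append("2021-09-08T13:00:00 jdoe BR SUCCESS")    # dormant account, foreign success
    lines.append("2021-09-08T14:00:00 asmith CA SUCCESS")  # active user travelling, no spray
    return lines


if __name__ == "__main__":
    for a in detect(sample_lines()):
        print(a)
```

Run stand-alone, the script produces a high-severity alert for `jdoe` (99 days dormant, 30 failures from 5 countries before the success) and a medium-severity one for `asmith` (active the day before, no preceding failures), which is the triage distinction the analysts made by hand between a work-from-home login and a compromised ex-employee account.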

Reviewing for additional indicators

Shortly after gaining access to the account, the attackers pivoted to the user’s personal SharePoint, but it did not appear that the attackers were able to gain access to anything confidential. Additionally, there was no evidence that attackers were able to move laterally in the network, escalate privileges, or gain access to other confidential or sensitive information beyond the initial access.

Response

Building the investigation

With all the evidence gathered, it was critical that we contact the customer as soon as possible. We quickly assembled the investigation and reached out to the customer.

Shortly after we contacted the customer, the SOC observed the attacker gaining access from yet another country. This new evidence suggested that the attacker was attempting to escalate, and we needed to work quickly with the customer to contain the threat and prevent any potential lateral movement.

Customer interaction

The customer was able to revoke the credentials and disable the user account, and confirmed that the targeted user was a former employee of the organization. This confirmation only strengthened the concerns we had raised when we observed no activity from the user for 90 days. While the attack did not escalate any further, this incident highlights the importance of maintaining and auditing the users in your environment.

Red vs. blue vs. purple teams: How to run an effective exercise

In the arsenal of cybersecurity defenses is the exercise that goes by the name of red team/blue team simulated attack. These simulations are designed to closely mimic real-world conditions. For example, one red team member might take on the role of an employee clicking on a phishing link that deposits malware on the network. The defending team members must then find this malware before it spreads across their network and infects web servers and other applications. To make things more realistic, the simulation replays real network traffic to obscure the attacks, just like in the real world.

Let’s talk about the red and blue designations. Red team members usually play the role of attackers and try to overcome security protocols. They use the same tools and techniques that attackers use, similar to how penetration testers operate but on a much broader scale.

22 cybersecurity myths organizations need to stop believing in 2022

The past few years have seen a dramatic shift in how organizations protect themselves against attackers. The hybrid working model, fast-paced digitalization, and increased number of ransomware incidents have changed the security landscape, making CISOs’ jobs more complex than ever.

This convoluted environment requires a new mindset to defend, and things that might have held true in the past might no longer be useful. Can digital certificates’ expiration dates still be managed in a spreadsheet? Is encryption ‘magic dust’? And are humans actually the weakest link?

Security experts weigh in on the 22 cybersecurity myths that we finally need to retire in 2022.
