Threat Hunt Report: Public Exposure

This article discusses the findings of a cybersecurity investigation into a virtual machine (VM) that was inadvertently exposed to the public internet. It highlights the identification of brute-force login attempts by adversaries and the implementation of security measures to mitigate these threats. Importantly, no unauthorized access was confirmed despite the attacks.

Affected: Virtual Machines, External Adversaries, Shared Services Infrastructure

Key points:

  • The security team conducted an investigation into VMs within a shared services cluster to identify exposure to the public internet.
  • The analysis aimed to assess whether unauthorized access was attempted or achieved via brute-force authentication attacks.
  • Logs were evaluated to identify patterns of failed login attempts and any potential security misconfigurations.
  • Despite numerous brute-force attempts, no unauthorized access was successfully recorded.
  • We identified multiple MITRE ATT&CK framework techniques relevant to the investigation.
  • Several recommendations for enhancing security measures were provided after the investigation concluded.

MITRE Techniques:

  • T1133 — External Remote Services: The VM’s configuration allowed remote access via RDP, increasing risks of unauthorized access.
  • T1110 — Brute Force: Logs showed multiple failed login attempts, indicating a systematic credential guessing attack.
  • T1595 — Active Scanning: The detection of brute-force attempts suggests that adversaries initially scanned for open services.
  • T1078 — Valid Accounts: All successful logins that were observed were associated with the legitimate “labuser” account.
  • T1583 — Use of Compromised Infrastructure: Login attempts originated from potentially compromised hosts, suggesting a distributed attack strategy.

Indicators of Compromise:

  • [IP Address] 89.248.172.39
  • [IP Address] 83.118.125.238
  • [IP Address] 77.90.185.229
  • [IP Address] 77.90.185.230
  • [IP Address] 194.0.234.22
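The hunt described above, evaluating logon logs for failed-login patterns per source and checking the sources against the listed indicators, can be reproduced on any event export. The script below is an added illustration and is not the report's own query: the log lines are constructed samples in an assumed `timestamp result user=... src=... proto=...` shape, the failure threshold of 5 is an assumption, and only the five IP addresses come from the report. It flags a source when it exceeds the failure threshold, when a success follows failures from the same source (the T1078 case, where a valid account such as “labuser” logs in after failed attempts), or when the source matches a listed indicator.

```python
"""Brute-force hunt over logon events (added example; not the report's query).

Log format is an assumption for this example:
    <timestamp> <SUCCESS|FAILED> user=<name> src=<ip> proto=<service>
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# The five source addresses listed in the report's indicator section.
REPORT_IOCS = frozenset({
    "89.248.172.39",
    "83.118.125.238",
    "77.90.185.229",
    "77.90.185.230",
    "194.0.234.22",
})

# Constructed sample events for the example; none of these lines are from the report.
SAMPLE_LOG = """\
2024-01-10T02:14:01Z FAILED user=administrator src=89.248.172.39 proto=rdp
2024-01-10T02:14:03Z FAILED user=admin src=89.248.172.39 proto=rdp
2024-01-10T02:14:05Z FAILED user=root src=89.248.172.39 proto=rdp
2024-01-10T02:14:07Z FAILED user=labuser src=89.248.172.39 proto=rdp
2024-01-10T02:14:09Z FAILED user=guest src=89.248.172.39 proto=rdp
2024-01-10T02:14:11Z FAILED user=test src=89.248.172.39 proto=rdp
2024-01-10T03:02:10Z FAILED user=labuser src=10.0.0.15 proto=rdp
2024-01-10T03:02:25Z FAILED user=labuser src=10.0.0.15 proto=rdp
2024-01-10T03:02:40Z SUCCESS user=labuser src=10.0.0.15 proto=rdp
2024-01-10T04:40:00Z FAILED user=administrator src=194.0.234.22 proto=rdp
2024-01-10T04:40:02Z FAILED user=admin src=194.0.234.22 proto=rdp
2024-01-10T08:00:00Z SUCCESS user=labuser src=10.0.0.20 proto=rdp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>SUCCESS|FAILED) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) proto=(?P<proto>\S+)$"
)


@dataclass
class Finding:
    src: str
    failures: int
    distinct_users: int
    successes_after_failures: int
    known_ioc: bool
    reasons: List[str] = field(default_factory=list)


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse the assumed log shape; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def hunt(events: List[Dict[str, str]], fail_threshold: int = 5) -> List[Finding]:
    """Return one Finding per source that looks like brute force or needs review.

    fail_threshold (5) is an assumption for this example, not a figure from the report.
    """
    failures = Counter()
    users_tried = defaultdict(set)
    success_after_failure = Counter()
    for ev in events:  # events are processed in log order
        src = ev["src"]
        if ev["result"] == "FAILED":
            failures[src] += 1
            users_tried[src].add(ev["user"])
        elif failures[src] > 0:
            # A success following failures from the same source: either a valid
            # account after typos, or a guess that finally landed. Review either way.
            success_after_failure[src] += 1

    sources = list(dict.fromkeys(ev["src"] for ev in events))
    findings = []
    for src in sources:
        reasons = []
        if failures[src] >= fail_threshold:
            reasons.append(f"{failures[src]} failed logons (threshold {fail_threshold})")
        if success_after_failure[src]:
            reasons.append("success following failed attempts")
        if src in REPORT_IOCS:
            reasons.append("source matches listed indicator")
        if reasons:
            findings.append(Finding(src, failures[src], len(users_tried[src]),
                                    success_after_failure[src], src in REPORT_IOCS, reasons))
    findings.sort(key=lambda f: (-f.failures, f.src))
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_LOG)):
        print(f"{f.src:16} fails={f.failures:<3} users={f.distinct_users:<2} "
              f"succ_after_fail={f.successes_after_failures} ioc={f.known_ioc} "
              f"| {'; '.join(f.reasons)}")
```

With the constructed sample, the external source with six failures across six usernames is flagged as a brute-force candidate, the internal host that succeeded as “labuser” after two failures is surfaced for review rather than silently accepted, and a listed indicator with only two failures is still reported because it matches the indicator set; the host that logged in cleanly is left alone.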


Full Story: https://medium.com/@stevenrim/threat-hunt-report-public-exposure-715f1befb669?source=rss——cybersecurity-5