CASE STUDY

UnderDefense Initiates Proactive Threat Hunting and Detects Hidden Threats in the Client’s Environment

Background

The client is one of the ten largest government organizations in the U.S. financial sector. The company was already security-conscious and had several security solutions and tools, including NGAV (a modified version of EDR). Additionally, they had well-configured policies, an active directory domain, firewalls, and an in-house team to deal with emerging alerts.

The Challenge

Despite using MDR services, well-configured tools, and advanced cybersecurity measures, our client faced a series of attacks on their cybersecurity infrastructure that exceeded the capabilities of standard correlation rules.

The situation unfolded during a proactive threat hunting session conducted by analysts from UnderDefense. They detected successful VPN login attempts from locations not typical for the client, such as Finland, Lithuania, Russia, and Britain. It raised concerns and triggered a more in-depth investigation into the nature and extent of the attacks.

The investigation discovered that the malicious actors had executed brute-force attacks on default accounts (helpdesk, security, admin, guests, test, and support). Despite robust defense measures, they exploited account security misconfigurations, which posed a critical risk and provided attackers with a direct route to the client’s core environment. It left minimal time for SOC detection and even less time for the security team to respond. The adversaries gained access to an internal network remotely through downloaded VPN clients. They used a web portal to access a desktop client with a preconfigured VPN gateway address. Besides, hackers accessed real accounts by figuring out their easily predictable passwords.

After gaining access to the internal network, one unclassified malicious actor effectively scanned the client’s intranet, gathering information for future attacks. Moreover, three unclassified actors successfully accessed the system using weak passwords, raising concerns about other vulnerable users across public resources.

Unfortunately, the correlation rules, designed to identify brute force attacks, failed to detect the malicious logins due to their low intensity and frequency. The attackers successfully guessed the password within a few tries and enabled unauthorized access, avoiding detection.

Although the current defense systems suggested all was well, they also exposed the constraints of automated tools. This incident highlighted the importance of securing VPN access and the potential risks associated with compromised accounts.

 

Challenges

Results

  • No alerts were generated for brute-force attempts on the user's VPN
  • A proactive threat-hunting session to investigate and address security concerns
  • The VPN configuration was the client's responsibility, not covered by MDR, creating a potential entry point for malicious actors
  • Professional recommendations for strengthening security posture
  • Creation of additional correlation rules to address the issue

About the client

Headquarters:

Texas, USA
Industry:
Government/Finance
Project Duration:
December 2021 – Ongoing
Technologies and Tools:
QRadar
Office365 + AD
Windows Servers
Palo Alto Firewall
CortexXDR
Covered Endpoints:
1200+
Automated Rules Enabled:

547

Key Results

6

Discovered VPN accounts used by malicious actors

The Solution

After collecting evidence, the UnderDefense team launched a comprehensive investigation and promptly informed the client. The objective was to grasp the incident’s nature, identify the compromised account, and understand the access method used by the malicious actor. Due to outdated account types, identifying users and their origin — local or domain — became crucial.

Despite the discovery late at night, the client responded quickly, implementing preventive measures that blocked VPN logins from restricted countries. The investigation took approximately 10 hours, uncovering that the compromise involved an old account susceptible to access using various usernames.
Fortunately, the attacker seemed either disinterested or lacked expertise, which created the impression of a non-targeted attack. Otherwise, with VPN access and legitimate credentials inside the network, the consequences for the client could have been severe.

Below you can see the chronological sequence of events outlining the key actions taken to address the problem.

Outcomes

Embracing a proactive strategy, UnderDefense conducts regular threat hunting sessions, usually monthly or bi-monthly, each lasting several hours. The primary goal is to address any concerns the client may have based on their extensive knowledge of the infrastructure.
In situations where the client doesn’t articulate specific concerns, UnderDefense takes the lead in formulating theories and exploring ideas. These hypotheses are then put to the test to ascertain their validity. This proactive approach aims to prevent potential threats before they become real.
To continue enhancing security and prevent incidents, the client has implemented the following major recommendations provided by the UnderDefense team:

Account audit

Regular domain account audits are essential for identifying and deactivating old or unnecessary accounts. Leveraging the KnowBe4 PET tool enhances this process by detecting unused Active Directory accounts, uncovering security misconfigurations, and identifying weak passwords.

Offboarding process

A procedure that ensures employee accounts are immediately closed when they leave the company. It reduces the risk of lingering access points.

Internal password assessments

Regular assessment to identify weak passwords and replace them with strong ones to bolster overall password security.

Multifactor authentication

MFA implementation adds an extra layer of protection, making it more challenging for unauthorized access.

Password policies

Establishing and enforcing password policies that define criteria for password strength and regular updates. Also, a strong password policy on the VPN gateway is necessary for both local and domain users.

New correlation rules

Additionally, the UnderDefense team has created new correlation rules on our end. Such an approach helps regulate and automatically detect similar issues, streamlining the resolution process without requiring manual intervention.

Take control of your business security, before hackers do.