Stories from the SOC - Web Server Attack

Executive Summary

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the LevelBlue SOC analyst team for LevelBlue Managed Threat Detection and Response customers.

During the investigation of a Web Server Attack alarm for a large multinational enterprise customer, our analysis ultimately led the customer to isolate the affected system entirely. The correlation rules developed by the LevelBlue Alien Labs™ team recognized patterns that indicated an attack on the web server. Starting from the information presented by the alarm itself, we expanded on those details, which led to the customer being informed that a public-facing server was actively vulnerable. When we spoke with the customer directly, they conveyed that they were unaware this system was exposed and quickly took corrective measures, resulting in the isolation of the vulnerable system.

Investigation

Initial Alarm Review

Web Server Attack – Multiple Web Attacks Alarm

The initial alarm surfaced as the correlated result of multiple Apache Struts Dynamic Method Invocation Remote Code Execution events. As shown in Figure 1 below, this attack intent is associated with the Delivery & Attack phase of the Cyber Kill Chain®.
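To make the correlation step concrete, the following is an added Python example (not USM Anywhere's or Alien Labs' rule logic) that collapses a burst of individual IDS events carrying the Struts DMI signature against one host into a single "Multiple Web Attacks" alarm. The log line format, the sample events, the five-minute window, the threshold of three and the mapping to ATT&CK technique T1190 (Exploit Public-Facing Application, whose description matches the synopsis quoted in the Alarm Detail section) are all constructed assumptions.

```python
"""Correlate individual 'web attack' IDS events into one alarm per host burst.

Added example, not the vendor's correlation rule. It models the idea that
several Apache Struts DMI RCE events against one destination inside a short
window should surface as a single alarm rather than N separate events.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Signature names treated as "web attack" events. The Struts DMI name is the
# one from the alarm described above; the OGNL entry is a constructed extra.
WEB_ATTACK_SIGNATURES = {
    "Apache Struts Dynamic Method Invocation Remote Code Execution",
    "Apache Struts OGNL Injection",
}
# Assumed mapping: MITRE ATT&CK T1190, Exploit Public-Facing Application.
ATTACK_TECHNIQUE = "T1190"
ALARM_NAME = "Web Server Attack - Multiple Web Attacks"

# Constructed sample IDS events: "<ISO 8601 time> <src_ip> <dst_ip> <signature>".
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z 203.0.113.7 10.10.5.20 Apache Struts Dynamic Method Invocation Remote Code Execution",
    "2024-05-01T10:00:09Z 203.0.113.7 10.10.5.20 Apache Struts Dynamic Method Invocation Remote Code Execution",
    "2024-05-01T10:00:30Z 203.0.113.7 10.10.5.20 Benign HTTP Scanner User-Agent",  # not a web attack signature
    "2024-05-01T10:01:15Z 203.0.113.7 10.10.5.20 Apache Struts OGNL Injection",
    "2024-05-01T10:01:40Z 203.0.113.7 10.10.5.20 Apache Struts Dynamic Method Invocation Remote Code Execution",
    "2024-05-01T10:05:00Z 198.51.100.9 10.10.5.21 Apache Struts Dynamic Method Invocation Remote Code Execution",
    "2024-05-01T10:20:00Z 198.51.100.9 10.10.5.21 Apache Struts Dynamic Method Invocation Remote Code Execution",
    "this line is malformed and must be skipped",
]


def parse_event(line):
    """Parse one constructed log line; return None for anything malformed."""
    parts = line.strip().split(" ", 3)
    if len(parts) != 4:
        return None
    stamp, src, dst, sig = parts
    try:
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {"time": when, "src": src, "dst": dst, "sig": sig}


def _alarm_from_burst(dst, burst):
    """Summarize one burst of events against a host as a single alarm."""
    return {
        "name": ALARM_NAME,
        "technique": ATTACK_TECHNIQUE,
        "dst": dst,
        "sources": sorted({e["src"] for e in burst}),
        "signatures": sorted({e["sig"] for e in burst}),
        "count": len(burst),
        "first_seen": burst[0]["time"].isoformat(),
        "last_seen": burst[-1]["time"].isoformat(),
    }


def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Raise one alarm per destination host whenever at least `threshold`
    web-attack events fall inside a `window`-long burst (measured from the
    first event of the burst). Non-attack signatures and malformed lines
    are ignored."""
    per_dst = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is not None and ev["sig"] in WEB_ATTACK_SIGNATURES:
            per_dst[ev["dst"]].append(ev)

    alarms = []
    for dst in sorted(per_dst):
        events = sorted(per_dst[dst], key=lambda e: e["time"])
        burst = []
        for ev in events:
            # A gap larger than the window closes the current burst.
            if burst and ev["time"] - burst[0]["time"] > window:
                if len(burst) >= threshold:
                    alarms.append(_alarm_from_burst(dst, burst))
                burst = []
            burst.append(ev)
        if len(burst) >= threshold:
            alarms.append(_alarm_from_burst(dst, burst))
    return alarms


if __name__ == "__main__":
    for alarm in correlate(SAMPLE_EVENTS):
        print(f"{alarm['name']} [{alarm['technique']}] dst={alarm['dst']} "
              f"count={alarm['count']} sources={alarm['sources']} "
              f"window={alarm['first_seen']}..{alarm['last_seen']}")
```

With the constructed input, only 10.10.5.20 produces an alarm: four qualifying events arrive within two minutes, while the two events against 10.10.5.21 are fifteen minutes apart and never reach the threshold inside one window. The threshold and window are the knobs a SOC tunes to trade noise against missed low-and-slow probing.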

Figure 1 - Initial Alarm

Alarm Detail

Also included in the alarm details is the associated MITRE ATT&CK® technique ID, which allowed us to efficiently gather relevant information about this particular attempt on the customer's system. The synopsis for this attack technique is defined as the "… use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability." To better understand the vulnerability profile of the asset in question, I executed an authenticated vulnerability scan within USM Anywhere. The results indicated several Apache HTTP server vulnerabilities. After completing this review, I presented the actionable information to the customer.

Response

Figure 2 – Analyst Comments

Customer Response(s)

Two members of the customer's staff reviewed the analysis that I provided, confirmed my concerns about the active vulnerabilities, and shared the steps they would take to remediate this activity. The NAT was removed, and the public IP was discontinued.

One of the customer's staff provided supplementary detail about the exposed, vulnerable system and the means by which they resolved the continuing activity. The customer's analyst indicated that the targeted device was a digital video recorder (DVR) system that physically resided within one of the customer's warehouses, and then outlined the actions taken to mitigate the risk:

  • The publication rule of the Watchguard in the warehouse was eliminated
  • The secondary public IP from the Watchguard configuration was removed
  • The public IP of origin of the attack on the Watchguard was blocked
  • Geolocation blocking from the foreign country to our entire network in the region was enabled
  • The DVR was isolated until the vulnerabilities were mitigated
  • A VLAN for exclusive isolation to all DVRs in the region was created

Although it is impossible to know the true intentions of the attacker(s), one could presume it was a deliberate attempt to compromise a DVR asset in order to perform surveillance on a physical intrusion target.
