This blog was jointly authored by Josue Gomez
Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.
One of the benefits of having your managed detection and response (MDR) service managed by AT&T Cybersecurity is the visibility into threats from a large number of customers of all sizes and across different industries. This allows the team to take what they learn from one customer and apply it to another. Our security operation center (SOC) analysts were able to use an OTX alarm and an AWS correlation rule to discover open ports on public facing servers for two different customers in 24 hours.
Initial Alarm Review
Indicators of Compromise (IOCs)
In a 24-hour period the AT&T SOC analyst team identified open port vulnerabilities which malicious actors were attempting to exploit on two different customer instances. While the environments of these two customers are very different, the sensors that are deployed as part of the AT&T Unified Security Management (USM) platform provide flexibility and help customers to stay protected across multiple platforms.
Customer 1’s initial alarm is below. In addition to the OTX indicator, the fact that the alarm was based on a public URL and the event outcome was “Accept” led our analyst team to speculate that the alarm was accurately indicating a successful system compromise.
The Customer 2 initial alarm came in when an IP located in a foreign country was observed attempting to brute force authenticate via SSH port 22 on one of Customer 2’s cloud-based security management servers.
Unlike Customer 1 who has a primarily on-premises environment, Customer 2 has a largely cloud based infrastructure. The analyst team performed a deep dive into the targeted AWS cloud asset and observed logs showing multiple IPs located in the foreign country attempting to establish a connection over the open vulnerable port.
In the case of Customer 1, the analyst team determined the IP identified by OTX had been scanning multiple public facing assets in the hours before the alarm was triggered. Logs indicated the malicious actor was focusing on scanning for a Telnet service until they found an open Port 23, at which point scanning ended. A search for that malicious IP on the destination side showed an outbound connection from Customer 1’s web server with an “Allow” outcome, confirming a two-way connection had been established over Telnet. The analyst team communicated the details of the investigation to Customer 1 and recommended they close all the server’s ports, aside from Port 80 and Port 443, as is the best practice for a public facing web server.
For Customer 2, the team prioritized the malicious activity on their AWS instance as High severity and quickly jumped on a call to inform the customer of the SSH brute-force attacks occurring against one of their internal cloud assets. The built-in Amazon Guard Duty plugin, paired with the cloud monitoring capabilities available in the USM platform, allowed the team to capture this malicious activity in real time. After reviewing the investigation with the customer and detailing the dangers of having a port open to the internet such as SSH, the customer quickly realized this as a misconfiguration on their end. The customer took the recommendation of our analyst team and instructed their AWS administrators to close the open port.
Building the investigation
The timeline for Customer 1’s incident from alarming and analysis to notification took 90 minutes. From time of discovery of Customer 2’s attack to remediation steps put in place, the AT&T Cybersecurity platform and team was able to alarm, investigate and respond to the threat in 70 minutes. Both investigations resulted in the hardening of a public facing server (one on premise, and one in the cloud) to help prevent further incidents. The two separate incidents showcase the value and flexibility AT&T Cybersecurity brings to any network environment.