Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.
One of the primary ways that adversaries gain access to environments is through valid credentials. Because of this, maintenance and auditing of user accounts is an integral part of maintaining a good security posture. When an employee leaves a company or organization, it is important that all associated accounts be removed and permissions revoked. If these accounts are not removed, they are a potential avenue for attackers to enter a network. Attackers often leverage compromised accounts to gain a foothold in an organization’s environment and move across the network while remaining hidden. Upon entry, threat actors can elevate user privileges and cause serious harm to the organization, such as sabotaging critical infrastructure or exfiltrating confidential information or intellectual property.
The AT&T Managed Threat Detection and Response (MTDR) SOC analyst team received an alarm for a successful logon to Office 365 from a foreign location for a customer. After investigating, we discovered the account belonged to an ex-employee of that organization who had not been properly deactivated. An attacker was able to exploit this weakness and gain access to the account through brute force from sources all over the world. The team quickly reacted to the threat and assisted the customer in containing it while mitigating follow-on actions.
Initial alarm review
Indicators of Compromise (IOC)
The initial alarm was triggered from a custom rule alerting the MTDR analysts that one of the customer’s users had successfully logged in to Office 365 from a foreign country. Custom alarms can be created by the MTDR team and are tailored specifically to customer requests. These custom alarms can improve early warning of a potential attack specific to the customer’s environment.
A review of the event log indicated that the user successfully logged in from a foreign country. While this may not seem suspicious on its own, we do not often observe logins from different parts of the world for this customer. With the adoption of work-from-home across many organizations, we see foreign or multiple-source-country logins almost every day. However, regardless of how routine this seems, it is critical that security professionals perform their due diligence on this type of activity. To rule out the possibility of a compromised account, the team broadened their investigation to gather more information.
Event deep dive
As the MTDR rule was designed, any login from outside the customer’s expected locations is considered an anomaly. Upon further review of the user’s history, the team discovered there had been no activity within the last 90 days. No activity for short periods of time is not necessarily abnormal, but it was suspicious for a user to have absolutely zero activity for 90 days, only to log back in from multiple countries. In fact, we found that almost 1,000 failed login attempts from malicious IP addresses in 49 countries had been made against the user’s account.
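The triage steps described in this section and the one before it (alert on a successful Office 365 sign-in from a non-home country, then check how long the account had been dormant and how many failed attempts from how many countries preceded the success) can be expressed as a small detection script. The following Python is an added example, not code from the AT&T post or the MTDR platform. It assumes a simplified sign-in record of timestamp, user, source IP, source country and success flag, a home-country allow list, and the 90-day dormancy and 30-day failed-login lookback thresholds; the sign-in events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real customer data). The field layout
# is an assumption modelled loosely on Office 365 / Azure AD sign-in logs:
# (timestamp, user, source IP, source country, success).
SAMPLE_EVENTS = [
    ("2021-02-01T08:00:00", "jdoe@example.com", "203.0.113.10", "US", True),
    ("2021-05-10T02:14:00", "jdoe@example.com", "198.51.100.7", "RU", False),
    ("2021-05-10T02:15:00", "jdoe@example.com", "198.51.100.7", "RU", False),
    ("2021-05-10T02:20:00", "jdoe@example.com", "192.0.2.44", "BR", False),
    ("2021-05-11T03:00:00", "jdoe@example.com", "192.0.2.45", "NG", False),
    ("2021-05-12T04:30:00", "jdoe@example.com", "198.51.100.9", "VN", True),
    ("2021-05-12T05:00:00", "asmith@example.com", "203.0.113.11", "US", True),
    # A second success from yet another country, as in the follow-up observed later.
    ("2021-05-13T06:00:00", "jdoe@example.com", "192.0.2.99", "ID", True),
]


@dataclass
class SignIn:
    ts: datetime
    user: str
    ip: str
    country: str
    success: bool


def parse_events(rows):
    """Turn the raw tuples into SignIn records with parsed timestamps."""
    return [SignIn(datetime.fromisoformat(ts), u, ip, c, ok) for ts, u, ip, c, ok in rows]


def analyze_login(events, alert, dormant_days=90, lookback_days=30):
    """Enrich one successful foreign sign-in with the two follow-up checks:
    how long the account had been dormant before this success, and how much
    failed-login pressure (count, distinct countries, distinct IPs) preceded it.
    The thresholds are assumed values, not the rule's actual configuration."""
    history = [e for e in events if e.user == alert.user and e.ts < alert.ts]

    prior_successes = [e.ts for e in history if e.success]
    days_since_last_success = (
        (alert.ts - max(prior_successes)).days if prior_successes else None
    )
    dormant = days_since_last_success is None or days_since_last_success > dormant_days

    window_start = alert.ts - timedelta(days=lookback_days)
    failures = [e for e in history if not e.success and e.ts >= window_start]
    failed_countries = sorted({e.country for e in failures})

    return {
        "user": alert.user,
        "login_time": alert.ts.isoformat(),
        "login_country": alert.country,
        "login_ip": alert.ip,
        "days_since_last_success": days_since_last_success,
        "dormant": dormant,
        "failed_attempts": len(failures),
        "failed_countries": failed_countries,
        "failed_ips": sorted({e.ip for e in failures}),
        # Escalate when a long-dormant account wakes up abroad, or when the
        # success follows failures spread over several countries (password spraying).
        "escalate": dormant or len(failed_countries) >= 2,
    }


def triage(rows, home_countries, **thresholds):
    """The custom rule plus the analyst follow-up: every successful sign-in from
    outside the home-country allow list becomes an alert and is enriched."""
    events = parse_events(rows)
    return [
        analyze_login(events, e, **thresholds)
        for e in events
        if e.success and e.country not in home_countries
    ]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, home_countries={"US"}):
        print(finding)
```

Run against the constructed events, the script produces two findings for jdoe@example.com and none for the US-only user: the first success (from VN) follows 99 days without a successful sign-in and four failures from three countries, and the later success (from ID) is no longer "dormant" but still escalates because of the multi-country failure history. In production the same logic would read the tenant's sign-in export and use the customer's actual home-country list.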
Reviewing for additional indicators
Shortly after gaining access to the account, the attackers pivoted to the user’s personal SharePoint, but it did not appear that the attackers were able to gain access to anything confidential. Additionally, there was no evidence that attackers were able to move laterally in the network, escalate privileges, or gain access to other confidential or sensitive information beyond the initial access.
Building the investigation
With all the evidence gathered, it was critical that we contact the customer as soon as possible. We quickly assembled the investigation and reached out to the customer.
Shortly after contacting the customer, the SOC observed the attacker gaining access from another country. This new evidence suggested that the attacker was attempting to escalate, and we needed to work quickly with the customer to contain the threat and prevent any potential lateral movement.
The customer was able to revoke the credentials and disable the user account, and confirmed the targeted user was a former employee of the organization. This confirmation from the customer further validated the concerns we had raised when we observed no activity from the user for 90 days. While the attack did not escalate any further, this highlights the importance of maintaining and auditing the users in your environment.