Analysis of Recent Cyber Intrusions by Arctic Wolf
Recent observations by Arctic Wolf have brought to light concerning patterns in login events associated with cyber intrusions. The attackers employed spoofed source IP addresses during their activities, including the local loopback address 127.0.0.1 and public DNS resolver IPs from major providers, such as Google and Cloudflare (1.1.1.1, 2.2.2.2, 8.8.8.8, and 8.8.4.4). In certain instances, the attackers neglected to properly disguise their origin, inadvertently exposing addresses that linked back to a virtual private server (VPS) provider.
The initial phase of these attacks involved a series of brief login and logout attempts that appeared random and targeted a wide range of organizations across different industries. After this initial reconnaissance, the attackers revisited the compromised systems to implement configuration changes. These changes began with modifications to display settings that govern output across multiple pages in the jsconsole.
Subsequently, the attackers escalated their activities by creating new superadmin accounts, often with names of five to six characters. Using these superadmin privileges, they created as many as six local user accounts on each device, following a similar naming convention. These accounts were added to existing user groups that had SSL VPN access, effectively expanding the attackers’ foothold within the target networks. In some reported cases, they also took over existing accounts or reset the password of guest accounts and added those to the SSL VPN group as well.
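The observations above translate directly into detection logic. The following is an added example (not Arctic Wolf's or CSO Online's code) that scans constructed, vendor-neutral key=value log lines for the chain described in this report: logins whose source is loopback or one of the listed public resolver IPs, creation of a superadmin with a five to six character name, local users created by that new superadmin, and additions to a VPN-access group. The log format, field names and sample values are assumptions made for the example.

```python
import re

# Source addresses that should never be the remote origin of a management login:
# loopback plus the public resolver IPs named in the report.
SUSPECT_SOURCES = {"127.0.0.1", "1.1.1.1", "2.2.2.2", "8.8.8.8", "8.8.4.4"}

# Constructed sample events in an assumed key=value format (not a real vendor format).
SAMPLE_LOGS = """\
action=login user=admin srcip=127.0.0.1 status=success
action=logout user=admin srcip=127.0.0.1 status=success
action=login user=admin srcip=203.0.113.7 status=success
action=add_admin user=admin newuser=ab12c profile=super_admin
action=add_user user=ab12c newuser=xk91q
action=add_user user=ab12c newuser=pq77z
action=group_add user=ab12c member=xk91q group=SSLVPN_Users
action=group_add user=ab12c member=guest group=SSLVPN_Users
action=login user=jane srcip=198.51.100.20 status=success
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(KV.findall(line))

def analyze(logs):
    """Return (finding, actor, detail) tuples for the intrusion pattern described above."""
    findings = []
    new_superadmins = set()  # superadmins created during the scanned window
    for line in logs.splitlines():
        ev = parse(line)
        action = ev.get("action")
        if action == "login" and ev.get("srcip") in SUSPECT_SOURCES:
            findings.append(("spoofed_source_login", ev["user"], ev["srcip"]))
        elif action == "add_admin" and ev.get("profile") == "super_admin":
            if 5 <= len(ev["newuser"]) <= 6:  # short, random-looking admin names
                findings.append(("short_name_superadmin", ev["user"], ev["newuser"]))
            new_superadmins.add(ev["newuser"])
        elif action == "add_user" and ev["user"] in new_superadmins:
            findings.append(("new_superadmin_adds_user", ev["user"], ev["newuser"]))
        elif action == "group_add" and "vpn" in ev.get("group", "").lower():
            findings.append(("vpn_group_add", ev["user"], ev["member"]))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f)
```

Each finding alone is weak evidence; the sequence (impossible source, new short-named superadmin, bulk local users, VPN group additions) on one device within a short window is what warrants an alert.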
This series of events highlights the sophisticated strategies employed by cyber attackers in infiltrating systems, making it imperative for organizations to bolster their cybersecurity measures and monitor user account activities closely.
Source: www.csoonline.com