Getting Back to the Basics

By Mike Rodriguez, IT Manager, City of Webster, TX

Imagine sitting down with your morning coffee and you start getting multiple requests from users stating their account is locked out and needs to be unlocked. Once the account is unlocked, it locks again within minutes. “Why is this happening?!?” you might ask yourself. You reach out to your cybersecurity team and your worst fear becomes a reality: You’ve been compromised.

This was my reality a few months back. The feeling of my heart dropping when I heard the news; the thoughts racing in my head of how it happened, what the fallout is, how to stop it and how to prevent it in the future elevated my heart rate and added to an already busy and stressful day. After it was all said and done, we discovered that it was a brute force attack against our network. But why us? I mean we are a small 7-square-mile suburb of Houston. Turns out, no matter the size of your city’s population, square miles, or social makeup, you are a target.

These brute force types of attacks are nothing new. CISA’s Alert Code TA18-086A states that on February 18 of 2019, 9 Iranian Nationals were indicted on these types of attacks. Furthermore, on July 21, 2021, the NSA sent out a press release stating that from mid-2019 and likely ongoing “Malicious cyber actors use brute force techniques to discover valid credentials often through extensive login attempts, sometimes with previously leaked usernames and passwords or by guessing with variations of the most common passwords. While the brute force technique is not new, the GTsSS (Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center) uniquely leveraged software containers to easily scale its brute force attempts”. These attacks are ongoing, and it’s only a matter of time until one hits your network.

So how did it happen on our network? Utilizing our SIEM (Security Information and Event Management) solution and the help of some third-party cybersecurity-as-a-service companies, we were able to determine the attacks were happening on our Remote Access VPN (RAVPN). The bad actors would throw every username and password combination from their libraries at us to try to gain access. We immediately shut down the RAVPN and focused on what damage was done. Through a forensic analysis, we determined that nothing was executed and nothing was exfiltrated out of our network. All they got was some password hashes, which were addressed via password changes. We shut down the attack and dodged a major bullet.
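The pattern described above (one source hammering a VPN login with many username and password combinations, showing up as repeated failures and cascading lockouts) is the kind of thing a SIEM correlation rule catches. The following is an added example, not the author's SIEM logic or any vendor's rule: it reads constructed VPN authentication log lines in an assumed `timestamp src=IP user=NAME result=FAIL|OK` format and flags any source address that produces many failures across many distinct usernames inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (assumed log format, not any vendor's syntax): one source throws
# 12 failures across 6 usernames in two minutes; a real user mistypes twice, then succeeds.
_SPRAYED_USERS = ["jsmith", "admin", "mrodriguez", "finance", "helpdesk", "svc_backup"]
SAMPLE_LOG = [
    f"2024-03-01T08:{i // 6:02d}:{(i % 6) * 10:02d} src=203.0.113.7 "
    f"user={_SPRAYED_USERS[i % 6]} result=FAIL"
    for i in range(12)
] + [
    "2024-03-01T08:05:00 src=198.51.100.5 user=aturner result=FAIL",
    "2024-03-01T08:05:20 src=198.51.100.5 user=aturner result=FAIL",
    "2024-03-01T08:05:40 src=198.51.100.5 user=aturner result=OK",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse(lines):
    """Yield (timestamp, source, user, result) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]


def detect_brute_force(lines, window=timedelta(minutes=5), min_failures=10, min_users=5):
    """Return {source: {"failures": n, "distinct_users": k}} for every source whose
    failed logins inside any `window` reach both thresholds. Requiring several distinct
    usernames separates credential guessing from one person fumbling their own password."""
    failures_by_src = defaultdict(list)
    for ts, src, user, result in sorted(parse(lines)):
        if result == "FAIL":
            failures_by_src[src].append((ts, user))
    alerts = {}
    for src, fails in failures_by_src.items():
        for i, (start, _) in enumerate(fails):          # sliding window over sorted failures
            users_in_window = [u for t, u in fails[i:] if t - start <= window]
            if len(users_in_window) >= min_failures and len(set(users_in_window)) >= min_users:
                alerts[src] = {"failures": len(users_in_window),
                               "distinct_users": len(set(users_in_window))}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_brute_force(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info['failures']} failures across {info['distinct_users']} users")
```

The thresholds are starting points to tune against your own baseline; the legitimate user's two failures and eventual success never trip the rule.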

Now how could this have been prevented? Well, my fellow colleagues, it is quite simple. Get back to the basics! Review password policies and enforce strong passwords. Change passwords regularly. Use service accounts for servers, not privileged accounts. Use least-privilege accounts for day-to-day work and escalate using privileged accounts only when needed. Stop using shared accounts. Enable Multifactor Authentication (MFA) on all feasible computers, servers, and access to the network. Patch your systems in a timely manner. Monitor your network for irregularities.

We did not have MFA on our RAVPN, which allowed the brute force attack to be successful. Luckily, we caught it in time and were able to minimize the impact.

We have a duty to protect our networks, data, and infrastructure from these types of attacks. We owe it to not only our coworkers, but also the constituents that we provide services to. Let’s get back to the basics and give ourselves the best posture to defend against these attacks.