Here’s a blog entry on incident management.
At Red Cloud IT, an alert from the intrusion prevention system made me aware that an IP address from an Eastern European country was trying to log in to our systems.
Now, in all honesty, usually we let our brute force prevention systems automatically take care of these things when it’s an IP address from outside Sweden.
For instance, we rarely follow up anything from countries such as Korea or China unless we immediately see that the IP address belongs to a Swedish company or the Swedish Government, in which case we try to contact them and alert them to a possible security problem.
Professional courtesy
If it's one of our competitors, we alert them too, as a professional courtesy, and this has actually happened quite a few times so far.
Our systems save everything in a local database, so we can always go back and report incidents afterwards, should we need to investigate something more thoroughly, even if the attack came from, let's say, China or some other country we have no business in.
The thing that made us a bit more interested in this specific intrusion attempt was the DNS domain name reported, ***.*******.** (this is automatically reported in the email alerts we get when an intrusion attempt is made, so it was very easy to see that this differed from the usual background noise on the Internet).
A quick look with a web browser pointed us to the homepage of the ******* Parliament, and this is where it started to get really interesting.
I followed up more on the IP address, and the attacking source address appears to be a Microsoft Exchange 2010 server that handles the mail for the ******* Parliament.
As a service to the department handling their IT, I wanted to get in contact with them and point out that they may have been breached, hacked or infected with a virus causing these brute-force attempts against our systems. I really don't believe they would have any interest in trying to hack us, so one of the three previous alternatives is more likely.
First I tried to get contact info from the http://***** site, but with no luck.
Second, I called the Swedish organization Datainspektionen to see if they knew whom I could talk to, but according to them this was a police matter.
I don't want to criticize any authority, but my general feeling is that if we go to the police, report this and they start working on it, it will probably take weeks or months before the information actually reaches the people most in need of it, meaning the IT staff at the ****** Parliament.
The reason I want them to know is of course so they can correct it as soon as possible, find out what has actually happened, and do a larger investigation to determine whether any confidential information has leaked from them.
After all, they are the ******* Parliament, so I'd expect they'd want their information secured, and I guess it's also in their job description to keep track of these things.
When I couldn't find contact info on the Parliament's home page, and having decided not to get in touch with the Swedish Police, I came to think of the ****** Embassy in Sweden.
I Googled the ******* Embassy and came to a website, http://*****, that actually didn't feel very official. It felt more like a travel agency, and after reading it more carefully I found a link stating that the Embassy's web address had changed to http://*****/****/sweden. So I went there and found an email address to use (****.***@***.**).
I sent an email with the following content.
==== Begin mail
Tue 5/7/2013 10:59
Subject: Hi. Possible security breach in your IT systems at ***.***.**.** (****.******.**) [*****]
Please do not disregard this email as SPAM or a hoax and you are more than welcome to contact me to verify this. My contact information is at the end of this email.
My name is Juha Jurvanen and I'm the CTO and partner of a Cloud Computing company in Sweden called Red Cloud IT.
We have various security systems in place in order to protect our customers from intrusion attempts, and one of them gave us three different warnings about unauthorized intrusion attempts from a server or workstation that appears to belong to the ****** Parliament.
The reason for this email is to make you aware that you may have a server or workstation on the data network belonging to the Parliament, and I believe you will want to look into that since it is most likely infected with a virus that could potentially cause harm or eavesdrop on data traffic, and that would of course be a very serious matter.
Usually we are under attack from various companies and countries such as Korea or China, and we disregard them and simply block them automatically, but in this case I deemed it to be more serious since it could imply you have a security breach in your government's IT systems, and that is of course far more serious than a company being hacked.
Again: Please do not disregard this email as SPAM or a hoax and you are more than welcome to contact me to verify this. My contact information is at the end of this email.
We have all log files saved for future inquiries should you need them for investigation, and we are happy to help you in any way we can since we know IT security is a very serious area.
The Red Cloud IT servers attacked so far are (I'm sure you can verify this by examining firewall logs in *******.):
**** [DNS Name and IP address of the attacked server]
**** [DNS Name and IP address of the attacked server]
**** [DNS Name and IP address of the attacked server]
Here are the blocked attacks and email alerts from Syspeace:
Alert from ********, IP ***.***.**.** (****.******.**) [*****] blocked until 2013-05-07 11:03:00
Blocked address ***.***.**.** (****.******.**) [*****] 2013-05-07 11:03:00 Rule used (Winlogon):
Name: Catch All Login
Trigger window: 00:30:00
Occurrences: 5
Lockout time: 02:00:00
Previous observations of this IP address:
2013-05-07 09:02:46 *****administrator
2013-05-07 09:02:44 *****administrator
2013-05-07 09:02:42 *****administrator
2013-05-07 09:02:40 *****administrator
2013-05-07 09:02:38 *****administrator
Alert from ********, IP ***.***.**.** (****.******.**) [*****] blocked until 2013-05-07 11:34:00
Blocked address ***.***.**.** (****.******.**) [*****] 2013-05-07 11:34:00 Rule used (Winlogon):
Name: Catch All Login
Trigger window: 00:30:00
Occurrences: 5
Lockout time: 02:00:00
Previous observations of this IP address:
2013-05-07 09:33:31 *****administrator
2013-05-07 09:33:29 *****administrator
2013-05-07 09:33:28 *****administrator
2013-05-07 09:33:25 *****administrator
2013-05-07 09:33:23 *****administrator
Alert from *********, IP ***.***.**.** (****.******.**) [*****] blocked until 2013-05-07 12:28:00
Blocked address ***.***.**.** (****.******.**) [*****] 2013-05-07 12:28:00 Rule used (Winlogon):
Name: Catch All Login
Trigger window: 00:30:00
Occurrences: 5
Lockout time: 02:00:00
Previous observations of this IP address:
2013-05-07 10:27:18 ****administrator
2013-05-07 10:27:17 ****administrator
2013-05-07 10:01:58 ****administrator
2013-05-07 10:01:26 ****administrator
2013-05-07 10:01:23 ****administrator
Med Vänlig hälsning / Regards
Juha Jurvanen
Teknik- & Konsultchef / CTO CIO
Cloud Konsult
Delägare / Partner
* my contact info removed for SPAM reasons*
08-***** http://www.redcloud.se
VISITING ADDRESSES
Järnlundsvägen 31, 120 60 Årsta
This email originates from Red Cloud IT AB (Swedish company no. 556606-1833), www.redcloud.se. This email and any attachments may contain confidential/intellectual property/copyright information and are only for the use of the addressee(s). You are prohibited from copying, forwarding, disclosing, saving or otherwise using it in any way if you are not the addressee(s) or responsible for delivery. If you receive this email by mistake, please advise the sender and delete it immediately. Red Cloud may monitor the content of emails within its network to ensure compliance with its policies and procedures. Any email is susceptible to alteration and its integrity cannot be assured. Red Cloud shall not be liable if the message is altered, modified, falsified or otherwise edited.
============= End of mail
After sending this, I thought I'd also give them a call to verify that it is not a hoax and that it is pretty much for real.
I gave them a phone call and got an answering machine that actually stated another (??) email address (**.*****@telia.com), so I sent the email above to that address as well. Sorry for the mix of English and Swedish, but when mailing them in Sweden, I thought Swedish would be appropriate.
===== Begin mail
Tue 5/7/2013 11:25
Hi.
I tried to reach you earlier by phone and left a message.
The email address you give on your answering machine is not the same as the one I emailed below (the one listed on your website), so I am emailing you at your @****.*** address as well.
Best regards / Juha Jurvanen www.redcloud.se *****@redcloud.se 08-55 11 8660
After this, it was simply the mail above, so it's basically a forward.
=== End mail
After this I started investigating even more in the Syspeace Access Reports section to see if this IP address had tried to attack us earlier, and sure enough it had.
=== Begin mail
Tue 5/7/2013 12:02
A closer investigation indicates that it is an Exchange 2010 server (that is, a mail server) that you reach when you go to that web address.
If it has been hacked, it could mean that an outsider has access to all of the Parliament's mail, which should be regarded as serious.
It could also be a workstation "behind" it, so it doesn't have to be the server, but either way it is definitely an incident for the IT security department to look into.
I did some more research into how long it has been trying to log in to our systems, and it turns out it did so yesterday evening. Here is a summary from one of the servers that was attacked:
FromIPAddress Date Success Origin Account Extra
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 01:14 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 01:15 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 01:15 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 01:15 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 01:15 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 04:24 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 04:24 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 04:24 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 04:25 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 04:25 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 04:25 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 04:25 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 04:25 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 07:03 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 07:03 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 07:04 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 07:04 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 07:04 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 07:04 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 07:04 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 07:04 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 09:33 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 10:01 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 10:01 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 10:01 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 10:27 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 10:27 No Windows ****administrator 10 – Remote interactive
=== End mail
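As an added example (my code, not the author's and not Syspeace's), here is the lockout rule quoted in the Syspeace alerts in the first mail (Catch All Login: 5 occurrences within a 00:30:00 trigger window, 02:00:00 lockout) applied to rows in the layout of the access report above. The IP addresses and the CORP domain are constructed placeholders, and the per-address lockout behaviour is my reading of the alerts, not Syspeace's documented internals.

```python
# Sliding-window lockout modelled on the Syspeace rule quoted in the post (Catch All Login:
# 5 occurrences in a 00:30:00 window, 02:00:00 lockout). Added example, not Syspeace's code.
from collections import defaultdict, deque
from datetime import datetime, timedelta

TRIGGER_WINDOW, OCCURRENCES, LOCKOUT = timedelta(minutes=30), 5, timedelta(hours=2)

# Constructed rows in the layout of the access report above; the IPs are documentation-range
# placeholders and CORP is a made-up domain. Logon type 10 = RemoteInteractive (RDP-style).
SAMPLE_REPORT = r"""
FromIPAddress Date Success Origin Account Extra
198.51.100.23 2013-05-07 09:33 No Windows CORP\administrator 10 - Remote interactive
198.51.100.23 2013-05-07 10:01 No Windows CORP\administrator 10 - Remote interactive
198.51.100.23 2013-05-07 10:01 No Windows CORP\administrator 10 - Remote interactive
198.51.100.23 2013-05-07 10:01 No Windows CORP\administrator 10 - Remote interactive
198.51.100.23 2013-05-07 10:27 No Windows CORP\administrator 10 - Remote interactive
198.51.100.23 2013-05-07 10:27 No Windows CORP\administrator 10 - Remote interactive
198.51.100.23 2013-05-07 10:30 No Windows CORP\administrator 10 - Remote interactive
203.0.113.9 2013-05-07 10:05 No Windows CORP\backup 10 - Remote interactive
203.0.113.9 2013-05-07 10:06 Yes Windows CORP\backup 10 - Remote interactive
"""

def parse_report(text):
    """Return (ip, timestamp, succeeded, account, extra) for each data row."""
    events = []
    for line in text.strip().splitlines():
        if line.startswith("FromIPAddress"):
            continue  # header row
        ip, day, clock, success, _origin, account, extra = line.split(None, 6)
        ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M")
        events.append((ip, ts, success == "Yes", account, extra))
    return events

def evaluate(events):
    """Return (ip, blocked_from, blocked_until) per lockout. Failures that arrive
    while the address is already locked out are dropped, not counted again."""
    recent = defaultdict(deque)  # ip -> failure timestamps inside the trigger window
    blocked_until, blocks = {}, []
    for ip, ts, ok, _account, _extra in sorted(events, key=lambda e: e[1]):
        if ok or ts < blocked_until.get(ip, ts):
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > TRIGGER_WINDOW:
            window.popleft()  # slide the 30-minute window forward
        if len(window) >= OCCURRENCES:  # 5th failure in the window: block for 2 hours
            blocked_until[ip] = ts + LOCKOUT
            blocks.append((ip, ts, blocked_until[ip]))
            window.clear()
    return blocks
```

On the sample, the single lockout is triggered at 10:27 and lasts until 12:27: the 09:33 failure has already slid out of the window, so it is the three 10:01 and two 10:27 attempts that count, and the 10:30 attempt is dropped as already blocked.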
That is basically all of the conversation so far with them, meaning I've had no acknowledgment from them so far that they have received this from me, nor any indication that they want the further information we have (log files and so on).
The things that puzzle me in a scenario such as this, considering who they actually are (the Parliament of a country, after all), are: how long have they actually had this problem? How are their incident management routines set up? Shouldn't a possible data security breach be quite high up on the list of things to take care of?
We've actually had a few more attempts even after I sent these emails and phoned their embassy, so obviously the problem hasn't been sorted out yet.
Now, this doesn't have to mean that it is their mail server that's been compromised; it could just as well be a workstation on that network that uses the mail server's IP address as its default gateway. It's impossible for me to find out from the outside; only they can get that information, by examining their firewall logs and so on.
The point is still that if any company, or government for that matter, is alerted that they have a possible security breach, I would imagine that the routines would be:
1. Verify the source of the alert (so it’s not an elaborate attempt to gain access to systems)
2. Start investigating what has happened, fix the breach and secure relevant data
3. Alert the police and start finding the culprit
If there's any more development in this, I'll let you guys know.
2013-05-08: I had a check and the attack has stopped. Unfortunately, this doesn't really tell me whether they actually acknowledged my alert or whether the compromised server or workstation was simply part of a botnet that has given up and moved along to the next entry in some predefined brute-force list. I've still got no feedback from ******** (yep, I won't state the country here since I do want to visit it someday. It looks beautiful *grin*).