INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
[Guest Diary] Insights from August Web Traffic Surge
Published: 2024-11-06.
Last Updated: 2024-11-06 04:32:30 UTC
by Trevor Coleman, SANS.edu BACS Student (Version: 1)
[This is a Guest Diary by Trevor Coleman, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program.]
The month of August brought with it a notable surge in web traffic log activities, catching my attention. As I delved into investigating the underlying causes of this spike, I uncovered some concerning findings that shed light on the potential risks organizations face in today's digital landscape.
The web honeypot log traffic, as parsed in the DShield-SIEM dashboard, served as a visual representation of the significant increase in activity. With over 62,000,000 activity logs originating from a single IP source, it was evident that something was amiss, compared with the second-largest source at 757,000. The most observed activity was directed towards destination ports 5555, 7547, and 9000, indicating a targeted effort to exploit vulnerabilities in web applications. Ports 5555 and 9000 are commonly used in malware attacks for known vulnerabilities on web servers ...
Analysis of the HTTP requests to the web honeypot revealed that the attacker exploited various known vulnerabilities. Out of the total requests, 57,243,299 (92%) were GET requests and 4,960,056 (8%) were POST requests, while there were significantly fewer PUT (18,466) and DELETE (4,150) requests. Figure 5 shows the top 5 HTTP request methods with the corresponding logs and the count of each attempt. Note that only 2 different PATCH request types were present ...
Read the full entry:
https://isc.sans.edu/diary/Guest+Diary+Insights+from+August+Web+Traffic+Surge/31408/
Scans for RDP Gateways
Published: 2024-10-30.
Last Updated: 2024-10-30 23:08:30 UTC
by Johannes Ullrich (Version: 1)
RDP is one of the most prominent entry points into networks. Ransomware actors have taken down many large networks after initially entering via RDP. Credentials for RDP access are often traded by "initial access brokers".
I noticed today an uptick in scans for "/RDWeb/Pages/en-US/login<.>aspx" . This is often used to expose RDP gateways, and there are even well-known Google dorks that assist in finding these endpoints. The scans I observed today are spread between several hundred IP addresses, none of which "sticks out" as more frequent than others. This could indicate a large botnet being used to scan for this endpoint.
There are three variations of this URL being used, all with the same effect of detecting the presence of an RDP gateway ...
Read the full entry:
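The two entries above both come down to the same first-pass triage of honeypot web logs: for the August surge, a per-method breakdown, the top source against the runner-up, and the top destination ports; for the RDWeb scans, picking out requests for the RD Web login page and checking whether they are spread across many sources with none dominating. The script below is an added example that does both over one constructed sample; it is not code from either diary or from the DShield-SIEM project. The JSON-lines record layout (src_ip, dst_port, method, url), the 10x "one source dominates" ratio, the "at least three sources, none above half" spread threshold, and the case-insensitive match on any /RDWeb/.../login.aspx path (the diary's three URL variants are not listed in the excerpt, so this generalises over locale segment and case) are all assumptions made here.

```python
"""Added example (not code from the ISC diaries or the DShield-SIEM project):
first-pass triage of web-honeypot request logs. The record layout, JSON lines
with src_ip, dst_port, method and url fields, is an assumption made for this
example; the lines in SAMPLE_LOG are constructed, not captured traffic."""
import json
from collections import Counter

# Constructed sample: one source hammering ports 5555/7547/9000, a lone PUT,
# and RD Web login-page probes spread over three sources. The last line is
# deliberately malformed to exercise the parser's error handling.
SAMPLE_LOG = """\
{"src_ip": "198.51.100.7", "dst_port": 5555, "method": "GET", "url": "/"}
{"src_ip": "198.51.100.7", "dst_port": 5555, "method": "GET", "url": "/"}
{"src_ip": "198.51.100.7", "dst_port": 5555, "method": "GET", "url": "/index.html"}
{"src_ip": "198.51.100.7", "dst_port": 7547, "method": "GET", "url": "/"}
{"src_ip": "198.51.100.7", "dst_port": 7547, "method": "POST", "url": "/"}
{"src_ip": "198.51.100.7", "dst_port": 9000, "method": "GET", "url": "/"}
{"src_ip": "198.51.100.7", "dst_port": 9000, "method": "GET", "url": "/"}
{"src_ip": "198.51.100.7", "dst_port": 5555, "method": "GET", "url": "/"}
{"src_ip": "198.51.100.7", "dst_port": 5555, "method": "GET", "url": "/"}
{"src_ip": "198.51.100.7", "dst_port": 5555, "method": "GET", "url": "/"}
{"src_ip": "203.0.113.9", "dst_port": 9000, "method": "PUT", "url": "/test.txt"}
{"src_ip": "203.0.113.21", "dst_port": 443, "method": "GET", "url": "/RDWeb/Pages/en-US/login.aspx"}
{"src_ip": "203.0.113.22", "dst_port": 443, "method": "GET", "url": "/rdweb/pages/en-us/login.aspx"}
{"src_ip": "203.0.113.23", "dst_port": 443, "method": "GET", "url": "/RDWeb/Pages/en-US/login.aspx?x=1"}
this line is not JSON and must be skipped
"""


def parse_records(text):
    """Parse JSON lines into dicts, skipping blank or malformed lines so one
    bad record does not abort a run over millions of them."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def method_summary(records):
    """Map each request method to (count, percent of all requests)."""
    counts = Counter(r["method"].upper() for r in records)
    total = sum(counts.values())
    return {m: (n, round(100 * n / total, 1)) for m, n in counts.most_common()}


def dominant_source(records, ratio=10.0):
    """Return (ip, count, runner_up_count, flag); flag is True when the top
    source sent at least `ratio` times as many requests as the next one.
    The 10x threshold is an assumption for this example."""
    top = Counter(r["src_ip"] for r in records).most_common(2)
    if not top:
        return None, 0, 0, False
    ip, n = top[0]
    runner = top[1][1] if len(top) > 1 else 0
    return ip, n, runner, runner == 0 or n / runner >= ratio


def top_ports(records, n=3):
    """The n most-hit destination ports as (port, count) pairs."""
    return Counter(r["dst_port"] for r in records).most_common(n)


def rdweb_probes(records):
    """Requests for an RD Web login page. Matched case-insensitively on the
    /RDWeb/ prefix and login.aspx filename, ignoring the query string, so the
    locale segment (en-US or other) does not matter (assumption: generalised
    from the single path quoted in the diary)."""
    hits = []
    for r in records:
        path = r["url"].split("?", 1)[0].lower()
        if path.startswith("/rdweb/") and path.endswith("/login.aspx"):
            hits.append(r)
    return hits


def source_spread(hits):
    """Describe how probes are distributed across sources. Many sources with
    no single one dominating is the pattern the RDP diary reads as a botnet;
    the >=3 sources / <=50% share cut-off is an assumption for this example."""
    per_ip = Counter(r["src_ip"] for r in hits)
    if not per_ip:
        return {"sources": 0, "max_share": 0.0, "distributed": False}
    share = per_ip.most_common(1)[0][1] / len(hits)
    return {"sources": len(per_ip), "max_share": round(share, 2),
            "distributed": len(per_ip) >= 3 and share <= 0.5}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("methods:", method_summary(recs))
    print("dominant source:", dominant_source(recs))
    print("top ports:", top_ports(recs))
    print("RDWeb probe spread:", source_spread(rdweb_probes(recs)))
```

Run against a real export, the interesting outputs are the flag from dominant_source (one IP producing tens of millions of requests, as in the August diary) and the spread from source_spread (hundreds of sources each sending a handful of RDWeb probes, as in the RDP entry); the absolute counts matter less than those two shapes.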