Introduction
Hello, and thank you for joining me in my latest blog entry! Today, we’re delving deep into a particularly intriguing Security Operations Center (SOC) Alert from LetsDefend, a platform renowned for its forward-thinking approach to cybersecurity training. LetsDefend stands out in the crowded field of cybersecurity with its commitment to providing a hands-on, immersive learning environment. They offer simulations and real-life scenarios that are critical for cybersecurity professionals to hone their skills in detecting and managing a broad spectrum of cyber threats. This focus on practical, real-world applications is what makes LetsDefend an indispensable tool for those keen on staying ahead in the ever-evolving cybersecurity landscape.
In this installment, we’re focusing on an alert that rings serious alarms, ‘Possible IDOR (Insecure Direct Object References) Attack Detected’, which is the subject of today’s blog entry. This type of attack occurs when an attacker can access data belonging to another user by manipulating the reference to an object, such as a file name or database key, that the application accepts from the client without checking whether the caller is authorized to read it. It’s a subtle yet potentially devastating security flaw that can lead to unauthorized access to sensitive data.
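To make the flaw concrete, here is an added example that is not code from the original post or from LetsDefend: a minimal model of a ‘get_user_info’ handler, first in the IDOR-prone form (the client-supplied user_id is used as the lookup key with no ownership check) and then hardened so the decision is made against the server-side session. The USERS table, the Session class and the handler names are constructed for illustration.

```python
# Added example, not code from the original post or from LetsDefend: a
# minimal model of a get_user_info handler, first in an IDOR-prone form and
# then with a server-side ownership check. USERS, Session and the handler
# names are constructed for illustration.
from dataclasses import dataclass

# Constructed sample records; ids 1..5 mirror the range named in the write-up.
USERS = {
    1: {"name": "alice", "email": "alice@example.test"},
    2: {"name": "bob", "email": "bob@example.test"},
    3: {"name": "carol", "email": "carol@example.test"},
    4: {"name": "dave", "email": "dave@example.test"},
    5: {"name": "erin", "email": "erin@example.test"},
}


@dataclass
class Session:
    """Identity of the caller as established at login (server-side state)."""
    user_id: int
    is_admin: bool = False


def get_user_info_vulnerable(session: Session, params: dict) -> dict:
    """IDOR-prone handler: the client-supplied user_id is used as the lookup
    key with no check that the caller may read that record."""
    user_id = int(params["user_id"])
    record = USERS.get(user_id)
    if record is None:
        return {"status": 404, "body": {}}
    return {"status": 200, "body": record}


def get_user_info_hardened(session: Session, params: dict) -> dict:
    """Hardened handler: the object reference still comes from the request,
    but whether to honour it is decided against the server-side session."""
    try:
        user_id = int(params["user_id"])
    except (KeyError, ValueError):
        return {"status": 400, "body": {}}
    # Ownership check: a user may read only their own record unless admin.
    # Forbidden and missing both answer 404 so the response does not reveal
    # which ids exist.
    if user_id != session.user_id and not session.is_admin:
        return {"status": 404, "body": {}}
    record = USERS.get(user_id)
    if record is None:
        return {"status": 404, "body": {}}
    return {"status": 200, "body": record}


def readable_records(handler, session: Session, ids) -> list:
    """Replay the alert's pattern (one request per user_id from a single
    session) against a handler and return the ids whose records came back.
    Used here to show how much each handler exposes."""
    return [i for i in ids if handler(session, {"user_id": str(i)})["status"] == 200]


if __name__ == "__main__":
    bob = Session(user_id=2)
    print("vulnerable:", readable_records(get_user_info_vulnerable, bob, range(1, 6)))
    print("hardened:  ", readable_records(get_user_info_hardened, bob, range(1, 6)))
```

Run as a script, the vulnerable handler hands user 2 every record from 1 to 5, which is exactly the pattern the alert later reports, while the hardened handler returns only user 2’s own record. The fix is not input validation on user_id (both handlers parse it) but an authorization decision tied to the authenticated session.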
Here’s a breakdown of the key information the alert provides, helping us understand the intricacies of the potential compromise:
- Hostname of Potentially Compromised Computer: The alert pinpoints ‘WebServer1005’ as the machine under threat. This specific hostname helps in quickly identifying and isolating the affected system in a network, preventing the spread of any potential harm.
- Destination IP Address: Identified as ‘172[.]16[.]17[.]15’, this is where the malicious requests are directed. Understanding the destination IP is crucial in tracing the attack’s path and determining what data or services might be targeted.
- Source IP Address: The attack originates from ‘134[.]209[.]118[.]137’. This information is vital for tracking the attack source, initiating a block on further requests from this IP, and possibly uncovering the attacker’s location or network.
- HTTP Request Method: The method used is POST, indicating that data (here, the request parameters) is being sent in the request body to the server.
- Requested URL: ‘https://172[.]16[.]17[.]15/get_user_info/’ has been targeted repeatedly. This specific URL might hold significance, possibly leading to sensitive user information, making it a critical focus area for security teams.
- User Agent: The alert shows ‘Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)’ as the user agent. This identifies an outdated browser (Internet Explorer 6 on Windows XP); a user agent string this old is more likely to have been set by a script or tool than sent by a real browser, and could be a tactic used by attackers to disguise their activities as legitimate traffic.
- Alert Trigger: What set off the alert was ‘consecutive requests to the same page’. This pattern is often a red flag, indicating an automated script or a user repeatedly trying to access or exploit a particular part of the system.
Each of these bullet points contributes to a comprehensive understanding of the attack, enabling cybersecurity professionals to construct a detailed response plan. By analyzing this information, we can pinpoint the attack’s origin, method, and target, and take informed steps to mitigate the threat and strengthen our defenses.
The Case Analysis
Now we’re all set to begin the analysis of this ‘Possible IDOR Attack Detected’ alert.
Understand Why the Alert Was Triggered
We’ve examined the rule name and understood what it implies: the attacker is attempting to exploit an IDOR weakness to retrieve data that does not belong to them.
The IDOR Attack’s origin is pinpointed at the source IP address 134[.]209[.]118[.]137, with the targeted destination IP address being 172[.]16[.]17[.]15.
Referring to our Endpoint Security database, we recognize the destination IP address as belonging to WebServer1005, marking it as the focal point of this security concern.
Collect Data
We will now undertake an examination of the source and destination IP addresses to gain a more comprehensive insight into the circumstances.
We will initiate our investigation starting with the source IP address, identified as 134[.]209[.]118[.]137.
The IP address has been recognized as associated with DigitalOcean, LLC, according to the details provided on Whois.com (https://www.whois.com/whois/134.209.118.137).
This detail is noteworthy, especially given our past observations with previous alerts. DigitalOcean is a widely recognized cloud infrastructure provider known for its array of services, including virtual servers (droplets), managed databases, and scalable storage solutions. The simplicity and speed with which individuals and organizations can deploy and manage virtual servers through DigitalOcean’s services are commendable. However, these same features can also be misused by malicious entities who might leverage the platform’s relative anonymity and flexibility to conduct cyberattacks. Consequently, when we encounter an IP address linked to DigitalOcean, it necessitates a discerning analysis to determine whether it’s a legitimate user or a malicious actor exploiting the platform. Our previous experiences with such scenarios underline the importance of this consideration.
Progressing, we will delve deeper into the IP address analysis by leveraging other cybersecurity research platforms for an enhanced investigation.
- VirusTotal (https://www.virustotal.com/gui/ip-address/134.209.118.137)
On the VirusTotal page for the IP address 134[.]209[.]118[.]137, several security comments have been made by the user Pois0nEy3, providing insights into potentially malicious activities associated with this IP. They reported numerous SSH login attempts using different login IDs. These repeated unauthorized attempts to access servers via SSH indicate a pattern of behavior consistent with a probing or brute-force attack, where an attacker tries various credentials to gain unauthorized access. These comments are significant as they provide a record of suspicious activity associated with this IP address, contributing to its reputation as potentially malicious.
- Cisco Talos (https://talosintelligence.com/reputation_center/lookup?search=134.209.118.137)
According to the Cisco Talos Intelligence website, the IP 134[.]209[.]118[.]137 has a poor sender reputation and is associated with critical spam levels, indicating a history of suspicious or potentially harmful activities.
- AbuseIPDB (https://www.abuseipdb.com/check/134.209.118.137)
Based on information from AbuseIPDB, a service enabling users to report and verify IPs for suspicious activities, this IP address has been flagged 1,543 times. Its ‘Confidence of Abuse’ score stands at 9%, which signifies a moderate yet noteworthy possibility of this IP being involved in malicious activities. Numerous reports have been filed citing various instances of alleged cyber abuse linked to this IP.
All of these resources have flagged this IP address as potentially harmful; we’ll bear this in mind moving forward.
In our Log Management system, we now have the capability to pinpoint every request that triggered the IDOR alert. By examining each request, we observe the variation in POST parameters: the same page is requested over and over with a different user_id each time. Additionally, by reviewing the request URL, we can confirm that the attacker aimed to access user information. Crucially, the HTTP Server Response Status was 200 for each request, indicating that the attacker’s request to the URL and parameters was successful. The server issued HTTP responses with sizes varying between 158 and 351. A response size that changes with each user_id is consistent with a different user record being returned every time, rather than a fixed error or ‘access denied’ page, so this implies that sensitive data was likely extracted from WebServer1005.
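The pattern just described (one source, one URL, a changing user_id, all answered 200, response sizes that vary) can be turned into a detection. What follows is an added example, not code from the original post or from any log management product: a small detector run over constructed log lines. The pipe-delimited layout, the field order and every sample value other than the alert’s own source IP and URL are assumptions made for this example.

```python
# Added example, not from the original post or from any log management
# product: a detector for the request pattern the alert describes, run over
# constructed log lines. The pipe-delimited layout, field order and sample
# values (other than the alert's own source IP and URL) are assumptions.
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Field order assumed for this example:
# time | src_ip | method | url | post_body | status | resp_size
SAMPLE_LOG = """\
2022-02-15 13:40:01 | 134.209.118.137 | POST | /get_user_info/ | user_id=1 | 200 | 158
2022-02-15 13:40:02 | 134.209.118.137 | POST | /get_user_info/ | user_id=2 | 200 | 211
2022-02-15 13:40:03 | 134.209.118.137 | POST | /get_user_info/ | user_id=3 | 200 | 189
2022-02-15 13:40:04 | 134.209.118.137 | POST | /get_user_info/ | user_id=4 | 200 | 351
2022-02-15 13:40:05 | 134.209.118.137 | POST | /get_user_info/ | user_id=5 | 200 | 240
2022-02-15 13:41:10 | 10.0.0.8 | POST | /get_user_info/ | user_id=7 | 200 | 199
2022-02-15 13:41:11 | 10.0.0.8 | POST | /get_user_info/ | user_id=7 | 200 | 199
2022-02-15 13:42:00 | 198.51.100.4 | POST | /get_user_info/ | user_id=10 | 403 | 42
2022-02-15 13:42:01 | 198.51.100.4 | POST | /get_user_info/ | user_id=11 | 403 | 42
2022-02-15 13:42:02 | 198.51.100.4 | POST | /get_user_info/ | user_id=12 | 403 | 42
"""


def parse_line(line: str):
    """Parse one pipe-delimited line into a dict, or return None if the line
    does not have the expected seven well-formed fields."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 7:
        return None
    ts, src, method, url, body, status, size = fields
    try:
        return {
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": src,
            "method": method,
            "url": url,
            "params": dict(p.split("=", 1) for p in body.split("&") if "=" in p),
            "status": int(status),
            "size": int(size),
        }
    except ValueError:
        return None


def detect_idor_enumeration(log_text, key="user_id", min_distinct=3, window_seconds=60):
    """Group requests by (src_ip, url). Within any span of window_seconds,
    flag a group in which requests carrying at least min_distinct different
    values of `key` were all answered 200. The range of response sizes is
    reported as supporting evidence: different records returned give
    different sizes, whereas a fixed error page gives a constant size."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and key in rec["params"]:
            groups[(rec["src"], rec["url"])].append(rec)

    findings = []
    for (src, url), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        best = None  # the window with the most distinct ids for this group
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits in window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            successes = [r for r in recs[start:end + 1] if r["status"] == 200]
            ids = {r["params"][key] for r in successes}
            if len(ids) >= min_distinct and (best is None or len(ids) > len(best[0])):
                best = (ids, successes)
        if best:
            ids, successes = best
            sizes = [r["size"] for r in successes]
            findings.append({
                "src": src,
                "url": url,
                "distinct_ids": sorted(ids, key=lambda v: (len(v), v)),
                "requests": len(successes),
                "size_range": (min(sizes), max(sizes)),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_idor_enumeration(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, only the 134.209.118.137 group is flagged: the internal client repeating a single user_id is not enumeration, and the third source is enumerating but every request is refused with 403, so nothing was disclosed (a blocked attempt is worth a separate, lower-severity rule). The sliding window keeps the logic cheap enough to run as a scheduled search over a web server’s access log.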
We will proceed to collect data straight from the Endpoint Security system.
- Primary User: Identified as ‘webadmin35’.
- Last Login Time: Recorded on Feb 15, 2022, at 01:43 PM.
Examine HTTP Traffic
In the preceding segment, we pinpointed five requests originating from the same source IP address targeting WebServer1005. These attempts successfully extracted user information from the server, marking them as a confirmed IDOR attack.
Is Traffic Malicious?
Based on the comprehensive research undertaken, I am confident in asserting that the traffic is malicious. Here are the reasons:
- Repeated Unauthorized Requests: Multiple requests from the same source IP targeting sensitive information.
- Suspicious Source IP: The source IP has been reported multiple times for malicious activities.
- Successful IDOR Attack: Evidenced by the successful retrieval of user data from WebServer1005.
What Is The Attack Type?
The nature of the assault in this instance is an IDOR (Insecure Direct Object References) attack. Here’s why:
- Direct Object Reference: The requests specifically targeted user information, indicative of direct object manipulation.
- Unauthorized Access: There was successful unauthorized retrieval of sensitive data.
- Pattern of Requests: A series of requests from the same IP aimed at accessing restricted information.
Check If It Is a Planned Test
No correspondence indicates any scheduled maintenance or planned activities on the server.
What Is the Direction of Traffic?
The traffic was traced back to an IP address belonging to DigitalOcean, indicating its origin from the internet.
Was The Attack Successful?
The success of the attack was previously determined based on the HTTP response code (200) and the varying sizes of the responses.
Containment
To mitigate the impact of the IDOR attack, it’s crucial to disconnect the server from the network. This measure is taken to cut off the attacker’s access to further sensitive information.
Investigation Artifacts
- Source IP Address – 134[.]209[.]118[.]137 – IP Address
- Destination IP Address – 172[.]16[.]17[.]15 – IP Address
- Requested URL – https://172[.]16[.]17[.]15/get_user_info/ – URL Address
Do You Need Tier 2 Escalation?
Due to the successful execution of the IDOR attack, it’s imperative to escalate the issue up the chain for immediate and comprehensive response.
Analyst Note
Situation Summary: An IDOR (Insecure Direct Object References) attack has been successfully executed against our server. This incident led to unauthorized access and exfiltration of sensitive data.
Key Details:
- Affected Users: Information pertaining to user_id 1, 2, 3, 4, and 5 has been confirmed as exfiltrated from the server.
- Attack Vector: The attack originated from a DigitalOcean IP address and exploited vulnerabilities in our system.
- Server Response: The server responded with HTTP codes and varying response sizes indicative of a successful data retrieval.
- Immediate Action: The server has been isolated from the network to prevent further access and spread of the attack.
Close Alert
This note confirms the closure of the alert concerning the IDOR attack on our server. After a thorough investigation and analysis, the alert has been validated as a true positive.
Conclusion
In conclusion, our investigation into the malicious IDOR attack has yielded critical insights and actionable steps to enhance our security measures. The findings underscore the importance of continuous vigilance and adaptive defense strategies in the face of evolving cyber threats. We remain committed to safeguarding our systems and data against such attacks. Should there be any questions or further clarifications needed regarding this incident or our security protocols, please feel free to reach out. We are here to assist and ensure a clear understanding of the situation and our response.