Introduction
Hello and welcome to my latest blog post! In today's article I'll be walking through a SOC (Security Operations Center) alert from LetsDefend, a training platform that provides simulated SIEM, endpoint-security and log-management consoles so that analysts can practise triaging realistic alerts end to end. Join me as we dissect this particular alert and work through how an analyst should handle it.
In today’s analysis, we’re going to delve into a challenge involving a suspected SQL Injection payload found in a specific URL. The URL under scrutiny is:
https://172[.]16[.]17[.]18/search/?q=%22%20OR%201%20%3D%201%20--%20-
We will explore the intricacies of this link and understand how it might be used as a part of an SQL Injection attack.
The payload in the query string is URL-encoded (percent-encoded): %22 is a double quote, %20 a space and %3D an equals sign. Percent-encoding is how every browser and HTTP client transmits special characters in a URL, so it is not obfuscation in itself, but a detection rule that matches on the raw request without decoding it first will miss the payload, and attackers sometimes double-encode for exactly that reason. In this instance the SIEM decoded the parameter before matching it, and the decoded value contained the phrase "OR 1 = 1", a classic tautology used in SQL injection attempts, so the request was flagged for review by a SOC analyst.
We can verify the decoding ourselves with any URL decoder. I used CyberChef, which is convenient because its URL Decode operation can be chained with other operations in a recipe (run it twice to unwrap a double-encoded value). The decoded URL is:
https://172[.]16[.]17[.]18/search/?q=" OR 1 = 1 -- -
The Case Analysis
With this comprehensive understanding of the alert in hand, we are now well-prepared to initiate the case and delve deeper into analyzing the situation.
Understand Why the Alert Was Triggered
We have reviewed the rule name and what it implies: the attacker is attempting to exploit an SQL Injection vulnerability in the search function to gain unauthorized access to the database behind it.
The SQL Injection attack’s source IP address is 167[.]99[.]169[.]17 and the destination IP address is 172[.]16[.]17[.]18.
We can identify the destination IP address as WebServer1001 according to our Endpoint Security database.
Additionally, we are able to trace all the network activities originating from the source IP address. Numerous requests were made through port 443 to WebServer1001. The decoded versions of these requests are as follows:
https://172[.]16[.]17[.]18/search/?q=1' ORDER BY 3--+
https://172[.]16[.]17[.]18/search/?q=' OR 'x'='x
https://172[.]16[.]17[.]18/search/?q=' OR '1
https://172[.]16[.]17[.]18/search/?q=%27
https://172[.]16[.]17[.]18/
https://172[.]16[.]17[.]18/search/?q=" OR 1 = 1 -- -
Read in order, these requests are a textbook manual probing sequence. "ORDER BY 3--+" (the + is a form-encoded space) is used to discover how many columns the original query returns, which an attacker needs before building a UNION SELECT. The two "' OR" payloads are tautologies: if the quote breaks out of the string literal, the OR clause makes the WHERE condition true for every row. The lone single quote (%27) is the simplest test of all: if it produces an error page, the parameter is probably reaching the query unsanitized. The final request swaps the single quote for a double quote and adds a trailing comment (-- -), in case the application quotes the value differently.
Collect Data
We will now conduct additional research on the source IP address to further evaluate its reputation.
We can identify the IP address as belonging to DigitalOcean, LLC, as identified on Whois.com (https://www.whois.com/whois/167.99.169.17).
This detail matters because DigitalOcean is a cloud infrastructure provider whose virtual servers (droplets) can be rented and deployed in minutes, which makes its address space popular with attackers as well as with legitimate users. An IP address registered to DigitalOcean is therefore neither proof of malice nor of innocence; it has to be judged on its observed behaviour and reputation.
Moving forward, we will conduct a more thorough investigation of the IP address by utilizing additional cybersecurity research websites.
- VirusTotal (https://www.virustotal.com/gui/ip-address/167.99.169.17/)
- Cisco Talos (https://talosintelligence.com/reputation_center/lookup?search=167.99.169.17#ip-addresses)
- AbuseIPDB (https://www.abuseipdb.com/check/167.99.169.17)
Each of these websites reported a neutral to malicious reputation rating against the IP address.
The findings from VirusTotal further underscore the potential risks associated with the IP address. Several security vendors have flagged the IP as ranging from suspicious to outright malicious. Additionally, there are multiple comments indicating that this IP address has been involved in SSH (Secure Shell) attacks. These attacks were reportedly carried out either through brute force methods, where attackers repeatedly try different credentials to gain access, or by using stolen credentials.
The information from Cisco Talos adds another dimension to our understanding of the IP address in question. According to their report, the reputation of the IP address is currently categorized as neutral. However, they also note a medium level of spam activity originating from this IP.
The data from AbuseIPDB further corroborates the suspicious nature of the IP address, with a range of user reports highlighting SSH login attempts. These reports predominantly detail numerous failed authentication attempts, indicative of potential unauthorized access attempts. Such patterns of behavior, especially repeated failed logins, are often associated with brute force attacks or attempts to use compromised credentials. This consistent theme across different cybersecurity platforms emphasizes the need for heightened awareness and potentially increased security measures regarding interactions with this particular IP address.
Examine HTTP Traffic
Given the requests above, the traffic from the source IP address follows typical SQL Injection techniques: quote-breakout tests, tautologies, comment sequences and an ORDER BY column-count probe. Each request manipulates the search parameter in an attempt to change the query the application sends to its database.
Is Traffic Malicious?
Based on the investigation, we can confidently conclude that the traffic from the source IP address is malicious. The requests themselves show a consistent SQL Injection probing sequence, and the reputation data from VirusTotal, Cisco Talos and AbuseIPDB (SSH brute-force reports and spam activity from the same address) corroborates that assessment.
What Is The Attack Type?
Our analysis has led to the determination that the primary attack vector in this incident is an SQL Injection.
Check If It Is a Planned Test
Based on our investigation, we found no indications to suggest that this alert was triggered as a false positive due to a penetration test. The evidence gathered and analyzed points towards a genuine security threat, rather than a controlled testing scenario.
What Is the Direction of Traffic?
Our investigation revealed that the source IP address is linked to Digital Ocean LLC, indicating that the malicious traffic originated from an external cloud infrastructure provider. This means that the direction of the malicious activity was from the Internet towards the Company Network.
Check Whether the Attack Was Successful
The command history on WebServer1001 shows no attacker activity, so there is no evidence of post-exploitation on the host. That is a useful negative, but shell history is not where a SQL Injection succeeds or fails: the injected payload is executed by the database, not by a shell, so the decisive evidence is the HTTP response to each request together with the application and database logs.
According to our log management system, the HTTP response status for the alert request was 500. A 500 is an internal server error; for an injection probe this usually means the injected characters made the query fail rather than return data, so this request did not extract anything. The same status is also a caveat worth recording: an application that answers an injected quote with a server error is telling us that the input is probably reaching the query unsanitized, which is a finding for the application owners even though the attack itself was unsuccessful.
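To see why each payload produces a different server response, the following added example (my own code, not WebServer1001's) replays the observed payloads against a hypothetical search handler backed by an in-memory SQLite database, with the injectable handler beside its parameterised replacement. The products table, the LIKE query and its single-quote style are assumptions; the real application's query is not visible in the scenario. A constructed ORDER BY 4 probe is included alongside the observed ORDER BY 3 to show what a failed column-count probe looks like.

```python
"""Replay observed SQL injection payloads against a hypothetical search handler.

Added example. The products table, the LIKE query and its single-quote style are
assumptions for the demonstration; WebServer1001's real query is not visible in the scenario.
"""
import sqlite3
from typing import Callable, Dict, List, Tuple

# The decoded payloads from the alert, plus one constructed probe (ORDER BY 4, not observed)
# to show what an out-of-range column-count probe looks like.
PAYLOADS = {
    "order_by_probe_3": "1' ORDER BY 3-- ",
    "order_by_probe_4": "1' ORDER BY 4-- ",   # constructed, not in the alert
    "tautology_x": "' OR 'x'='x",
    "tautology_1": "' OR '1",
    "bare_quote": "'",
    "alert_payload": '" OR 1 = 1 -- -',
}

Handler = Callable[[sqlite3.Connection, str], List[Tuple]]


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with a three-column products table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "keyboard", 40.0), (2, "monitor", 150.0), (3, "mouse", 15.0)],
    )
    return conn


def vulnerable_search(conn: sqlite3.Connection, q: str) -> List[Tuple]:
    """Injectable handler: the search term is concatenated into the SQL text."""
    sql = f"SELECT id, name, price FROM products WHERE name LIKE '%{q}%'"
    return conn.execute(sql).fetchall()


def safe_search(conn: sqlite3.Connection, q: str) -> List[Tuple]:
    """Hardened handler: the term is bound as a parameter and can never become SQL syntax."""
    sql = "SELECT id, name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{q}%",)).fetchall()


def simulate(handler: Handler, q: str) -> Dict:
    """Run one request and report what an access log would show: status and row count.

    A database error is mapped to HTTP 500, as an unhandled exception would be."""
    conn = make_db()
    try:
        rows = handler(conn, q)
    except sqlite3.Error as exc:
        return {"status": 500, "rows": 0, "error": str(exc)}
    finally:
        conn.close()
    return {"status": 200, "rows": len(rows), "error": None}


def replay() -> Dict[str, Tuple[Dict, Dict]]:
    """Outcome of every payload against the vulnerable and the hardened handler."""
    return {name: (simulate(vulnerable_search, q), simulate(safe_search, q))
            for name, q in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in replay().items():
        print(f"{name:18} vulnerable: {vuln['status']} {vuln['rows']} rows"
              f"   safe: {safe['status']} {safe['rows']} rows")
```

Under this hypothetical handler the bare quote and the out-of-range ORDER BY fail with a database error (the HTTP 500 case), the two single-quote tautologies return every row with a 200 (which is what a successful injection looks like in an access log: the same status as a normal search, but an unusually large response), and the double-quoted alert payload is inert because it never leaves the single-quoted literal. The 500 that the log management system recorded for that payload therefore means the real handler is not shaped like this one, or the error came from elsewhere in the application, which is exactly why the application and database error logs, rather than shell history, decide whether an injection reached the query. The parameterised handler returns 200 with no rows for every payload.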
Investigation Artifacts
- Source IP Address – 167[.]99[.]169[.]17 – IP Address
- Destination IP Address – 172[.]16[.]17[.]18 – IP Address
- Malicious URL – https://172[.]16[.]17[.]18/search/?q=%22%20OR%201%20%3D%201%20--%20- – URL Address
Do You Need Tier 2 Escalation?
Tier 2 escalation is not necessary in this instance because the attack was unsuccessful and there is no indication of host compromise. The server error returned for an injection probe should still be passed to the application owners for review.
Analyst Note
Understanding the Alert
The alert was triggered due to the presence of an SQL Injection pattern in the URL, a common tactic for unauthorized system or data access. The source IP is 167[.]99[.]169[.]17, targeting our WebServer1001 at 172[.]16[.]17[.]18. Network activities from this source IP show several requests, all resembling suspicious techniques.
Collecting Data
Further investigation into the source IP, which is registered to DigitalOcean, LLC, reveals its potential dual nature – it could be a benign user or a malicious entity exploiting the cloud’s anonymity. The reputation of this IP across various platforms like VirusTotal, Cisco Talos, and AbuseIPDB ranges from neutral to malicious, with indications of SSH attacks and spam activities.
Success of the Attack
The command history shows no attacker activity on the host, and the log management system shows an HTTP 500 for the injected request, so the payload produced an error rather than data and the server's integrity appears intact. The error response itself suggests the search parameter should be reviewed by the application team.
Close the Alert
The alert in question was a true positive, necessitating a thorough investigation to ascertain both the intent and the effectiveness of the attack.
Conclusion
As we conclude this deep dive into the SOC alert from LetsDefend, the key findings are these: a SQL Injection attack was aimed at the search function of WebServer1001, and the investigation showed that it did not succeed in compromising the server.
Our analysis used CyberChef to decode the payload and VirusTotal, Cisco Talos and AbuseIPDB to assess the source IP, which is registered to DigitalOcean LLC and has prior reports of SSH brute-force and spam activity. The direction of the traffic was from the Internet towards the Company Network, and despite its intent the attack did not achieve its objective.
The evidence for that conclusion is the absence of attacker activity in the command history and the HTTP 500 response to the injected request, which indicates a failed query rather than a breach, while also marking the search parameter as something the application owners should review.
This incident is a reminder that decoding the payload, reconstructing the attacker's probing sequence and checking the server's responses are what turn a pattern-match alert into a confident verdict, and that an unsuccessful attack can still surface something worth passing on to the application team.