Security report Usuario de Test

Size: px

Start display at page:

Download "Security report Usuario de Test"

Francis Stephens
5 years ago
Views:

1 Security report Usuario de Test Servidor Cloud Period: 2018/MAY/ /MAY/20

2 INDEX SUMMARY 2 Overview 3 Comparison with other users 5 Services and IPs included in this report 6 Traffic 7 Inbound and outbound traffic 8 Inbound and outbound traffic by country 8 Traffic by source IP 9 Key aspects 10 Applications 11 Applications by relevance 12 Applications by amount of threats (TOP 5) 14 Key aspects 16 Threats 17 Blocked threats 19 Key aspects 21 Logged Threats 22 Key aspects 24 Authentication 25 Key aspects 30

3 Key data 31 Network global key aspects 32 Definitions and countermeasures 33 Overflow vulnerability 34 Brute force attack 35 Code execution attack 36 Information leak risk 37 THREAT SPOTLIGHT 38 Threat Summary 39 Threats by Host 41 Host Talk to an expert 49 Need help with the report? 50

4 SUMMARY The first part of this report is a summary of the data obtained by our Next Generation Firewall, including threats, most affected hosts and other statistical data that enable your IT team to make effective decisions. Security report... 2

5 1 Overview Security report... 3

6 Below is an overview of threats detected and blocked during the last 7 days. According to the current sensitivity settings, MEDIUM, HIGH o CRITICAL profile threats have been blocked. Period: 2018/MAY/ /MAY/20 88 detected threats 86 blocked threats 66 illegitimate access attempts Security report... 4

7 Comparison with other users Below displayed is relevant data of your IT infrastructure in comparison to other clients. Network applications There is a +1100% difference between the average number of applications in your hosts and the rest of our users. This report 24 Other users 2 Average threats per host There is a -26% difference between the average number of threats of your hosts and the rest of our users. This report 88 Other users 119 Average intrusion attempts per host There is a -10% difference between the average amount of intrusion attempts to the hosts included is this report and the rest of our users. This report 66 Other users 74 Security report... 5

8 Services and IPs included in this report The table below contains a list of all hosts included in this report. SERVICE IP THREATS AUTHENTICATION FILES Servidor Cloud Security report... 6

9 2 Traffic Security report... 7

10 The traffic summary displays relevant information about data transfered to and from each host, about changes since the last report as well as a list of relevant countries, applications and protocols. Inbound and outbound traffic Shown here is data traffic of all hosts included in this report as well as the difference in comparison to the last report. Large variations might indicate suspicious activity. SERVICE IP INBOUND IN DIFF. OUTBOUND OUT DIFF. Servidor Cloud MB +97% 7 MB +92% Inbound and outbound traffic by country The segmentation of traffic by country makes it possible to detect suspicious connections. INBOUND OUTBOUND United States 50% Spain 99% Hong Kong 14% United States <1% Russian Federa 10% Poland <1% China 7% Germany <1% Ireland 5% United Kingdom <1% Security report... 8

11 Traffic by source IP Displayed are the main IP adresses with which hosts have established incoming and outgoing connections. INBOUND OUTBOUND % % % <1% % <1% % <1% % <1% Security report... 9

12 Key aspects The traffic section allows detecting anomalies that could be an indication of suspicious activity in your hosts. Each company has different activity cycles which can vary from week to week. It is for this reason that it is important to check if any changes in the results of this report correspond to a change made in the company (a campaign, an internal event, a product launch, etc.). The host with most activity this week has been Servidor Cloud. The country from which most traffic has been received was United States (inbound) and Spain(outbound). Are these countries expected? We recommend reviewing the IP addresses listed in this report to make sure they correspond to legitimate connections. Security report... 10

13 3 Applications Security report... 11

14 Our Next Generation Firewall allows discriminating traffic according to the application that originated it. This unique feature of a layer 7 firewall is key for the prevention of threats, applying specific solutions and detecting risk factors with much more efficiency. Applications by relevance The table below includes a complete list of all applications detected by our Next Generation Firewall. APPLICATIONS INBOUND SESSIONS OUTBOUND SESSIONS THREATS smtp incomplete mysql web-browsing insufficient-data unknown-tcp ssh pop ftp imap t ms-rdp Security report... 12

15 ssl webdav socks http-proxy irc-base unknown-udp ms-ds-smb-base rsync oracle tacacs-plus rmi-iiop mssql-db Security report... 13

16 Applications by amount of threats (TOP 5) These are the 5 applications that have received the most threats (either blocked or just logged). Detailed information on the nature of these threats, prevention measures and necessary techniques can be found in the "Threat Spotlight" section of this report. mysql A total of 55 threats have been blocked for this application. THREATS CATEGORY RISK ATTEMPTS MySQL Authentication Brute Force At brute-force HIGH 55 web-browsing A total of 14 threats have been blocked for this application. THREATS CATEGORY RISK ATTEMPTS Apache Struts Jakarta Multipart Par code-execution CRITICAL 3 Oracle WebLogic WLS Security Compon code-execution HIGH 9 ZmEu Scanner Detection(34605) info-leak LOW 2 smtp A total of 11 threats have been blocked for this application. THREATS CATEGORY RISK ATTEMPTS MAIL: User Login Brute Force Attemp brute-force HIGH 11 webdav Security report... 14

17 A total of 8 threats have been blocked for this application. THREATS CATEGORY RISK ATTEMPTS Microsoft IIS WebDAV ScStoragePathF overflow CRITICAL 8 Security report... 15

18 Key aspects One of the key features of our Next Generation Firewall is its ability to detect which application originates or receives certain types of traffic. This list allows detecting illicit activity and becoming aware of which applications pose a greater risk. It is indispensable to compare the applications in this list with those authorized and recognized by the company. Hosts included in this report have sent or received traffic using a total of 24 applications. The average of our clients is 2 applications. The most common application for the hosts included in this report is smtp (Inbound) and ntp(outbound). The five most common applications accumulate a total of 88 vulnerabilities. Among them, 11 are reviews. They should be taken into consideration immediately! The most vulnerable applications in your hosts are: mysql, web-browsing, smtp, webdav Please download the CSV file from your control panel to know in detail all threats that have occurred for each affected application and host. Security report... 16

19 4 Threats Security report... 17

20 Following up we present a summary and list of threats detected by our next generation firewall. First we'll present threats that have been blocked in real time according to the chosen sensitivity settings. Afterwards, we'll present threats that fall below the established severity threshold and have thus been logged but not blocked. 88 Total detected (-35%) 2 86 Logged Blocked (with MEDIUM, HIGH o CRITICAL profile) Security report... 18

21 Blocked threats Our NGFW has blocked a total of 86 threats with MEDIUM, HIGH o CRITICAL severity. This represents a variation of -34% in comparison to the last report. Most relevant threats (top 5) Threats displayed below have been blocked in real time. They have effectively been prevented from reaching their destination. THREATS CATEGORY ATTEMPTS CLASSIFICATION Microsoft IIS WebDAV ScStoragePathFrom overflow 8 CRITICAL Apache Struts Jakarta Multipart Parser code-execution 3 CRITICAL MySQL Authentication Brute Force Attem brute-force 55 HIGH MAIL: User Login Brute Force Attempt(4 brute-force 11 HIGH Oracle WebLogic WLS Security Component code-execution 9 HIGH More affected applications These applications currently pose a greater risk to your IT infrastructure by concentrating the largest amount of serious threats. mysql 63% web-browsing 13% smtp 12% webdav 9% Security report... 19

22 Threat source Knowing the origin of threats can be useful when setting up prevention mechanisms or filtering rules. China 66% United States 13% Italy 5% Korea Republic Of 5% Netherlands 3% Threat destination The threat target list lets you know which hosts are most heavily threatened and require more immediate attention to prevent potential risk factors. Servidor Cloud 100% Security report... 20

23 Key aspects Threats are blocked by our Next Generation Firewall in real time according to the severity settings chosen in the control panel. All blocked threats included in this report have been successfully intercepted and all of them have been prevented from reaching the destination host. These threats are an essential source of information to detect potential vulnerabilities and take preventive measures to protect hosts according to the risk level. Blocked severity profiles have been: MEDIUM, HIGH o CRITICAL (according to user configuration) Our NGFW has blocked an average of 88 threats per host. The average for our clients is 119 threats per host. The amount of blocked threats this week has had a variation of -34% in comparison to last week. The most affected applications are mysql, web-browsing, smtp, webdav. Please review the current security configuration for the listed applications. The most common types of threats have been overflow, code-execution, brute-force. The most common source for blocked threats have been China. Security report... 21

fall below the severity threshold specified in the current user configuration.

24 Logged Threats Our NGFW has logged, but not blocked, a total of 2 threats with LOW severity profile. Most relevant threats (top 5) Threats displayed have been logged by our Next Generation Firewall but haven't been blocked as they fall below the severity threshold specified in the current user configuration. THREATS CATEGORY ATTEMPTS CLASSIFICATION ZmEu Scanner Detection(34605) info-leak 2 LOW More affected applications These applications concentrate the largest amount of logged threats. web-browsing 100% Security report... 22

25 Threat source Knowing the origin of threats can be useful when establishing mechanisms of prevention or filtering rules to prevent other threats. Germany 50% United States 50% Threat destination The threat target list lets you know which hosts are targeted the most and need to be reviewed to prevent potential risks. Servidor Cloud 100% Security report... 23

26 Key aspects Threats logged by our Next Generation Firewall are a source of vital information to know the security state of your infrastructure and, thus, to be able to prepare preventive security measures that contribute to protect the hosts. These threats haven't been blocked because their severity level fell below the established threshold. Remember that the sensitivity of the real-time blocking module can be adjusted at any time from your control panel. Registered severity profiles have been: LOW (according to the current user configuration). Our NGFW has detected an average of 88 threat attempts per host. The average for our clients is 119 threat attempts per host. The amount of detected threats this week has increased a -35% in comparison to the last report. The most affected applications have been web-browsing. The most common threat types have been info-leak. The most common origin for detected threats has been Germany. Security report... 24

27 5 Authentication Security report... 25

28 This summary and the subsequent log list brute force access attempts to monitored hosts. This information might give you indications on where to strengthen or review your security measures. Most relevant brute force attempts (top 5) The table below summarizes the main attempts to intrude on hosts by brute force. It is noteworthy that some of these attacks are performed in an automated manner to any system connected to the internet. Generally they do not pose a meaningful risk as long as the operating system is being kept updated, configuration files have been reviewed and passwords are strong enough. PROTOCOL SERVICES IP ATTEMPTS MySQL Authentication Brute Force At Servidor Cloud MAIL: User Login Brute Force Attemp Servidor Cloud Security report... 26

29 Most relevant source IPs The following IPs accumulate a larger amount of intrusion attempts to the hosts included in this report % % % % % Threat destination The following list ranks hosts in your network affected by illegitimate authentication attempts. Servidor Cloud 100% Source IPs of established sessions These are the IP addresses from which login attempts to your hosts have taken place, displaying at least the login prompt (does not imply a succesful login). Are these known IP addresses? % % % % % % % % % % % Security report... 27

30 % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % % Security report... 28

31 % % % % % % % % % % % % % % % Security report... 29

32 Key aspects The authentication section lists the brute-force threats that can compromise your hosts. We recommend paying special attention to these threats and immediately implement preventive measures, such as automatic IP detection and blocking systems. We also recommend that you review the configuration of all affected applications and protocols. We remind you that all here listed threats have a CRITICAL severity profile and have been blocked in real time according to the current user configuration. An average of 66 authentication/intrusions attempts per host have been detected. The average for our clients is 74 attempts per host. We recommend blocking the IP addresses from which the aforementioned authentication and intrusion attempts originated. Security report... 30

33 6 Key data Security report... 31

34 According with the data presented in this report, we include a non-comprehensive list of the most important aspects that should be taken into account. Network global key aspects Your total traffic has grown by 50% over the last report. You should contact us immediately to enhance your systems and prevent failures. Your outgoing traffic has grown by 50% over the last report. This may indicate that an attack is being launched from your systems. We have detected that a huge amount of threats on your systems are focused on a single application. You should check that application for its security risks and consider updating or replacing it. The total amount of threats flowing through your network has increased in comparision of the global. According to this, you may think about increasing your security services or optimizing them. This list has been generated automatically and is not comprehensive. Please consider talking to one of our cibersecurity experts to obtain more key data and advice on how to protect yourself from detected threats. Security report... 32

35 7 Definitions and countermeasures Security report... 33

36 Following up we present information, advice and key data on the most relevant threats included in this report. The purpose of this information is to provide your IT team useful advice that can be implemented immediately, especially in the case of critical threats. Overflow vulnerability (+100%) A buffer overflow exploit has been detected on your traffic. These kind of exploits can allow an attacker to execute code on your machine in a remote way. Severity: CRITICAL This period: 8 (+100%) Most affected host: Servidor Cloud Affected applications: webdav Countermeasures There are certain considerations to take into account in order to protect our applications: The best solution for avoiding this vulnerability is to keep your systems updated as these kind of exploits tend to affect outdated versions of programs. Security report... 34

Brute force attack (-48%) A brute force attack consists of an attacker trying to break into a single machine or a group of machines by trying simultaneously a huge amount of passwords.

37 Brute force attack (-48%) A brute force attack consists of an attacker trying to break into a single machine or a group of machines by trying simultaneously a huge amount of passwords. These attacks are so common in internet nowadays. Severity: HIGH This period: 66 (-48%) Most affected host: Servidor Cloud Affected applications: mysql Countermeasures There are certain considerations to take into account in order to protect our applications: The best solution for these attacks is to enable good firewall policies as well as software access policies to avoid recurrent connections to the same service. Security report... 35

Code execution attack (+1100%) Code execution is one of the most dangerous security threats in every network. Code execution risks may be related with exploit attacks or malware spreading campaigns.

38 Code execution attack (+1100%) Code execution is one of the most dangerous security threats in every network. Code execution risks may be related with exploit attacks or malware spreading campaigns. Ransomware is one of the most code execution threats. Severity: HIGH This period: 12 (+1100%) Most affected host: Servidor Cloud Affected applications: web-browsing Countermeasures There are certain considerations to take into account in order to protect our applications: The best solution for mitigating this kind of threats is to enable a good layer7 firewall filtering policy for blocking this kind of threats. Other good recommendations include keeping the system update and install native security software such as anti virus or anti rootkit programs. Security report... 36

39 Information leak risk (-33%) Information leaking is a common problem in modern computer internal and external networks. Critical information prone to be leaked may include: bank account numbers, credit cards, personal mails, addresses or telephone numbers. Our systems have detected personal traffic flowing through your network. Severity: LOW This period: 2 (-33%) Most affected host: Servidor Cloud Affected applications: web-browsing Countermeasures There are certain considerations to take into account in order to protect our applications: The network administrator should make sure that no sensitive information is moved through the network without using encryption as well as make sure that it's users are following an internal security policy. Security report... 37

40 THREAT SPOTLIGHT The second part of this report includes detailed information about all threats detected by our Next Generation Firewall. Threats are displayed by host, sorted by severity and include up to date CVE data. Security report... 38

41 8 Threat Summary Security report... 39

42 Below you'll find a general overview of all threats detected on your network by our Next Generation Firewall. Both threats that have been effecitively blocked and threats that have only been logged are included to help you find a long term solution to possible vulnerabilities Critical High 0 2 Medium Low Security report... 40

43 9 Threats by Host Security report... 41

44 Host In the following pages you'll find information about the severity and the description of every threat detected for the host Critical 88 Threats 75 High 0 Medium 2 Low Security report... 42

45 Threat ID: (Critical) Host: Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow Vulnerability Microsoft Internet Information Services is prone to a buffer overflow vulnerability while parsing certain crafted WebDAV requests. The vulnerability is due to improper validation of one of the headers, leading to an exploitable buffer overflow. A remote attacker could exploit this vulnerability by sending a crafted request to the vulnerable application. Successful exploitation could result in denial of service conditions or, in the worst case, arbitrary code execution in the context of the user running the application. Category CVE CVE References Security report... 43

46 Threat ID: (Critical) Host: Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability Apache Struts is prone to a remote code execution vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on Content-Type in the HTTP request, leading to an exploitable remote code execution. An attacker could exploit the vulnerability by sending a crafted HTTP request. A successful attack could lead to remote code execution with the privileges of the server. Category code-execution CVE CVE References Security report... 44

47 Threat ID: (High) Host: MAIL: User Login Brute Force Attempt This event indicates that someone is using a brute force attack to gain access to mail server through smtp/pop3/imap authentication request. Category brute-force Security report... 45

48 Threat ID: (High) Host: MySQL Authentication Brute Force Attempt This event indicates that someone is doing a brute force attack and try to authenticated to the MySQL server. Category brute-force Security report... 46

49 Threat ID: (High) Host: Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability Oracle WebLogic is prone to a remote code execution vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on payloads in HTTP requests, leading to an exploitable remote code execution. An attacker could exploit the vulnerability by sending a crafted HTTP request. A successful attack could lead to remote code execution with the privileges of the server. Category CVE CVE References Security report... 47

50 Threat ID: (Low) Host: ZmEu Scanner Detection This signature indicates that an attacker is trying to collect information about the network by using the ZmEu scanner. Category info-leak Security report... 48

51 10 Talk to an expert Security report... 49

52 SW Girona SW Madrid Data Center Salas 1 y 2 Data Center Sala 3 SW Building Edif. GlobalSwitch c/ Ponent, c/ Yécora, Fornells de la Selva Madrid Girona (Spain) Madrid (Spain) info@swhosting.com madrid@swhosting.com tlf tlf fax fax Need help with the report? Remember that you can contact our IT security experts for personalized assistance in interpreting the report and getting the most out of it. Using SW Panel you can create Security Tickets and we will gladly help you to resolve any doubts or queries about the incidents and threats that have been detected in this report.

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications