Brute Force Attack on Firewall Stopped

The Network: A nonprofit organization in healthcare research using Netsurion Managed XDR to supplement their IT team.

The Expectation: Robust and up-to-date (next-gen firewall) prevention mechanisms thwart most common attacks, but since perfect protection is not practical, monitoring is also necessary. Perimeter firewalls are critical in any given environment and should have 100% uptime (availability).

The Catch: Netsurion’s SOC analysts observed over 1,500 attempts from various IP addresses to connect to the outside interface of the firewall via ssh v1, all within a short span of time. The firewall was accepting ssh v1 connections on the outside interface, which could allow attackers to brute-force their way into the firewall itself. In addition, ssh v1 does not support strong encryption and has an integer overflow vulnerability that allows attackers to run code with root access. ssh v2 protects against eavesdropping by encrypting all traffic with 3DES/AES and uses MAC algorithms for integrity checking.

The Find: Netsurion’s firewall logon reports had been configured during installation and were instrumental in uncovering this attack.

The Fix: ssh v1 had been enabled on the outside interface of the firewall and had been exposed in the customer environment for a period of time. This is a weak configuration that invites attack. Attackers scanning this firewall had identified the misconfiguration and were working to exploit it. Netsurion’s SOC analyst immediately notified the customer, who quickly disabled ssh v1 and closed access to the outside interface of the firewall.

The Lesson: Management connections to the firewall should be allowed only from the inside network. Connections should be accepted only via ssh v2, never ssh v1, since ssh v1 is not secure. Robust 24×7 cybersecurity expertise can help rapidly detect and identify cybersecurity threats.
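As an added illustration of the detection described in The Catch and The Find (example code written for this page, not Netsurion's own logic or log format), the following runs two checks over constructed firewall log lines in a generic syslog-like shape: it flags any ssh v1 session accepted on the outside interface, and it flags a burst of management-port connection attempts on the outside interface within a sliding time window. The log format, field names and the low burst threshold are assumptions for the demo.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (assumed generic format, not a vendor's):
# "<timestamp> fw iface=<name> src=<ip> dport=22 sshver=<1|2> action=<accept|deny>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 fw iface=outside src=198.51.100.7 dport=22 sshver=1 action=accept
2024-05-01T10:00:02 fw iface=outside src=198.51.100.8 dport=22 sshver=1 action=accept
2024-05-01T10:00:03 fw iface=outside src=203.0.113.5 dport=22 sshver=1 action=accept
2024-05-01T10:00:04 fw iface=outside src=198.51.100.7 dport=22 sshver=1 action=accept
2024-05-01T10:00:05 fw iface=outside src=203.0.113.9 dport=22 sshver=1 action=accept
2024-05-01T10:12:00 fw iface=inside src=10.0.0.5 dport=22 sshver=2 action=accept
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw iface=(?P<iface>\S+) src=(?P<src>\S+) dport=22 "
    r"sshver=(?P<ver>\d) action=(?P<action>\S+)$"
)

def parse(log_text):
    """Parse the constructed log format into a list of event dicts; unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def detect(events, window=timedelta(minutes=5), threshold=3):
    """Return findings: ssh v1 accepted on the outside interface, and the first
    burst of >= threshold outside-interface attempts within `window`."""
    findings = []
    outside = sorted((e for e in events if e["iface"] == "outside"), key=lambda e: e["ts"])
    # Check 1: any accepted ssh v1 session on the outside interface is a misconfiguration
    v1_sources = sorted({e["src"] for e in outside if e["ver"] == "1" and e["action"] == "accept"})
    if v1_sources:
        findings.append(("ssh_v1_accepted_outside", v1_sources))
    # Check 2: sliding window over outside-interface attempts, regardless of source IP,
    # since the page's attack came from many addresses rather than one
    start = 0
    for end, e in enumerate(outside):
        while e["ts"] - outside[start]["ts"] > window:
            start += 1
        span = outside[start:end + 1]
        if len(span) >= threshold:
            findings.append(("outside_ssh_burst", len(span), len({x["src"] for x in span})))
            break
    return findings
```

The threshold here is deliberately tiny so the constructed sample trips it; in practice it would be tuned to the environment's normal management traffic, which on an outside interface should be zero.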