argunsah 0 Posted October 23, 2022 Posted October 23, 2022 Hello, Our IT shared this document with us saying that one of our computers tried to attack some other computer in the network. But the date is 25 October, which is in the future. Is it possible that this detection was an error? Best, Ali from University of Zurich, Brain Research Institute DOC-20221022-WA0000..pdf
Administrators Marcos 5,451 Posted October 23, 2022 Administrators Posted October 23, 2022 It's unlikely to be an FP; the brute-force attack should be visible also in a pcap log created without ESET being installed.
argunsah 0 Posted October 23, 2022 Author Posted October 23, 2022 When we run ESET, it does not detect any malware on the computer that was reported to be causing the brute-force attack. Is this normal?
Administrators Marcos 5,451 Posted October 23, 2022 Administrators Posted October 23, 2022 It's normal. The brute-force attack can be caused by the user himself by repeatedly trying to authorize with an invalid password.
argunsah 0 Posted October 23, 2022 Author Posted October 23, 2022 (edited) So it may not be malware? Even if we are sure that no human user did an attack? Edited October 23, 2022 by argunsah
itman 1,801 Posted October 23, 2022 Posted October 23, 2022 14 hours ago, argunsah said: But the date is 25 October which is future. Re-sync Windows time setting on the device showing this date. Wrong time settings in Windows can cause all kinds of issues.
argunsah 0 Posted October 24, 2022 Author Posted October 24, 2022 19 hours ago, Marcos said: It's normal. The brute-force attack can be caused by the user himself by repeatedly trying to authorize with an invalid password. IT said there was no user involved. They wrote: This is a System attack on the RDP port, there is no need for a logged-in User.
argunsah 0 Posted October 24, 2022 Author Posted October 24, 2022 17 hours ago, itman said: Re-sync Windows time setting on the device showing this date. Wrong time settings in Windows can cause all kinds of issues. IT people did not comment on the date of their report being in the future yet. We cannot re-detect the malware if there ever was one and cannot have any further info yet. So frustrating.
Administrators Marcos 5,451 Posted October 24, 2022 Administrators Posted October 24, 2022 19 minutes ago, argunsah said: IT people did not comment on the date of their report being in the future yet. We cannot re-detect the malware if there ever was one and cannot have any further info yet. So frustrating. We might be able to get more info from system logs from the machine that was "brute-force attacked". Will send you more info via a personal message momentarily.
itman 1,801 Posted October 24, 2022 Posted October 24, 2022 (edited)
4 hours ago, argunsah said: IT said there was no user involved. They wrote: This is a System attack on the RDP port, there is no need for a logged-in User.
My best guess as to the source of the SMB attack is shown in the below MalwareBytes article excerpt. Namely, there is an infected device on the corp. network that is initiating the SMB attack. I would start with a thorough inspection of the device showing an invalid date.
Quote
Once the machine is restarted, the malware will be executed as well. After its execution, the malware will start its propagation process: the malware will generate IP ranges and start scanning them on port 445. When a machine responds to the SMB probe on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords, or by trying to establish a null session. One interesting detail is that the malware will install an IPv6 interface on the infected machine to allow the malware to port scan IPv6 addresses as well as to maximize the efficiency of the spread over (usually unmonitored) IPv6 subnets.
https://www.malwarebytes.com/blog/news/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread
SMB processing uses the SMB protocol. Assumed is this is what Eset is keying off of to determine this was a SMB attack. The SMB protocol uses ports 139 and 445. What is possible is there was a successful external network RDP attack. This set the stage for a subsequent malware infection that performed the SMB attack.
Edited October 24, 2022 by itman
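Two points raised in this thread can be checked independently of any one product: Marcos notes that a brute-force attempt leaves a trace in ordinary network or authentication logs, and itman points out that a wrong system clock (the "25 October" report date) corrupts time-based correlation. The script below is an added example written for this thread; it is not ESET's, the forum's, or MalwareBytes' code. It parses a constructed, simplified authentication log (the line layout, IP addresses and usernames are all invented for the example), flags a source that piles up failed logons against SMB (445) or RDP (3389) inside a sliding time window, and separately lists events stamped later than the time the report was read. It assumes the log lines are already in chronological order.

```python
"""Detect SMB/RDP password-guessing bursts and future-dated events in an auth log.

Sample data and the log line layout are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <src_ip> <dst_ip>:<dst_port> <outcome> user=<name>"
SAMPLE_LOG = """\
2022-10-22T09:00:01 10.1.4.17 10.1.4.40:445 AUTH_FAIL user=admin
2022-10-22T09:00:02 10.1.4.17 10.1.4.40:445 AUTH_FAIL user=administrator
2022-10-22T09:00:02 10.1.4.17 10.1.4.40:445 AUTH_FAIL user=backup
2022-10-22T09:00:03 10.1.4.17 10.1.4.40:445 AUTH_FAIL user=guest
2022-10-22T09:00:03 10.1.4.17 10.1.4.40:445 AUTH_FAIL user=test
2022-10-22T09:00:04 10.1.4.17 10.1.4.40:445 AUTH_FAIL user=scan
2022-10-22T09:00:05 10.1.4.17 10.1.4.41:445 AUTH_FAIL user=admin
2022-10-22T09:00:06 10.1.4.17 10.1.4.42:445 AUTH_FAIL user=admin
2022-10-22T09:01:10 10.1.4.22 10.1.4.40:3389 AUTH_FAIL user=alice
2022-10-22T09:03:30 10.1.4.22 10.1.4.40:3389 AUTH_FAIL user=alice
2022-10-22T09:03:45 10.1.4.22 10.1.4.40:3389 AUTH_OK user=alice
2022-10-25T14:12:00 10.1.4.17 10.1.4.43:445 AUTH_FAIL user=admin
"""

# Services the thread is concerned with: SMB on 445, RDP on 3389.
WATCHED_PORTS = {445: "SMB", 3389: "RDP"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<outcome>AUTH_OK|AUTH_FAIL)"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "outcome": m["outcome"],
    }


def detect_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Alert when one source accumulates >= threshold failed logons to one
    watched service within `window`. Uses a sliding window per (src, port);
    the window is cleared after an alert so a long burst yields one alert
    rather than one per extra failure. Assumes chronological input."""
    recent = defaultdict(deque)  # (src, port) -> deque of (timestamp, dst)
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["port"] not in WATCHED_PORTS or ev["outcome"] != "AUTH_FAIL":
            continue
        q = recent[(ev["src"], ev["port"])]
        q.append((ev["ts"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "src": ev["src"],
                "service": WATCHED_PORTS[ev["port"]],
                "start": q[0][0],
                "end": ev["ts"],
                "failures": len(q),
                "targets": sorted({dst for _, dst in q}),  # spread across hosts = scanning
            })
            q.clear()
    return alerts


def future_events(log_text, now_iso):
    """Events timestamped after `now_iso`: a sign of a wrong clock on the
    reporting host, which also breaks window-based correlation like the above."""
    now = datetime.fromisoformat(now_iso)
    return [ev for ev in map(parse_line, log_text.splitlines()) if ev and ev["ts"] > now]


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        print(f"{a['service']} brute-force from {a['src']}: {a['failures']} failures "
              f"{a['start']}..{a['end']} against {a['targets']}")
    for ev in future_events(SAMPLE_LOG, "2022-10-23T12:00:00"):
        print(f"future-dated event from {ev['src']}: {ev['ts']} (check that host's clock)")
```

With the sample, the 445 failures from 10.1.4.17 trip the default threshold within three seconds, while the two RDP failures from 10.1.4.22 minutes apart (a user mistyping, then logging in) do not. The last line is dated after the report was read and is listed separately, so a clock problem on the source host is noticed rather than silently distorting the window logic.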