In this exercise we’re notified of multiple suspicious FTP connection attempts, so let’s dive into the logs and try to figure out what’s what.
Detection
Data Collection
First things first, we need to know the who and the what, so looking at the SIEM report we can gather the following details:
- Source Address - 42.192.84.19
- Destination Address - 172.16.20.4
- Destination Hostname - gitServer
- User Agent - Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
This tells us that we’re dealing with an external actor targeting a local server that is running the FTP service. Checking AbuseIPDB we can see that the IP originates from China and is owned by the Tencent Cloud Computing (Beijing) Co. Ltd. data center provider. If possible, we could use this information for geoblocking, but at the very least we should consider blocking this specific IP address if a blanket ban is not an option.
Analysis
Search Logs
Filtering the logs by the source IP address and the FTP port (21) we’re able to find a few hits, and looking deeper into them we’ll notice that someone is indeed trying to access our server with administrator credentials. That said, this seems like a rather weak attempt at bruteforcing access, more like someone trying their luck a few times and giving up. Regardless, it goes to show how important good password practices are, and utilizing more stringent geoblocking and/or banning IP addresses based on failed login attempts could help us keep our environment safe and our logs cleaner.
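To make the "ban on failed logins" idea concrete, here is an added example (mine, not part of the exercise or LetsDefend's material): a small detector that parses constructed vsftpd-style log lines, counts failed FTP logins per source IP, and flags a source whose failures cluster inside a short window. The log format, the timestamps and the 172.16.20.37 internal client are assumptions; only the 42.192.84.19 source and the administrator-style usernames come from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in vsftpd's log format (not taken from the exercise's SIEM).
SAMPLE_LOG = """\
Mon Mar 16 10:12:01 2020 [pid 2011] [admin] FAIL LOGIN: Client "42.192.84.19"
Mon Mar 16 10:12:09 2020 [pid 2013] [administrator] FAIL LOGIN: Client "42.192.84.19"
Mon Mar 16 10:12:20 2020 [pid 2015] [admin] FAIL LOGIN: Client "42.192.84.19"
Mon Mar 16 10:13:44 2020 [pid 2019] [git] OK LOGIN: Client "172.16.20.37"
Mon Mar 16 10:40:02 2020 [pid 2101] [admin] FAIL LOGIN: Client "42.192.84.19"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[\d.]+)"$'
)


def parse_ftp_log(text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                "user": m["user"], "ok": m["result"] == "OK", "ip": m["ip"],
            })
    return events


def failed_login_sources(events, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: {'failures', 'users', 'burst'}} for every source with a failed login.
    'burst' is True when at least `threshold` failures fall inside one sliding window,
    which is the condition a failed-login ban rule would act on."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["ip"]].append(e)
    report = {}
    for ip, evs in fails.items():
        times = sorted(e["ts"] for e in evs)
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        report[ip] = {"failures": len(times),
                      "users": sorted({e["user"] for e in evs}),
                      "burst": burst}
    return report


if __name__ == "__main__":
    for ip, info in failed_login_sources(parse_ftp_log(SAMPLE_LOG)).items():
        verdict = "candidate for IP ban" if info["burst"] else "review"
        print(f"{ip}: {info['failures']} failed logins as {info['users']} -> {verdict}")
```

Successful logins from internal clients never enter the report, so a single noisy external source stands out the way it did in the SIEM search above.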
Analyze URL Address
This part of the exercise got me confused, as there isn’t really any URL address in the whole equation. The SIEM report does indicate the requested URL to be http://172.16.20.4/ftp/webUI.php, but not only is that the only mention of the page at all, it’s hard to see how this could be a malicious site given that it’s run by our own company and no web shells or the like are in play.
That said, LetsDefend does in fact consider this a malicious URL, and while I cannot see the reasoning behind it, that is the actual answer.
Add Artifacts
- Source Address - 42.192.84.19
- Requested URL - http://172.16.20.4/ftp/webUI.php
Analyst Note
Possible FTP recon / bruteforce attempt originating from China (42.192.84.19 / Tencent Cloud Computing (Beijing) Co. Ltd.). All attempts were rejected, and there is no indication of further attacks. Closing as True Positive; no further action necessary.