On a dark, quiet Saturday night, I sit down to review some data on a financial institution in ExtraHop Reveal(x). Suddenly, I spot something lurking in the distance—a solitary HTTP credential sent in the clear to a roundtable IP.
Perplexed, I peer deeper, nervous about what I might find. Inching toward it, I discover something that sends chills down my spine: The connection is coming from inside the financial institution, and it's reaching out to a website that has zero encryption.
In a flash, I conjure up the website.
"Eeeeeeeeek!" I shriek in horror as I feel the blood drain from my face. I fight through the dizziness as I attempt to rationalize what I'm seeing. I want it to be a dream, a mere symptom of fatigue and an overactive imagination, but there it is, clear as day: The financial institution's logo with a login and password prompt, shown in simple, clear text.
Frantically, I start firing off texts. I need to get to someone on the inside, fast. Do they know what this is? My head spins, instantly running through every possible scenario: Is this an insecure partner connection that is exposing the organization to a backdoor attack? Is it a phishing website using the company logo? The latter thought ties my stomach into a knot as I reach my contact.
We get on a call with the organization's CSO leadership. I'm cautious, but hopeful as I relay the scare I've just had. We dive through the evidence, sifting through the packet data associated with the transactions. Ouch! We feel the intense sting of raw, exposed data as we see that the logins and passwords were sent in clear text, open to anyone on the internet.
"Is this a program you guys run?" The CSO has the CFO on the phone and neither of them are wasting a second. The question hangs in the air as the culprit of the clear-text credentials becomes crystal clear: It was someone from the upper ranks. A user account with access to sensitive resources was making suspicious requests!
We isolate the device. It's quarantined, and the organization safe for now. We use a firewall on the insecure site, stopping any damage from seeping into the network until we have time to dig deeper. I finish the investigation with a quick scour of the records in Reveal(x), and find that multiple client connections were made to the site. The firewall should hold it for now.
The coming days are still filled with questions, with a list of potential monsters that could have caused our distress. A partner with extremely poor security practices, or widely feared malware with a credential harvesting campaign—these are the things that go bump in the network.
Weary from the trials of the day, we rest for the night, knowing that we'd done our job keeping the attackers at bay.
First published by Josh Snow, Saturday Night Fright on www.extrahop.com