Information Security Solutions – Firewall Breach

Breaching the management system of an organizational firewall is a critical step toward penetrating the organizational network. Monitoring traffic to/from the firewall, combined with immediate response to suspicious findings, can prevent dangerous intrusions into the network, as this case illustrates.

Incident

A large retail company received a real-time alert about an unauthorized access attempt to the Admin account of the firewall management system. The access attempt occurred at an unusual hour from an unfamiliar IP address. Additionally, a subsequent alert indicated a policy change that included the creation and deletion of two VPN users on the firewall.

Findings

  • The attacker managed to access the firewall management system via a WAN connection.
  • The Admin password was generic and had not been changed for years.
  • The attacker had knowledge of the organizational network infrastructure.

Actions Taken

  • We alerted the company about the breach and guided their investigation and response team throughout the entire incident.
  • Immediate blocking of firewall management via WAN connection was implemented.
  • Continuous monitoring of admin login attempts from foreign IP addresses and IOCs was conducted.
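
The alerts described in this incident can be expressed as a correlation rule: flag an admin login that is off-hours, from an unfamiliar IP, or over WAN, then escalate if VPN users are created and deleted shortly afterwards. The sketch below is an added example, not code from the case study; the event format, field names, management subnet, business hours and 30-minute window are assumptions, and the log events are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed baselines for this example (not taken from the case study).
KNOWN_ADMIN_NETS = [ip_network("10.20.0.0/24")]  # hypothetical management subnet
BUSINESS_HOURS = range(7, 20)                    # 07:00-19:59 local time
WINDOW = timedelta(minutes=30)                   # login-to-change correlation window

# Constructed sample events in a hypothetical normalized firewall audit format.
EVENTS = [
    {"ts": "2024-03-02T09:14:00", "type": "admin_login", "user": "admin", "src": "10.20.0.15", "iface": "lan"},
    {"ts": "2024-03-03T02:41:00", "type": "admin_login", "user": "admin", "src": "203.0.113.77", "iface": "wan"},
    {"ts": "2024-03-03T02:47:00", "type": "vpn_user_created", "user": "admin", "target": "svc-tmp1"},
    {"ts": "2024-03-03T02:49:00", "type": "vpn_user_created", "user": "admin", "target": "svc-tmp2"},
    {"ts": "2024-03-03T02:58:00", "type": "vpn_user_deleted", "user": "admin", "target": "svc-tmp1"},
    {"ts": "2024-03-03T03:02:00", "type": "vpn_user_deleted", "user": "admin", "target": "svc-tmp2"},
]

def login_reasons(ev):
    """Return the reasons an admin login deviates from the assumed baseline."""
    reasons = []
    if datetime.fromisoformat(ev["ts"]).hour not in BUSINESS_HOURS:
        reasons.append("unusual hour")
    if not any(ip_address(ev["src"]) in net for net in KNOWN_ADMIN_NETS):
        reasons.append("unfamiliar source IP")
    if ev.get("iface") == "wan":
        reasons.append("management via WAN")
    return reasons

def detect(events):
    """Alert on anomalous admin logins; escalate when VPN users are created and then deleted."""
    alerts = []
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    for i, ev in enumerate(events):
        reasons = login_reasons(ev) if ev["type"] == "admin_login" else []
        if not reasons:
            continue
        start, created, deleted = datetime.fromisoformat(ev["ts"]), set(), set()
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - start > WINDOW:
                break
            if later.get("user") == ev["user"] and later["type"] == "vpn_user_created":
                created.add(later["target"])
            elif later.get("user") == ev["user"] and later["type"] == "vpn_user_deleted":
                deleted.add(later["target"])
        churn = sorted(created & deleted)  # accounts both created and removed in the window
        alerts.append({"ts": ev["ts"], "src": ev["src"], "reasons": reasons,
                       "vpn_churn": churn, "severity": "critical" if churn else "high"})
    return alerts
```
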

Outcome

Although the attacker gained access to the organizational firewall management system intending to breach the network systems, the swift actions taken blocked their access, preventing the attack from succeeding. Additionally, new measures were implemented to prevent similar incidents in the future.

How the Client Summarized the Incident…

“A potentially highly damaging attack was averted at the last moment thanks to quality control and real-time rapid response. The guidance and support from Experis were extremely professional, working shoulder to shoulder with our in-house team to prevent a significant attack.”