To protect Atmosera and our clients, our InfoSec department monitors a number of sources for security news, trends, changing technologies, and new threats to our environments.
Recently, our security team read an article about a new threat called “GoldBrute”, which targets Remote Desktop Protocol (RDP) servers, a type of server many of our clients rely on. GoldBrute is a botnet that conducts “credential stuffing” or brute force attacks against Windows machines with exposed RDP connections. As with many threats, Indicators of Compromise (IOCs) can be used to identify whether you have been compromised by GoldBrute:
- An IP address of a .ZIP download
- A single IP address of the Command & Control server
- A hash of a bitcoin.dll file
Utilizing Atmosera’s new next-gen SIEM (Rapid7 InsightIDR), we added a Threat watch for the IOCs across all systems that we analyze; this includes any of our Compliance Services clients as well as many of our other clients who utilize our Managed SIEM, part of Atmosera’s Advanced Threat Detection service.
What is SIEM?
A SIEM system functions as the centralized brain of Security Operations. A typical computing environment can generate millions of security events a day, so Atmosera’s SIEM uses machine learning to process, analyze and correlate those events to look for patterns of behavior that indicate threats and potential compromise.
Our Network Operations Center (NOC) will now receive near-real-time alerts for any system showing signs of a GoldBrute compromise. Atmosera’s security experts were also able to run a historical analysis, using SIEM data in a forensic capacity, to check whether any servers had shown signs of compromise during the past 30 days.
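The two checks described above, the IOC watch across collected events and the retrospective look for RDP brute-force activity, as an added example in Python (not Atmosera’s or Rapid7 InsightIDR’s code). The IOC values, hostnames, IP addresses and log lines are constructed placeholders that mirror the three IOC types the post lists, not GoldBrute’s real indicators.

```python
# Added example, not Atmosera's or Rapid7's code: an IOC watch plus an RDP
# brute-force check over constructed logs. All IOC values are placeholders.
from collections import defaultdict
from datetime import datetime, timedelta

IOCS = {  # the post names the IOC types, not the values; these are placeholders
    "zip_download_ip": "203.0.113.10",   # TEST-NET-3 placeholder
    "c2_ip": "198.51.100.7",             # TEST-NET-2 placeholder
    "bitcoin_dll_hash": "PLACEHOLDER_HASH_BITCOIN_DLL",
}
# Constructed events: firewall, EDR file hash, Windows 4625 failed logons
# (logon_type 10 = RemoteInteractive, i.e. RDP).
SAMPLE_LOGS = """\
2019-06-10T08:01:12Z fw host=srv01 dst=203.0.113.10 uri=/p.zip action=allow
2019-06-10T08:02:45Z edr host=srv01 file=bitcoin.dll hash=PLACEHOLDER_HASH_BITCOIN_DLL
2019-06-10T08:03:01Z fw host=srv01 dst=198.51.100.7 action=allow
2019-06-10T08:03:05Z win host=srv02 event=4625 logon_type=10 src=192.0.2.44 user=admin
2019-06-10T08:03:09Z win host=srv02 event=4625 logon_type=10 src=192.0.2.44 user=root
2019-06-10T08:03:14Z win host=srv02 event=4625 logon_type=10 src=192.0.2.44 user=test
2019-06-10T08:03:20Z win host=srv02 event=4625 logon_type=10 src=192.0.2.44 user=guest
2019-06-10T09:15:00Z win host=srv03 event=4625 logon_type=10 src=192.0.2.9 user=bob
"""

def parse(line):
    """'ts source k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, _source, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def ioc_hits(log_text, iocs=IOCS):
    """Hosts whose events touch any IOC value: {host: sorted IOC names}."""
    hits = defaultdict(set)
    for ev in map(parse, log_text.splitlines()):
        seen = {ev.get("dst"), ev.get("src"), ev.get("hash")}
        hits[ev["host"]].update(n for n, v in iocs.items() if v in seen)
    return {h: sorted(n) for h, n in hits.items() if n}

def rdp_bruteforce(log_text, threshold=4, window=timedelta(minutes=5)):
    """(src, host) pairs with >= threshold RDP 4625s inside one time window."""
    times = defaultdict(list)
    for ev in map(parse, log_text.splitlines()):
        if ev.get("event") == "4625" and ev.get("logon_type") == "10":
            times[(ev["src"], ev["host"])].append(ev["ts"])
    flagged = []
    for key, ts in times.items():
        ts.sort()  # sliding window over consecutive failures from one source
        if any(ts[i + threshold - 1] - ts[i] <= window
               for i in range(len(ts) - threshold + 1)):
            flagged.append(key)
    return flagged
```

Running the same functions over 30 days of exported events rather than the sample text is the retrospective check the post describes; tune `threshold` and `window` to the normal failed-logon rate of the environment before alerting on them.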
This is just one example of how Atmosera is always quietly working behind the scenes to protect our clients.
Concerned your system may be compromised? Contact us today to begin your environment scan.