The attackers used a brute-force attack to try to log in to these accounts. More than 10,000 attempts were made within seconds, which points to a script being run to brute-force access; all of the attempts failed. The main targeted accounts were the built-in administrator accounts (ADMINISTRATOR, admin, administrator). The attacker concentrated on three computers (SOC-FW-RDP, SHIR-Hive, SHIR-SAP).
The logs show sign-ins from two locations (North Korea, Israel). The IP address 175.45.176.99 appears in connections from both North Korea and Israel to Microsoft Azure accounts. Two user accounts (JohnS, Adele Vance) were used to access Microsoft applications. The user JohnS has been disabled because the sign-in location is North Korea, while the user Adele Vance remains enabled and is still accessible from Israel (see Fig. 1).
The attackers used brute force against the three computers (SOC-FW-RDP, SHIR-Hive, SHIR-SAP) to gain access to the administrator accounts, but the attack did not succeed (see Fig. 2 & 3).
The attack took place on 4/16/2021 between 8:34 am and 9:33 am UTC. There are no later logs, so it cannot be determined whether the attack is still ongoing.
Three main computers (SOC-FW-RDP, SHIR-Hive, SHIR-SAP)
From the logs, the attacker was targeting the database servers (Hive, SAP). The likely intent was to obtain as much data as possible.
The attackers attempted to brute-force access to all three computers.
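As an added example (not part of the original report), the following Python replays constructed logon and sign-in records through the two checks the analysis above relies on: a sliding-window count of failed logons per host that flags the scripted burst against the administrator accounts and confirms that no administrator logon succeeded afterwards, and a per-user location check that reproduces the decision to disable JohnS while leaving Adele Vance enabled. The host names, account names, user names and the address 175.45.176.99 come from the report; the timestamps, logon types, the Israeli address (a TEST-NET-3 placeholder), the app names and the threshold values are assumptions.

```python
"""Added example (not part of the original report): replays constructed
logon and sign-in records through the two checks the analysis rests on."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

HOSTS = ["SOC-FW-RDP", "SHIR-Hive", "SHIR-SAP"]   # hosts named in the report
ADMIN_ACCOUNTS = {"administrator", "admin"}        # matched case-insensitively
BLOCKED_COUNTRIES = {"KP"}                         # North Korea, per the decision on JohnS


def build_sample_logon_events():
    """Constructed Windows-style logon records, NOT real log data.

    Five scripted bursts per host of 700 failures at 10 ms spacing, spread over
    the report's 08:34-09:33 UTC window (10,500 failures in total), plus one
    legitimate earlier logon per host for contrast. Timestamps are assumptions.
    """
    start = datetime(2021, 4, 16, 8, 34, tzinfo=timezone.utc)
    names = ["ADMINISTRATOR", "admin", "administrator"]
    events = []
    for i, host in enumerate(HOSTS):
        for burst in range(5):
            burst_start = start + burst * timedelta(minutes=14, seconds=45)
            for n in range(700):
                events.append({"time": burst_start + timedelta(milliseconds=10 * n),
                               "host": host, "account": names[n % 3],
                               "status": "failure", "logon_type": 10})  # 10 = RemoteInteractive (RDP)
        events.append({"time": start - timedelta(hours=2, minutes=i), "host": host,
                       "account": "svc_backup", "status": "success", "logon_type": 10})
    return events


def brute_force_bursts(events, threshold=100, window=timedelta(seconds=60)):
    """Flag hosts with at least `threshold` failed logons inside any sliding window.

    For each flagged host returns the peak failures per window, total failures,
    accounts tried, whether an admin account was among them, how many admin
    logons succeeded after the burst began (0 means the brute force failed),
    and the first/last failure timestamps.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        failures = sorted((e for e in evs if e["status"] == "failure"), key=lambda e: e["time"])
        if not failures:
            continue
        times = [e["time"] for e in failures]
        peak = left = 0
        for right, t in enumerate(times):          # two-pointer sliding window
            while t - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak < threshold:
            continue
        tried = {e["account"] for e in failures}
        alerts[host] = {
            "peak_failures_per_window": peak,
            "total_failures": len(failures),
            "accounts_tried": sorted(tried),
            "admin_targeted": any(a.lower() in ADMIN_ACCOUNTS for a in tried),
            "successful_admin_logons": sum(
                1 for e in evs
                if e["status"] == "success" and e["account"].lower() in ADMIN_ACCOUNTS
                and e["time"] >= times[0]),
            "first": times[0],
            "last": times[-1],
        }
    return alerts


def attack_window(alerts):
    """Earliest and latest failed-logon timestamp across all flagged hosts."""
    return (min(a["first"] for a in alerts.values()),
            max(a["last"] for a in alerts.values()))


def build_sample_signin_events():
    """Constructed Azure AD sign-in records, NOT real log data.

    175.45.176.99 is the address the report cites; the Israeli address is a
    TEST-NET-3 placeholder and the app names are assumptions.
    """
    base = datetime(2021, 4, 16, 8, 40, tzinfo=timezone.utc)
    return [
        {"time": base, "user": "JohnS", "ip": "175.45.176.99", "country": "KP",
         "app": "Azure Portal", "result": "success"},
        {"time": base + timedelta(minutes=3), "user": "Adele Vance", "ip": "203.0.113.7",
         "country": "IL", "app": "Office 365", "result": "success"},
    ]


def account_actions(signins, blocked=BLOCKED_COUNTRIES):
    """Map each user to 'disable' if any sign-in came from a blocked country, else 'allow'."""
    actions = {}
    for s in signins:
        already_disabled = actions.get(s["user"]) == "disable"
        actions[s["user"]] = "disable" if s["country"] in blocked or already_disabled else "allow"
    return actions


if __name__ == "__main__":
    alerts = brute_force_bursts(build_sample_logon_events())
    for host, a in alerts.items():
        print(host, a["peak_failures_per_window"], a["total_failures"],
              a["admin_targeted"], a["successful_admin_logons"])
    print("window:", *attack_window(alerts))
    print(account_actions(build_sample_signin_events()))
```

The per-host window count is what separates a scripted burst from ordinary typos: 700 failures inside a few seconds is unreachable by hand, and a zero count of later successful admin logons is the evidence behind the statement that the attack failed. The location check intentionally keys on the geolocated country rather than the raw IP, because the report associates one address with two locations.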