Overview
One of Fortinet's customers, a telecommunications (telco) company in Spain, runs a large fleet of EC2 instances across multiple regions in Europe to meet customer demand and GDPR requirements. The telco deploys its applications onto auto-scaling EC2 Spot Instances to save on cloud cost, which makes it challenging to deploy a persistent workload protection tool.
They also use FortiGate-VM on AWS to deliver advanced threat protection and secure connectivity for EC2 instances, including antivirus capabilities through FortiGuard. It provides features such as application control, malware protection, web filtering, and IPS. FortiGate-VM forwards events to AWS Security Hub via the FortiGate API integration.
The telco's FortiGate-VM detected a wave of attacks by unauthorized users deploying Rhysida ransomware, and it blocked all of the traffic carrying the ransomware.
Incident Summary
- Attack Vector: Ransomware attack
- Impact: Non-critical peer-to-peer applications not protected by
- Initial Entry Point: Application accessed via public IP
- Detection: FortiGate and AWS Security Hub detection alerts
Key Findings
AWS Security Hub forwarded the security events to the FortiGuard IR team and the customer via AWS Security Incident Response. The FortiGuard IR team began the investigation and found that the peer-to-peer workloads used between partners were impacted. These workloads were not protected by FortiGate-VM.
The threat actors abused legitimate software: PowerShell to gather information about users and systems within the network, PsExec to schedule tasks and modify registry keys for persistence, AnyDesk for remote connections, and WinSCP for file transfers. They also attempted to exfiltrate data from various systems using MegaSync.
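As an added illustration (not code from the Fortinet write-up or from any Fortinet product), a small Python triage script that turns the tooling chain above into per-host detection logic over constructed Sysmon-style process-creation events; the field names, rule thresholds and sample values are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events; not telemetry from the
# incident. Host "ws-02" shows the tooling chain described above, host "ws-01"
# shows routine PowerShell use that must not be flagged.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "ws-02", "parent": "cmd.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc <constructed-base64-blob>"},
    {"host": "ws-02", "parent": "PSEXESVC.exe", "image": "schtasks.exe",
     "cmd": "schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\svc.exe"},
    {"host": "ws-02", "parent": "PSEXESVC.exe", "image": "reg.exe",
     "cmd": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v svc /d C:\\Users\\Public\\svc.exe"},
    {"host": "ws-02", "parent": "explorer.exe", "image": "AnyDesk.exe",
     "cmd": "AnyDesk.exe --silent"},
    {"host": "ws-02", "parent": "cmd.exe", "image": "MEGAsync.exe",
     "cmd": "C:\\Users\\Public\\MEGAsync.exe"},
]

# One rule per stage named in the write-up; each predicate sees a single event.
# PsExec runs remote commands through its PSEXESVC service, so schtasks/reg
# spawned by that service is the persistence signal, not schtasks/reg alone.
RULES = {
    "discovery": lambda e: e["image"].lower() == "powershell.exe"
        and re.search(r"-(w(indowstyle)? hidden|e(nc|ncodedcommand)?)\b", e["cmd"], re.I),
    "persistence": lambda e: e["parent"].lower() == "psexesvc.exe"
        and e["image"].lower() in ("schtasks.exe", "reg.exe"),
    "remote_access": lambda e: e["image"].lower() == "anydesk.exe",
    "transfer": lambda e: e["image"].lower() == "winscp.exe",
    "exfiltration": lambda e: e["image"].lower() == "megasync.exe",
}

def classify_event(event):
    """Return the stages whose rule matches this one event."""
    return [stage for stage, rule in RULES.items() if rule(event)]

def triage(events, min_stages=2):
    """Group matches per host and report hosts showing at least min_stages
    distinct stages; a lone match (e.g. a single AnyDesk install) is left
    for a human to review rather than auto-flagged."""
    stages_by_host = defaultdict(set)
    for e in events:
        for stage in classify_event(e):
            stages_by_host[e["host"]].add(stage)
    return {h: sorted(s) for h, s in stages_by_host.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for host, stages in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

The same per-host correlation can be fed from Security Hub findings instead of endpoint events; only the predicates change.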
Response and Remediation
The Fortinet IR team coordinated a multi-phased incident response:
Given our understanding of the main threat actor's operations, we determined that persistence was still possible. The IR team provided recommendations for removing the adversary's existing access and persistence. A high-level view of the recommended containment and eradication actions is provided below:
- Blocking the IP addresses used by threat actors
- Removing TeamCity software accounts created by threat actors
- Removing Windows accounts created by threat actors
- Removing backdoors created by threat actors
- Removing malicious files dropped by threat actors
After the victim's security team implemented these containment and remediation actions, no further malicious activity was observed.
Fortinet Protections
Fortinet advised the customer to implement a multi-layer approach to protect their AWS environment. The customer gained visibility across the detection, analysis, containment, eradication, and recovery process. AWS Security Incident Response (SIR) helped the customer and the FortiGuard IR team collaborate and eliminate blind spots during triage.
FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.
The Fortinet Difference
Fortinet’s rapid response, powered by its integrated cloud security solutions and FortiGuard Threat Intelligence, played a decisive role in helping the customer contain and recover from the SSRF attack. The unique combination of real-time threat detection, deep cloud-native visibility, and automated response allowed the customer to:
- Contain the breach quickly and prevent further credential misuse
- Leverage FortiCNAPP and FortiGuard Threat Intelligence to identify and block malicious activity in AWS
- Assure best-practice configuration of the AWS environment
- Improve cloud governance and threat detection through continuous monitoring with the FortiCNAPP platform
- Develop robust playbooks and response strategies, reducing the time to detect and respond to future threats