Civic Infrastructure Manufacturer
Company and Website Protected by Confidentiality
The client engaged BlueBolt to investigate odd web server behavior: short-lived spikes in traffic that appeared without explanation and disappeared just as quickly.
What Happened / The Solution
BlueBolt analyzed log files and network traffic to determine where the traffic spikes were coming from and what could be done about the threat. BlueBolt discovered that upgrades to the web server and content management system had been done improperly, leaving vulnerabilities exposed to the internet. Because of this exposure the server was being used as a relay: its SMTP service was relaying spam messages for outside senders. The attackers also had shell/command-line access, which they used to host pirated software on the server, mostly Adobe products.
How we did it / Next Steps
BlueBolt's first course of action was to address the immediate issue by removing the attackers' shell/command-line access and properly upgrading the web server and content management system to the most recent versions available. In addition, BlueBolt staff manually went through the files on the servers that might have enabled the exposure, such as executable files and similar files embedded in Word documents. Longer-term actions taken by BlueBolt included locking down the SMTP server so that it accepted only local traffic, putting monitoring in place on traffic and network activity for several weeks to make sure the issue was resolved, removing hazardous files and components, and commissioning a new web server, moving the production environment to it, and decommissioning the old server in the process.
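The log analysis described above, and the check that the SMTP lockdown actually took effect, can be reproduced with a short script. The example below is added here for illustration and is not BlueBolt's or the client's code; it assumes a Postfix-style mail log (the case study does not name the mail server), the log excerpt is constructed, the IP addresses are RFC 5737 documentation ranges, and the local networks and local domain are assumptions. It joins the `client=` line from `smtpd` with the `to=` lines from `smtp` on the queue ID, flags any message accepted from a non-local client and delivered to a non-local domain (the signature of an open relay being abused for spam), and counts accepted messages per minute so a short burst stands out.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed Postfix-style log excerpt (not taken from the case study).
# 203.0.113.45 is an outside host using the server as a relay; 127.0.0.1 is
# the web application sending its own legitimate mail.
SAMPLE_LOG = """\
Mar  3 02:14:07 web1 postfix/smtpd[1201]: connect from unknown[203.0.113.45]
Mar  3 02:14:08 web1 postfix/smtpd[1201]: 7F3A1C: client=unknown[203.0.113.45]
Mar  3 02:14:09 web1 postfix/smtp[1310]: 7F3A1C: to=<a@example.org>, relay=mx.example.org[198.51.100.7]:25, status=sent (250 ok)
Mar  3 02:14:09 web1 postfix/smtp[1310]: 7F3A1C: to=<b@example.org>, relay=mx.example.org[198.51.100.7]:25, status=sent (250 ok)
Mar  3 02:14:11 web1 postfix/smtpd[1202]: 7F3A1D: client=unknown[203.0.113.45]
Mar  3 02:14:12 web1 postfix/smtp[1311]: 7F3A1D: to=<c@example.net>, relay=mx.example.net[198.51.100.8]:25, status=sent (250 ok)
Mar  3 02:15:30 web1 postfix/smtpd[1203]: 7F3A1E: client=localhost[127.0.0.1]
Mar  3 02:15:31 web1 postfix/local[1312]: 7F3A1E: to=<ops@client.example>, relay=local, status=sent (delivered)
Mar  3 02:15:40 web1 postfix/smtpd[1204]: 7F3A1F: client=localhost[127.0.0.1]
Mar  3 02:15:41 web1 postfix/smtp[1313]: 7F3A1F: to=<x@example.org>, relay=mx.example.org[198.51.100.7]:25, status=sent (250 ok)
"""

# Assumed: only these networks may hand mail to the server after the lockdown,
# and only this domain is "ours" for delivery purposes.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]
LOCAL_DOMAINS = {"client.example"}

# smtpd line that ties a queue ID to the submitting client; ts keeps the minute.
CLIENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[0-9a-fA-F.:]+)\]"
)
# Delivery line for the same queue ID (outbound smtp or local delivery agent).
RCPT_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/(?:smtp|local)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>"
)


def is_local_ip(ip: str) -> bool:
    """True if the submitting client is inside one of the assumed local networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_relay_log(text: str):
    """Join client= and to= records on the Postfix queue ID.

    Returns (clients, rcpts): clients maps qid -> (minute, client_ip);
    rcpts maps qid -> list of recipient addresses.
    """
    clients = {}
    rcpts = defaultdict(list)
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if m:
            clients[m["qid"]] = (m["ts"], m["ip"])
            continue
        m = RCPT_RE.match(line)
        if m:
            rcpts[m["qid"]].append(m["rcpt"])
    return clients, rcpts


def find_relay_abuse(text: str):
    """Return (qid, client_ip, recipient) for every message that came from a
    non-local client and went to a non-local domain, i.e. third-party relaying.
    Local clients mailing outside domains are the web app's own mail and are
    not flagged; after the lockdown this list should be empty."""
    clients, rcpts = parse_relay_log(text)
    abuse = []
    for qid, (_minute, ip) in clients.items():
        if is_local_ip(ip):
            continue
        for rcpt in rcpts.get(qid, []):
            domain = rcpt.rsplit("@", 1)[-1].lower()
            if domain not in LOCAL_DOMAINS:
                abuse.append((qid, ip, rcpt))
    return abuse


def messages_per_minute(text: str) -> Counter:
    """Accepted messages per minute, to make a short spam burst visible."""
    clients, _ = parse_relay_log(text)
    return Counter(minute for minute, _ip in clients.values())


def top_sources(abuse) -> list:
    """Offending client IPs ranked by number of relayed recipients."""
    return Counter(ip for _qid, ip, _rcpt in abuse).most_common()


if __name__ == "__main__":
    hits = find_relay_abuse(SAMPLE_LOG)
    for qid, ip, rcpt in hits:
        print(f"RELAY {qid} from {ip} to {rcpt}")
    print("per minute:", dict(messages_per_minute(SAMPLE_LOG)))
    print("top sources:", top_sources(hits))
```

Run against a real `/var/log/mail.log` the same logic gives the source addresses to block and, re-run a few weeks after the fix, a direct check that the relay restriction holds. On Postfix the lockdown itself lives in `inet_interfaces` (e.g. `loopback-only`) and `mynetworks`, which define who may submit and relay; other MTAs have equivalent settings.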
The Technology / Security Areas
Application Security Assessment