While conducting a regular Firewall Log Review, expert security analyst and Resident Malware Finder™ Mike discovered several suspicious, over-sized files. These were zip files that appeared to be game files downloaded from an IP address located in Bangladesh. Suspicious!
He investigated the traffic further and discovered that the source was classified as a religious website. This seemed to be an unusual classification, and further investigation found that while the site looked like your average religious website containing religious images and text, it was not.
Digging a little deeper, he found that various hacker exploits and game files were available for download. He immediately notified the customer of the possible threat. Using the traffic logs, Mike was able to identify who was responsible for downloading the files (someone with admin rights): the user had pulled them into VirtualBox with the intent of placing them on their personal device.
The use of VirtualBox was additionally suspicious, as it was probably being used as a means of evading other security infrastructure.
Mike contacted threat research resources to have the site reclassified in a more appropriate category - one that would be blocked going forward, according to Web Filter policies.
What Could Have Happened
If Mike had not identified this suspicious behavior during a manual firewall log review, the user could have continued to access the site. They could have downloaded a malicious file or hacker exploit, and their admin rights could have been used by the attacker or malware to cause serious damage system-wide.
- Keep the number of local admins to a minimum.
- Consider restricting the use of applications like VirtualBox that can be used to cloak a user’s activity and dodge security mechanisms.
- Incorporate a SIEM solution that continuously monitors firewall logs in real time, so that potential threats can be identified sooner.
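The kind of rule a SIEM could run to surface the behaviour Mike caught by hand, as an added example that is not part of the original post: it scores constructed web-filter log lines for large archive downloads from a category that should not be serving archives, from a server outside the usual geographies, by a local admin. The key=value log format, the field names, the category list, the expected-country set and the admin list are all assumptions to be adapted to the real environment.

```python
import re
from collections import defaultdict
# Constructed key=value web-filter log lines (format is an assumption; not real traffic).
SAMPLE_LOGS = [
    'ts=2024-05-01T09:12:01Z user=alice src=10.0.0.15 dst=203.0.113.9 country=BD '
    'category=religion url=http://example.invalid/games/pack1.zip bytes=734003200',
    'ts=2024-05-01T09:13:44Z user=alice src=10.0.0.15 dst=203.0.113.9 country=BD '
    'category=religion url=http://example.invalid/tools/kit.zip bytes=512000000',
    'ts=2024-05-01T09:20:10Z user=bob src=10.0.0.22 dst=198.51.100.4 country=US '
    'category=software url=https://vendor.invalid/update.zip bytes=52428800',
    'ts=2024-05-01T09:25:00Z user=alice src=10.0.0.15 dst=192.0.2.7 country=US '
    'category=news url=https://news.invalid/index.html bytes=20480',
]

KV_RE = re.compile(r'(\w+)=(\S+)')
ARCHIVE_RE = re.compile(r'\.(zip|rar|7z|tar|gz)$', re.IGNORECASE)
SIZE_THRESHOLD = 100 * 1024 * 1024               # flag archives over 100 MiB
# Policy assumptions: categories that should not serve big archives, the countries
# software is normally downloaded from, and the current local-admin list.
NON_SOFTWARE_CATEGORIES = {'religion', 'news', 'sports', 'health'}
EXPECTED_COUNTRIES = {'US'}
LOCAL_ADMINS = {'alice'}

def parse_line(line):
    return dict(KV_RE.findall(line))

def score(event):
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    path = event.get('url', '').split('?', 1)[0]
    if not (ARCHIVE_RE.search(path) and int(event.get('bytes', 0)) >= SIZE_THRESHOLD):
        return reasons                           # only large archive downloads matter here
    reasons.append('large archive download')
    if event.get('category') in NON_SOFTWARE_CATEGORIES:
        reasons.append('category does not normally serve archives')
    if event.get('country') not in EXPECTED_COUNTRIES:
        reasons.append('server outside expected geographies')
    if event.get('user') in LOCAL_ADMINS:
        reasons.append('downloaded by a local admin')
    return reasons

def detect(lines):
    """Group hits per user so one review ticket covers a burst of downloads."""
    alerts = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        reasons = score(ev)
        if reasons:
            alerts[ev['user']].append((ev['url'], reasons))
    return dict(alerts)
```

Running `detect(SAMPLE_LOGS)` returns the two Bangladesh-hosted zip downloads under `alice` with all four reasons, while the ordinary vendor update and the news page produce nothing.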