The Christmas Cyber Siege

The Christmas Cyber Siege

RevelSI’s latest analysis, conducted as part of our SOC MDR team's improvements under the EU project SOCCare, reveals a significant uptick in brute-force attempts targeting the finance industry.
The SOCcare project is co-funded by the European Union, alongside our collaborators, University POLITEHNICA of Bucharest and NRD Cyber Security, and supported by the European Cybersecurity Competence Centre (ECCC) Centre (ECCC) under Grant Agreement No. 101145843.

Incident Overview

On Christmas Day, December 25, 2024, a significant brute-force1 attack was observed, targeting a client system and affecting over hundreds of user accounts. This incident underscored the persistent threats posed by cybercriminals and emphasized the necessity of robust security measures, including dedicated 24/7 monitoring.

What Happened?

The attack commenced with multiple failed login attempts within a short time frame, generating an alert from the Security Operations Center (SOC) at night. The attackers utilized routed IP addresses originating from various locations, including Russia, the Netherlands, Finland, Germany, and France. By employing geographically dispersed IPs, traditional detection mechanisms were challenged.
A notable number of these IP addresses were associated with a prominent internet service provider known for offering anonymous routing and server infrastructure. Although such services are legitimate, they are often exploited by malicious actors to obscure activities during cyberattacks.
Fortunately, the attack was unsuccessful due to brute-force countermeasures in place. For instance, most systems will lock a user out after a certain number of incorrect login attempts.

How Was It Addressed?

The security team immediately initiated countermeasures, categorizing and blocking the identified malicious IP addresses at the firewall level. Due to the scale and complexity of the attack, entire IP ranges were blocked to mitigate the intrusion effectively. Rapid and strategic actions successfully contained the attack within a few hours.

Strategies for Strengthening Defences

To reduce the risk of brute-force attacks, the following measures are recommended:
- Comprehensive Traffic Monitoring Tools: Implement robust traffic monitoring solutions to improve real-time network visibility and detect unusual login attempts. Integrate automated alerts and trend analytics to identify patterns of potential brute-force activity.
- Strengthened Authentication Measures: Deploy adaptive authentication systems that require additional verification steps when anomalous login patterns are detected. Enforce geofencing policies to flag or block login attempts from unexpected regions.
- Improved Lockout Policies: Configure dynamic account lockout durations that increase after successive failed login attempts, reducing the viability of brute-force attacks.
- Enhanced Password Policies: Mandate strong, unique passwords for all accounts. Avoid easily guessed combinations and enforce regular credential updates.
These measures collectively offer robust protection against brute-force attacks by addressing vulnerabilities, enhancing detection capabilities, and automating responses to reduce risk and impact.

Conclusion

To prevent brute-force attacks and enhance overall security, it is essential to:
- Use strong and unique passwords: Passwords should not be based on common dictionary words or personal information. They must be at least eight characters long and include a mix of upper and lowercase letters, numbers, and special characters.
- Avoid common or weak passwords: Policies should be enforced to reject easily guessed passwords and mandate users to periodically update their credentials.

These best practices, combined with proactive defence measures, play a critical role in mitigating brute-force attacks and ensuring robust cybersecurity.

IOC List