#infosec VPS and #Cloud servers used for brute force attacks and #botnets against #WinServ and #MSExchange
Is your VPS used for brute force attacks?
or I could also have called this post “Do you know whom your VPS is hacking today?”
A trend that has surfaced over the years is to simply hire computing power in the Cloud in various forms and shapes. The basic idea is to get rid of the hardware and maintenance for servers and have someone else take care of it. This is also known as Infrastructure as a Service, or IaaS.
The problem is often though that even if you use a hosted VPS you still have to manage it. This is something that a lot of users and companies tend to forget or neglect.
What you’ve basically done is get rid of the hardware hassle, but you still have to take care of the Windows patching and manage security issues as with any Windows server (or Linux server, for that matter).
There aren’t that many Cloud services out there that actually will also manage the security and management aspects of your VPS and you really need to think these things through.
The reason for this post is that for some time now, a VPS located at a Swedish Cloud Service provider has been trying to brute force its way into quite a few different servers with #Syspeace installed on them.
The attacks, in this case targeted against RDP / Terminal Servers, Exchange Servers and SharePoint Servers, have been blocked, traced and reported automatically, but the big question is whether whoever owns or hires this VPS is even aware of what is going on, or whether it was hired especially for this purpose. This is actually impossible to know.
In this specific case this VPS has been going on and on for a while and it has targeted at least 5 different customers of mine with Syspeace installed and about 12 servers at least.
All attacks have been successfully blocked, tracked and reported and eventually this VPS will end up in the Syspeace Global Blacklist (GBL) and propagated to all other Syspeace installations around the world and it will be blacklisted for all of them, thus securing them preemptively from any brute force / dictionary attacks from this VPS.
Most likely the Cloud Service Provider doesn’t know what’s going on since it’s not their responsibility really. Maybe the user / customer hiring the VPS does this on purpose or they have no idea that the VPS has been compromised and is used for this hacking activity. All I know is that it has been conducting a lot of dictionary attacks lately.
What I’m driving at is that if you decide to start using a hosted VPS, you still have the responsibility to manage it as any other server really.
You need to have it correctly patched, have an antivirus on it, make sure all security settings are correct and you need to monitor activity on it.
You should also ask your Cloud Service provider for intrusion prevention from Syspeace, since you basically have no idea what all of the other customers’ VPSs in your shared network are really doing, and you have no control over them.
Most Cloud Service Providers could implement Syspeace in their various application portals or have Syspeace installed in the prepared images they offer to customers. If your provider hasn’t implemented Syspeace yet, you can simply download it yourself from /free-download/download-plus-getting-started-with-syspeace/
Your “neighbors” at the Cloud Service could be trying to brute force their way into your VPS, and you probably wouldn’t have a clue if you haven’t turned on logging and installed brute force prevention software for your Windows servers.
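As a concrete illustration of the “turn on logging and monitor activity” advice above, here is an added PowerShell example for a Windows VPS. It is not code from the original post or from Syspeace; it only uses built-in Windows tools (auditpol, Get-WinEvent and the Windows Firewall cmdlets). It enables failure auditing for logon events, then summarises failed logon events (Event ID 4625) from the Security log per source IP address so an administrator can see whether the server is being brute forced, and optionally adds a firewall block rule for sources above a threshold. The look-back window and the attempt threshold are assumed values and should be tuned to your environment; the script must be run in an elevated session.

```powershell
# Added example (not from the Syspeace post): find brute force / dictionary attempts
# against a Windows server by summarising failed logons per source IP.
# Assumptions: run elevated; $Hours and $Threshold are constructed defaults.
param(
    [int]$Hours = 24,        # assumed look-back window
    [int]$Threshold = 20,    # assumed: failed attempts from one source that count as suspicious
    [switch]$Block           # when set, add a Windows Firewall rule for each suspicious source
)

# Step 1: make sure failed logons are actually written to the Security log.
# auditpol is built into Windows; this enables failure auditing for the Logon subcategory.
auditpol /set /subcategory:"Logon" /failure:enable | Out-Null

$since = (Get-Date).AddHours(-$Hours)

# Step 2: pull Event ID 4625 ("An account failed to log on") from the Security log.
# -ErrorAction SilentlyContinue avoids a terminating error when there are no events.
$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

# Step 3: extract source address, target user and logon type from each event's XML body.
$rows = foreach ($e in $failed) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        SourceIp   = $data['IpAddress']
        TargetUser = $data['TargetUserName']
        LogonType  = $data['LogonType']   # 10 = RemoteInteractive (RDP), 3 = Network (SMB/Exchange)
    }
}

# Step 4: group by source IP. Many attempts against many different user names from
# one address is the classic signature of a dictionary attack.
$summary = $rows |
    Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' -and $_.SourceIp -ne '::1' } |
    Group-Object SourceIp |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            SourceIp   = $_.Name
            Attempts   = $_.Count
            UserNames  = ($_.Group.TargetUser | Select-Object -Unique).Count
            LogonTypes = ($_.Group.LogonType | Select-Object -Unique) -join ','
            Suspicious = $_.Count -ge $Threshold
        }
    }

$summary | Format-Table -AutoSize

# Step 5 (optional): block suspicious sources with the built-in firewall.
# The rule name prefix is an assumption; existing rules with the same name are skipped.
if ($Block) {
    foreach ($s in ($summary | Where-Object Suspicious)) {
        $name = "BruteForceBlock-$($s.SourceIp)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound `
                -RemoteAddress $s.SourceIp -Action Block -Profile Any | Out-Null
            Write-Host "Blocked $($s.SourceIp) after $($s.Attempts) failed logons"
        }
    }
}
```

Run it as `.\Find-BruteForce.ps1 -Hours 24 -Threshold 20` to only report, or add `-Block` to also create firewall rules. Because the script reads the Security log it needs an elevated session, and because the source IP in 4625 events can be empty or “-” for some local and service logons, those rows are filtered out before grouping. This is the manual, single-server version of what a dedicated brute force prevention product automates and shares across installations.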