The logging events observed by Arctic Wolf used spoofed source IP addresses such as the local loopback address 127.0.0.1 or the IP addresses of public DNS resolvers operated by Google and Cloudflare: 1.1.1.1, 2.2.2.2, 8.8.8.8, and 8.8.4.4. Sometimes the attackers forgot to spoof their source addresses, revealing addresses associated with a virtual private server (VPS) provider.
After this first phase of scanning, which consisted of very short login and logout events that appeared random and targeted organizations across various sectors, the attackers returned and began making configuration changes: first changing the setting that controls how output is displayed across multiple pages to jsconsole, and then adding new superadmin accounts whose names follow five- or six-character patterns.
These new accounts are then used to create up to six local users per device using the same naming scheme and add those users to existing user groups with SSL VPN access. In some cases, they hijack existing accounts or reset guest account passwords and add them to SSL VPN groups.
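A defender-side check for the indicators described above, added here as an example and not part of the original article. It runs over constructed key=value log lines (the line format, the field names, and the assumption that the new usernames are 5 to 6 lowercase alphanumeric characters are all assumptions, not a real device's log schema) and flags logins from loopback or public resolver addresses, very short login/logout sessions, the jsconsole output change, and pattern-named account creation:

```python
import re
from datetime import datetime

# Constructed sample log lines (not real device output); key=value layout is assumed.
SAMPLE_LOGS = """\
2024-01-01T10:00:00Z action=login user=admin srcip=127.0.0.1 status=success
2024-01-01T10:00:03Z action=logout user=admin srcip=127.0.0.1
2024-01-01T11:00:00Z action=login user=admin srcip=8.8.4.4 status=success
2024-01-01T11:00:02Z action=logout user=admin srcip=8.8.4.4
2024-01-01T12:00:00Z action=login user=jsmith srcip=203.0.113.7 status=success
2024-01-01T12:30:00Z action=logout user=jsmith srcip=203.0.113.7
2024-01-01T13:00:00Z action=config_change user=admin srcip=1.1.1.1 setting=output value=jsconsole
2024-01-01T13:00:05Z action=user_add user=admin srcip=1.1.1.1 newuser=qwxza
2024-01-01T13:00:09Z action=user_add user=admin srcip=1.1.1.1 newuser=mlpok
"""

# Source addresses the article reports as spoofed: loopback plus public DNS resolvers.
SPOOFED_SOURCES = {"127.0.0.1", "1.1.1.1", "2.2.2.2", "8.8.8.8", "8.8.4.4"}
SHORT_SESSION_SECONDS = 10          # threshold for "very short" login/logout pairs (assumed)
PATTERN_USER = re.compile(r"[a-z0-9]{5,6}")  # 5-6 char account names (assumed charset)


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed UTC timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def find_indicators(log_text):
    """Return (kind, srcip, detail) tuples for every event matching an indicator."""
    findings = []
    open_logins = {}  # (user, srcip) -> login timestamp, to pair logins with logouts
    for ev in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        src, key = ev.get("srcip"), (ev.get("user"), ev.get("srcip"))
        if src in SPOOFED_SOURCES:
            findings.append(("spoofed_source", src, ev["action"]))
        if ev["action"] == "login":
            open_logins[key] = ev["ts"]
        elif ev["action"] == "logout" and key in open_logins:
            dur = (ev["ts"] - open_logins.pop(key)).total_seconds()
            if dur <= SHORT_SESSION_SECONDS:
                findings.append(("short_session", src, dur))
        elif ev["action"] == "config_change" and ev.get("value") == "jsconsole":
            findings.append(("jsconsole_output", src, ev.get("setting")))
        elif ev["action"] == "user_add" and PATTERN_USER.fullmatch(ev.get("newuser", "")):
            findings.append(("pattern_user_add", src, ev["newuser"]))
    return findings


if __name__ == "__main__":
    for kind, src, detail in find_indicators(SAMPLE_LOGS):
        print(f"{kind:18} src={src:12} {detail}")
```

The spoofed-source match alone is the weakest signal (some of these addresses can appear legitimately in management traffic), so treat a short session or account creation from such a source as the actual alerting condition.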