Wiki/Operation/Incident_Reports.md

These are cybersecurity incidents that the AniNIX has had to remedy due to some failure in our detection and prevention systems.

**Note**: We explicitly exclude routine incidents, such as IP's banned for SSH brute-force, files quarantined after virus scanning, and other routine housekeeping.

{{Incident Report|Attacker used a default password to pull down a Perl SMTP spambot and email list to spam fake Bank of America emails to users, attempting to phish them into clicking an xplotica link.
|title=January 2018 Spambot Detection
|date=11-29-2017 through 1-4-2018
|who=IRL identity unknown; last source IP 196.52.32.4 (Netherlands residential)
|type=Spambot
|vector=Attacker used a default password to access a monitoring user account; spambot and target lists were downloaded from a GoDaddy webhost (now nonfunctional).
|detect=Detection was provided by the ISP and [https://www.abusix.com/ Abusix]. The Postfix service was shut down, and forensic analysis performed starting with the /var/spool/mail folder.
|assets=[[Core|AniNIX::Core]]
|impact=This has negatively impacted the AniNIX's reputation as an SMTP source -- we are following up with Abusix and Google to restore our reputation.

Current forensic investigation does not indicate a compromise to any AniNIX privileged information.
|actions=* Monitoring user password has been rotated on all systems.
* Automatic password rotation for service accounts added to the ConfigPackages and other repos in [[Foundation|AniNIX::Foundation]]
|plan=[[Cerberus|AniNIX::Cerberus]] needs updates to better monitor lastlog output and the sshd "Accepted" regex in journald. Postfix will be evaluated for appropriate MTA settings and restored to service later.
|logs=[file:///home/cxford/Desktop/Incident Response - 1-4-2018|Contact an admin for access.]}}

[[Category:Operation]]
Imperfect initial commit, but too far to go back 2020-01-02 05:22:16 -06:00			`These are cybersecurity incidents that the AniNIX has had to remedy due to some failure in our detection and prevention systems.`

			`Note: We explicitly exclude routine incidents, such as IP's banned for SSH brute-force, files quarantined after virus scanning, and other routine housekeeping.`

			`{{Incident Report\|Attacker used a default password to pull down a Perl SMTP spambot and email list to spam fake Bank of America emails to users, attempting to phish them into clicking an xplotica link.`
			`\|title=January 2018 Spambot Detection`
			`\|date=11-29-2017 through 1-4-2018`
			`\|who=IRL identity unknown; last source IP 196.52.32.4 (Netherlands residential)`
			`\|type=Spambot`
			`\|vector=Attacker used a default password to access a monitoring user account; spambot and target lists were downloaded from a GoDaddy webhost (now nonfunctional).`
			`\|detect=Detection was provided by the ISP and [https://www.abusix.com/ Abusix]. The Postfix service was shut down, and forensic analysis performed starting with the /var/spool/mail folder.`
			`\|assets=[[Core\|AniNIX::Core]]`
			`\|impact=This has negatively impacted the AniNIX's reputation as an SMTP source -- we are following up with Abusix and Google to restore our reputation.`

			`Current forensic investigation does not indicate a compromise to any AniNIX privileged information.`
			`\|actions=* Monitoring user password has been rotated on all systems.`
			`* Automatic password rotation for service accounts added to the ConfigPackages and other repos in [[Foundation\|AniNIX::Foundation]]`
			`\|plan=[[Cerberus\|AniNIX::Cerberus]] needs updates to better monitor lastlog output and the sshd "Accepted" regex in journald. Postfix will be evaluated for appropriate MTA settings and restored to service later.`
			`\|logs=[file:///home/cxford/Desktop/Incident Response - 1-4-2018\|Contact an admin for access.]}}`

			`[[Category:Operation]]`