A modest proposal
Maybe, and just hear me out, but maybe it would be a good idea to geoblock access to your admin panels to any nation that your admins aren't actually living in or likely to travel to?
SolarWinds has issued an emergency patch after a critical security hole in its Serv-U Managed File Transfer and Serv-U Secure FTP was spotted being exploited in the wild. The vulnerability, discovered by Microsoft's Threat Intelligence Center (MSTIC) and Offensive Security Research teams, can be exploited by an attacker to …
It's not that simple.
In the first (original?) SolarWinds data exfiltration service, the crims were using Azure compute nodes out of the US (or at least Azure IP addresses based in a US region), presumably to get past any obvious GeoIP filtering and keep suspicion down for as long as possible from a suspicious analyst.
These days it's mandatory to not just GeoIP filter, but block all of the IP space that GCP, AWS and Azure use. Of course, whitelisting trusted sources might be simpler.
PS: In this case, at least the ".1" of each of the /24s provided, one was based in the US and two were from Canada (at least based on inference of their rDNS record), so probably not places that'd be likely excluded from a Geo-Fence... at least in the SSH setups that I have.
I also block based on the client connection string, like "SSH-2.0-libssh" and "SSH-2.0-Go". If only the idiots would be smart enough to use OpenSSH or PuTTY, or WinSCP in their string, they could easily slip past that filter.
With few exceptions, I have found that inbound blocking those IPs from our datacenter networks hasn't had much impact, which makes a lot of sense (at least to me).
Most of the "cloud" is spoken to first, then it responds. So uninitiated traffic from cloud provider networks to our datacenter networks isn't generally expected, except where other vendors/partners/customers/whathaveyou are also hosted by one of those providers.
And the reason why I block cloud providers is that I've hosted more than a few honeypots over time and there is just so much dirty looking traffic coming from presumably compromised machines running in the AWS, Azure and GCP space.
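The filtering policy the two comments above describe (geo/cloud-range blocking of admin access, an allowlist for partners that are themselves cloud-hosted, and a deny on client version strings such as "SSH-2.0-libssh" and "SSH-2.0-Go") can be checked offline against connection records before it is pushed to a firewall or SSH front end. The following is an added example and is not code from either commenter; the provider prefixes are RFC 5737 documentation blocks standing in for the real published AWS/Azure/GCP lists, and the log format and sample lines are constructed.

```python
import ipaddress
from collections import Counter

# Placeholder prefixes standing in for the published AWS/Azure/GCP ranges.
# These are RFC 5737 documentation blocks constructed for this example; a real
# deployment loads each provider's current published list instead.
CLOUD_PREFIXES = {
    "aws-placeholder":   ["198.51.100.0/24"],
    "azure-placeholder": ["203.0.113.0/25"],
    "gcp-placeholder":   ["203.0.113.128/25"],
}

# Partners/customers that happen to live in a cloud provider but must keep
# access (constructed). An allowlist hit wins over every deny rule below.
ALLOWLIST = ["203.0.113.200/32"]

# Client version strings the comment above blocks on (prefix match).
DENIED_BANNER_PREFIXES = ("SSH-2.0-libssh", "SSH-2.0-Go")

# Parse prefixes once; strict=False tolerates host bits set in a prefix.
_CLOUD_NETS = [
    (provider, ipaddress.ip_network(p, strict=False))
    for provider, prefixes in CLOUD_PREFIXES.items()
    for p in prefixes
]
_ALLOW_NETS = [ipaddress.ip_network(p, strict=False) for p in ALLOWLIST]


def classify(src_ip: str, banner: str) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one inbound SSH connection.

    Order matters: explicit allowlist first, then the client-banner deny,
    then the cloud-provider range deny, otherwise allow.
    """
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        # Fail closed on garbage: a record we cannot parse is not trusted.
        return "deny", "unparseable source address"
    if any(addr in net for net in _ALLOW_NETS):
        return "allow", "allowlisted"
    for prefix in DENIED_BANNER_PREFIXES:
        if banner.startswith(prefix):
            return "deny", f"client banner {prefix}"
    for provider, net in _CLOUD_NETS:
        # An IPv4 address tested against an IPv6 network is simply False here.
        if addr in net:
            return "deny", f"source in {provider} range {net}"
    return "allow", "no rule matched"


# Constructed connection records: "<timestamp> <source-ip> <client-banner>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 SSH-2.0-OpenSSH_9.6
2024-05-01T10:00:02Z 192.0.2.10 SSH-2.0-Go
2024-05-01T10:00:03Z 203.0.113.200 SSH-2.0-libssh_0.9.6
2024-05-01T10:00:04Z 192.0.2.10 SSH-2.0-OpenSSH_9.6
2024-05-01T10:00:05Z bogus SSH-2.0-PuTTY_Release_0.80
"""


def evaluate_log(text: str) -> list[tuple[str, str, str, str]]:
    """Classify every well-formed record; returns (ts, ip, decision, reason)."""
    results = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing fields
        ts, ip, banner = parts
        decision, reason = classify(ip, banner)
        results.append((ts, ip, decision, reason))
    return results


def deny_summary(results) -> Counter:
    """Count denied connections by reason, to sanity-check a policy change."""
    return Counter(reason for _, _, decision, reason in results if decision == "deny")


if __name__ == "__main__":
    rows = evaluate_log(SAMPLE_LOG)
    for ts, ip, decision, reason in rows:
        print(f"{ts} {ip:<15} {decision:<5} {reason}")
    print(deny_summary(rows))
```

Running the policy over a day of real connection records before enabling it shows exactly which partner or customer sources would be cut off by the cloud-range rule, which is the case the second commenter calls out; those go into the allowlist, which is checked before any deny.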