threat hunting
Description
This is a student's finding; please add on what you think.
I want to make it clear that this is for Union Gap. I don’t know why, but Union Gap does not appear in Mantis, so I chose Ellensburg because it is a nearby city. Source IP 91.92.243.156 is using high port numbers such as 40330 or 33570 to connect to 10.40.1.15 on port 443. This has happened multiple times today, with 14 hits in total. It started at 7:37 PM PST on Saturday. The most recent event was at 10:37 PM. There has been about an hour between some hits, and this event may still be ongoing as I write this. Additionally, three other hits happened earlier this week on Feb 22nd. I found these events very strange because they first started off as “Spamhaus DROP Listed Traffic Inbound group 7” alerts, so I expected the traffic to stay the same. Then later today the traffic turned into “ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect – Attempted SetupWizard Auth Bypass CWE-288 (CVE-2024-1709) – Attempted Administrator Privilege Gain” alerts. I dug deeper to find more details and found that the source IP is from Sistov, Bulgaria. A lot of websites don’t seem to have any abuse/reputation history on it, but Talos Intelligence has listed it as poor/untrusted.
Furthermore, there is a related IP, 162.218.182.201, which seems to be the HTTP hostname that is being connected to. IP address 162.218.182.201 is associated with Union Gap School District. I think this qualifies as major severity because I have researched CVE-2024-1709 and many articles have been written about the exploits just in the past few days. Also, the National Institute of Standards and Technology has classified this as a 10.0 severity, which is the highest possible score.
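An added example, not part of the student's finding or of any tool mentioned above: a small triage script that groups IDS alerts per source IP and flags a source whose alerts move from a reputation-list signature to an exploit-attempt signature, which is the progression described in the finding. The alert rows, their timestamps and the second source address (198.51.100.7) are constructed; the two signature names and the 91.92.243.156 to 10.40.1.15:443 pairing are taken from the finding.

```python
import re
from datetime import datetime

# Constructed sample alerts (not real sensor output): timestamp, src_ip, src_port, dst_ip, dst_port, signature
DROP_SIG = "Spamhaus DROP Listed Traffic Inbound group 7"
SC_SIG = ("ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Attempted SetupWizard Auth Bypass "
          "CWE-288 (CVE-2024-1709) - Attempted Administrator Privilege Gain")
SAMPLE_ALERTS = [
    ("2024-02-22 08:15:00", "91.92.243.156", 44120, "10.40.1.15", 443, DROP_SIG),
    ("2024-02-24 19:37:00", "91.92.243.156", 40330, "10.40.1.15", 443, DROP_SIG),
    ("2024-02-24 21:02:00", "91.92.243.156", 33570, "10.40.1.15", 443, SC_SIG),
    ("2024-02-24 22:37:00", "91.92.243.156", 51884, "10.40.1.15", 443, SC_SIG),
    ("2024-02-24 22:41:00", "198.51.100.7", 50222, "10.40.1.15", 443, DROP_SIG),  # never escalates
]
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def classify(signature):
    """Bucket a signature: reputation-list hit, exploit attempt, or other."""
    if signature.startswith("Spamhaus DROP"):
        return "reputation"
    return "exploit_attempt" if "Privilege Gain" in signature else "other"

def stages(rows):
    seq = []
    for row in sorted(rows):  # ISO-style timestamps sort chronologically as strings
        stage = classify(row[5])
        if not seq or seq[-1] != stage:  # record transitions, not every repeated hit
            seq.append(stage)
    return seq

def escalated(seq):
    """True when a reputation-list hit is later followed by an exploit-attempt signature."""
    return ("reputation" in seq and "exploit_attempt" in seq
            and seq.index("reputation") < seq.index("exploit_attempt"))

def triage(alerts):
    """For each source that escalated: hit count, hours spanned, stages, CVEs named."""
    by_src = {}
    for row in alerts:
        by_src.setdefault(row[1], []).append(row)
    findings = []
    for src, rows in by_src.items():
        seq = stages(rows)
        if not escalated(seq):
            continue  # reputation-only noise stays out of the escalation queue
        times = [datetime.strptime(r[0], "%Y-%m-%d %H:%M:%S") for r in rows]
        findings.append({"src": src, "hits": len(rows), "stages": seq,
                         "cves": sorted({c for r in rows for c in CVE_RE.findall(r[5])}),
                         "span_hours": round((max(times) - min(times)).total_seconds() / 3600, 1)})
    return findings
```

Running `triage(SAMPLE_ALERTS)` returns only the escalating source, with the CVE id pulled from the signature text so the analyst can cite it directly.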