Vigilante IT / White Knights?


We got called into a client last week for an interesting issue. Someone had updated and patched their servers, and a day later all the workstations, including the 3rd-party software on those workstations, had been updated as well. Nothing was broken per se; however, people were confused because some of that patching and updating resulted in lost configurations as well as some skin changes. Nothing significant, but those “cosmetic” changes are what got them asking, “Did you update this system?” “No I didn’t, I thought you did…”
The client tried to figure out what they could on their own, and reluctantly called us. They weren’t mad, but confused and a little troubled that someone may have a method to get into their network without being noticed. Granted, most networks are not looking for good; they are looking for bad. On the surface, an admin account logged into each server in question and ran a PowerShell script that obtained the latest Microsoft updates and applied them. The script was practically verbatim of this Microsoft blog script: How Can I Search For, Download, and Install an Update?
All of that is very interesting in and of itself, but to the client’s main point: is there someone with an easy way or backdoored entrance to their network? While we’ve ruled out typical malicious backdoors, they used a variety of Remote Desktop software, and one Remote Desktop product in particular has had a lot of attention this past week. The mitigations for that software were also implemented, but we do think that was the initial method by which the “vigilante admin”, as we dubbed them, probably gained access. Shodan showed they were vulnerable to the attack, and we were able to find an IP address belonging to a popular VPN service connecting to the host that was first patched and from which the other patching activity appeared to stem.
We have stepped up the monitoring for this client, and are altering how we will monitor our other clients for something similar. In this case, no harm no foul as far as lost revenue or disruption of services. However, even if the white knight was well intentioned, they could have broken or hurt more than they were helping. If anything further develops or IOCs are found, we’ll share them here.
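The gap the post describes is that nobody was alerting on “good” activity happening at the wrong time. The script below is an added example written for this post, not code from the client or from the Microsoft blog script mentioned above. It reads the Windows Update client’s “Installation Successful” events (event ID 19 from the Microsoft-Windows-WindowsUpdateClient provider in the System log), flags any that fall outside an approved maintenance window, and for each one lists the successful logons (Security event 4624) recorded around the same time, so you can see which account and source address were active when the unexpected patching happened. The maintenance window and lookback values are hypothetical defaults; adjust them to your change policy. Run it in an elevated PowerShell session on the server being reviewed.

```powershell
# Added example: find Windows Update installs outside the approved window and
# show who was logged on around that time. Not part of the original post.
# Assumptions (hypothetical): maintenance window is Sunday 02:00-06:00 local time,
# and the Security log retains enough history to cover the lookback period.

param(
    [int]$LookbackDays = 14,
    [System.DayOfWeek]$WindowDay = 'Sunday',
    [int]$WindowStartHour = 2,
    [int]$WindowEndHour = 6,
    [int]$CorrelationMinutes = 30
)

$since = (Get-Date).AddDays(-$LookbackDays)

# Event ID 19 from the WindowsUpdateClient provider = "Installation Successful".
$installs = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
    Id           = 19
    StartTime    = $since
} -ErrorAction SilentlyContinue

# True when the timestamp falls inside the approved maintenance window.
function Test-InWindow([datetime]$t) {
    ($t.DayOfWeek -eq $WindowDay) -and
    ($t.Hour -ge $WindowStartHour) -and
    ($t.Hour -lt $WindowEndHour)
}

# Pull a named field out of an event's EventData block (e.g. TargetUserName in 4624).
function Get-EventField($evt, [string]$name) {
    $xml = [xml]$evt.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

$unexpected = $installs | Where-Object { -not (Test-InWindow $_.TimeCreated) }

if (-not $unexpected) {
    Write-Output "No update installs outside the maintenance window since $since."
}

foreach ($inst in $unexpected) {
    $summary = ($inst.Message -replace '\s+', ' ')
    Write-Output "UNEXPECTED UPDATE  $($inst.TimeCreated)  $summary"

    # Security 4624 = successful logon. LogonType 10 = RemoteInteractive (RDP),
    # 3 = network, 2 = local interactive. Look in a window around the install.
    $logons = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = $inst.TimeCreated.AddMinutes(-$CorrelationMinutes)
        EndTime   = $inst.TimeCreated.AddMinutes($CorrelationMinutes)
    } -ErrorAction SilentlyContinue

    foreach ($l in $logons) {
        $user = Get-EventField $l 'TargetUserName'
        $type = Get-EventField $l 'LogonType'
        $ip   = Get-EventField $l 'IpAddress'

        # Skip computer accounts (trailing $) and well-known service identities;
        # what we want is the human or remote session that was active.
        if ($user -like '*$') { continue }
        if ($user -in @('SYSTEM', 'ANONYMOUS LOGON', 'LOCAL SERVICE', 'NETWORK SERVICE')) { continue }

        if ($type -in @('2', '3', '10')) {
            Write-Output "    logon  $($l.TimeCreated)  user=$user  type=$type  from=$ip"
        }
    }
}
```

On a domain, the same correlation is more useful when run against forwarded Security logs from the domain controllers, since the source address of an RDP session shows up in the 4624 on the target host while the authentication itself lands on the DC. If PowerShell script block logging is enabled, searching the Microsoft-Windows-PowerShell/Operational log (event 4104) for the same time range will also show the text of any script that was run, which is how you would confirm that the update activity came from an interactive script rather than from the scheduled Windows Update service.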