Shining a Light on What Goes Bump in the Night

A Threat Landscape Overview from the Blackpoint Response Operations Center Night Shift

During the night shift, the Blackpoint SOC gets a unique view of the current threat landscape and attacker methodologies. Off-peak hours give adversaries a better chance of operating under the radar, and alerts that look mundane during the day can be high-risk at 03:00. In this post, the Blackpoint SOC showcases common incident patterns, explains the importance of contextual analysis, and shares key recommendations on how SOCs and defenders in general can better protect their networks.

A frequent type of breach the Blackpoint SOC encounters during the night shift is the SSL VPN compromise. In these incidents, attackers abuse stolen VPN credentials or appliance vulnerabilities to gain initial access to a network. Once inside, they are frequently seen enumerating the environment, moving laterally across the network, exfiltrating data, or deploying ransomware. The Blackpoint SOC has seen this pattern repeatedly across organizations and industries, highlighting how widespread SSL VPN exploitation has become as an initial access vector.

In this post we explore two representative examples of the activity our night-shift analysts face during off-hours.

Key Takeaways

  • Late-night hours are attractive to adversaries, and night-shift analysts are often first to detect stealthy initial-access activity.
  • SSL VPN compromise remains a frequent initial-access vector, driven by stolen credentials and appliance vulnerabilities.
  • Publicly exposed services and devices are high-value targets and can enable rapid domain-level compromise when exploited.

Figure 1: Attacker seen performing enumeration commands and creating a new user for persistence.

VPN Compromises

VPN compromises are common during late-night hours because the chance of detection is lower: many organizations do not have cybersecurity personnel monitoring their networks 24/7. Attackers understand that these off-peak windows provide an opportunity to blend in with legitimate remote access activity and operate with minimal resistance. SSL VPN compromises are not always easy to identify because they can mimic normal user activity. This is where the expertise of Blackpoint's analysts comes into play: leveraging experience, behavioral patterns, and contextual clues to differentiate legitimate access from malicious activity.

An investigation into a suspected VPN compromise typically starts with an alert for remote execution through services.exe (a remotely created service being started) or for share mount activity. Triage begins by answering who performed the activity (user account), what occurred (processes and commands executed), where it originated (hostname and source IP), when it happened (event timestamps), and why it occurred (the suspected intent behind the activity). A key indicator of a possible VPN compromise is a missing hostname for the source device: it means the device the activity is sourcing from does not have a Blackpoint SNAP agent installed, which is exactly what an attacker's VPN client looks like from inside the network.

After validating the source of the traffic, the SOC investigates the user account, which can provide further context. Over the past few months, the Blackpoint SOC has investigated a large number of SonicWall VPN compromises in which threat actors abused compromised service accounts to access the network. Compromised accounts seen in these breaches include svc_ldap, sonicldap, and ldap_svc, names that suggest accounts created for the appliance's LDAP integration. When an account like this performs remote execution, it is a strong indication that an SSL VPN compromise has occurred: an LDAP bind account has no legitimate reason to start services on other hosts. Checking the account's historical activity adds further context about whether the behavior is normal for that account.

Lastly, the source IP provides another clue. VPNs typically hand out addresses from their own pool, separate from the internal network ranges, so in these cases the source and destination IPs usually sit in different subnets. For example, the source IP might be in the 172.16.x.x range while the destination IP is in the 10.0.x.x range. Identifying this mismatch is a strong indicator that the activity originated via remote access rather than from on-prem infrastructure. The SOC rarely has the customer's assigned VPN IP range on hand to confirm this, but available telemetry such as chipset or MAC OUI data in the logs can be used to infer that the source device is a VPN endpoint.

Figure 2: Previously unknown device confirmed to be a SonicWall VPN based on chipset.

Figure 3: An example of a remote execution alert for services.exe by the svcbackup account. All three indicators of an SSL VPN compromise are visible: a service account being abused to perform remote execution (svcbackup), the Attack Source showing as an unknown device (no SNAP agent installed), and source and destination IP addresses in separate subnets (192.168.253.0/24 and 192.168.101.0/24).
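The three indicators above can be encoded as a first-pass triage check. The following Python is an added example written for this post, not Blackpoint SOC tooling: it scores constructed remote-execution alerts (the first modelled on Figure 3, with a `-` source host standing in for a device without an agent) against the unknown-source, service-account and subnet-mismatch indicators. The alert line format, the service-account naming heuristic, the /24 approximation of "different subnet" and the two-of-three escalation threshold are all assumptions.

```python
"""Score remote-execution alerts against the three SSL VPN compromise indicators.

Added example, not Blackpoint SOC code. The alert line format, the service-account
naming heuristic, the /24 subnet approximation and the escalation threshold are
assumptions made for this illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Service accounts the post names as abused in SonicWall VPN compromises.
KNOWN_SERVICE_ACCOUNTS = {"svc_ldap", "sonicldap", "ldap_svc"}
# Assumption: names starting/ending with "svc" or containing "ldap" are service accounts.
SERVICE_ACCOUNT_HINT = re.compile(r"^svc|svc$|ldap", re.IGNORECASE)

# Constructed sample alerts (key=value, one per line). src_host "-" means the source
# device is unknown to the platform, i.e. no SNAP agent. The first line mirrors Figure 3.
SAMPLE_ALERTS = """\
ts=2025-10-14T03:12:44Z user=svcbackup src_host=- src_ip=192.168.253.15 dst_ip=192.168.101.10 action=remote_exec:services.exe
ts=2025-10-14T03:20:01Z user=jsmith src_host=WS-042 src_ip=10.0.5.20 dst_ip=10.0.5.30 action=share_mount
ts=2025-10-14T03:25:37Z user=itadmin src_host=ADMIN-PC src_ip=10.0.1.5 dst_ip=10.0.2.9 action=remote_exec:services.exe
ts=2025-10-14T03:41:19Z user=CORP\\svc_ldap src_host=- src_ip=172.16.4.9 dst_ip=10.0.0.12 action=remote_exec:services.exe
"""


@dataclass
class Alert:
    ts: str
    user: str
    src_host: Optional[str]   # None when the source device has no agent
    src_ip: str
    dst_ip: str
    action: str


@dataclass
class Verdict:
    user: str
    indicators: List[str]
    score: int
    escalate: bool


def parse_alert(line: str) -> Alert:
    fields = dict(token.split("=", 1) for token in line.split())
    host = fields["src_host"]
    return Alert(ts=fields["ts"], user=fields["user"],
                 src_host=None if host == "-" else host,
                 src_ip=fields["src_ip"], dst_ip=fields["dst_ip"], action=fields["action"])


def is_service_account(user: str) -> bool:
    name = user.rsplit("\\", 1)[-1].lower()   # drop a DOMAIN\ prefix
    return name in KNOWN_SERVICE_ACCOUNTS or bool(SERVICE_ACCOUNT_HINT.search(name))


def different_subnet(src_ip: str, dst_ip: str, prefix: int = 24) -> bool:
    """Assumption: without the customer's VPN pool, compare the /24 networks."""
    src = ipaddress.ip_network(f"{src_ip}/{prefix}", strict=False)
    dst = ipaddress.ip_network(f"{dst_ip}/{prefix}", strict=False)
    return src != dst


def triage(alert: Alert) -> Verdict:
    found = []
    if alert.src_host is None:
        found.append("source is an unknown device (no SNAP agent)")
    if alert.action.startswith("remote_exec") and is_service_account(alert.user):
        found.append(f"service account {alert.user} performing remote execution")
    if different_subnet(alert.src_ip, alert.dst_ip):
        found.append(f"source {alert.src_ip} and destination {alert.dst_ip} are in different subnets")
    # Assumption: two of the three indicators is enough to escalate for containment.
    return Verdict(alert.user, found, len(found), len(found) >= 2)


def triage_log(text: str) -> List[Verdict]:
    return [triage(parse_alert(line)) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for v in triage_log(SAMPLE_ALERTS):
        flag = "ESCALATE" if v.escalate else "monitor "
        print(f"{flag} {v.user:<16} score={v.score} {'; '.join(v.indicators)}")
```

Run as-is, the svcbackup and svc_ldap alerts score three of three and escalate, the share mount from an agent-managed workstation scores zero, and the administrator's cross-subnet remote execution from a managed host scores one, which is where the historical-activity check for that account should take over.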

At this point in the investigation, the Blackpoint SOC may use open-source intelligence (OSINT) to validate that the customer has a VPN panel exposed to the internet. The SOC's logs include the public address used for the network connection; entering that IP into a network discovery search engine such as Shodan or Censys returns the device's open ports and confirms whether a publicly exposed VPN portal exists.

The SOC then weighs all of the evidence above and, when it points to a compromise, quickly contains the threat by isolating hosts on the network. We commonly isolate entire subnets rather than the individually targeted devices: once a threat actor has a foothold, they can leverage any reachable device for lateral movement or privilege escalation, so shrinking their reach limits the damage that can be done.

Figure 4: A quick open-source search can reveal publicly exposed SSL VPN login portals.

Compromised Public Web Services

Another type of incident frequently seen during the night shift is the compromise of public web services. One investigation worth highlighting is the compromise of the Remote Desktop Web Access (RDWebAccess) component on a web server. RDWebAccess is the web-based interface for Microsoft Remote Desktop Services that lets users reach internal desktops and published applications through a browser. When exposed to the internet, it is a high-value target for threat actors seeking initial access into enterprise environments through misconfigurations, unpatched vulnerabilities, or stolen credentials.

For this particular incident, the Blackpoint SOC was alerted to domain trust enumeration activity. Open-source intelligence on the user responsible showed that they were a catering manager; this activity was highly anomalous for that role and not consistent with legitimate job duties.

Figure 5: Above are a few of the commands seen being executed.

Investigation showed that a threat actor had authenticated to the RDWebAccess portal with previously compromised user credentials and immediately performed enumeration using living-off-the-land binaries (LOLBins). This activity is consistent with reconnaissance intended to identify privileged accounts and domain controllers and to harvest cached or reusable credentials. A new user named “adm” was then created and added to the Domain Admins group. This represents both persistence and privilege escalation: the attacker gained full Domain Admin privileges and with them the ability to create backdoors, disable security controls, and rapidly deploy malware or ransomware across hosts via Group Policy, scheduled tasks, or remote-execution tools.

Observed activity included:

  • nltest.exe /dclist: enumerate the domain's domain controllers (nltest's separate /domain_trusts switch is the one that lists domain trusts)
  • net.exe user /domain: list domain user accounts
  • net.exe user compromisedUser /domain: query user details for the compromised user’s domain account
  • net.exe group “Domain Admins” /domain: enumerate members of the Domain Admins group
  • net.exe accounts /domain: view domain password and account policy settings
  • whoami.exe: confirm the current user and account context
  • cmdkey.exe /list: list the credentials stored in Windows Credential Manager for the current user
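As an added example (not Blackpoint detection content), the following Python flags both halves of this incident from process-creation telemetry: a burst of distinct AD discovery commands from one user within a short window, and a domain account created and then added to a privileged group by the same actor. The pipe-delimited event lines are constructed for the example; the `net user ... /add` and `net group "Domain Admins" ... /add` commands are an assumption of how the “adm” account was created, since the post does not show them, and the ten-minute window and three-command threshold are tuning assumptions.

```python
"""Detect the RD Web Access intrusion pattern in process-creation events: a burst of
AD discovery LOLBins from one user, then a domain account created and added to a
privileged group.

Added example, not Blackpoint SOC content. The pipe-delimited event format is a
constructed stand-in for Sysmon Event ID 1 / Security 4688 telemetry, and the
window and threshold values are tuning assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
WINDOW = timedelta(minutes=10)   # assumption: sliding window for a discovery burst
BURST_THRESHOLD = 3              # assumption: distinct discovery commands needed to alert

# Constructed events: timestamp|host|user|command line. The 02:41-02:42 block mirrors the
# commands listed above; the two /add commands are an assumption of how "adm" was created.
SAMPLE_EVENTS = r"""
2025-10-14T02:41:07Z|WEB01|CORP\cmanager|whoami.exe
2025-10-14T02:41:12Z|WEB01|CORP\cmanager|nltest.exe /dclist:corp.local
2025-10-14T02:41:30Z|WEB01|CORP\cmanager|net.exe user /domain
2025-10-14T02:41:48Z|WEB01|CORP\cmanager|net.exe user cmanager /domain
2025-10-14T02:42:05Z|WEB01|CORP\cmanager|net.exe group "Domain Admins" /domain
2025-10-14T02:42:20Z|WEB01|CORP\cmanager|net.exe accounts /domain
2025-10-14T02:42:41Z|WEB01|CORP\cmanager|cmdkey.exe /list
2025-10-14T02:55:10Z|WEB01|CORP\cmanager|net.exe user adm REDACTED /add /domain
2025-10-14T02:55:31Z|WEB01|CORP\cmanager|net.exe group "Domain Admins" adm /add /domain
2025-10-14T09:15:02Z|WS-017|CORP\helpdesk|net.exe user jdoe /domain
2025-10-14T09:30:44Z|WS-017|CORP\helpdesk|whoami.exe
"""


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    cmdline: str


@dataclass
class Finding:
    severity: str
    ts: datetime
    actor: Tuple[str, str]      # (host, user)
    detail: str


TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted arguments ("Domain Admins") intact."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def classify(argv: List[str]) -> Optional[Tuple[str, object]]:
    """("discovery", what) / ("account_create", name) / ("group_add", (group, member)) / None."""
    exe = argv[0].lower().rsplit("\\", 1)[-1]        # strip any path
    exe = exe[:-4] if exe.endswith(".exe") else exe
    args = [a.lower() for a in argv[1:]]
    if exe in ("net", "net1"):
        if args[:1] == ["user"] and "/add" in args and len(args) >= 2:
            return "account_create", args[1]
        if args[:1] == ["group"] and "/add" in args and len(args) >= 3:
            return "group_add", (args[1], args[2])
        if args == ["user", "/domain"]:
            return "discovery", "domain user enumeration"
        if args[:1] == ["user"] and "/domain" in args:
            return "discovery", "domain user lookup"
        if args[:1] == ["group"] and "/domain" in args and len(args) >= 2:
            return "discovery", f"group membership: {args[1]}"
        if args[:1] == ["accounts"]:
            return "discovery", "password policy"
    elif exe == "nltest":
        if any(a.startswith("/dclist") for a in args):
            return "discovery", "domain controller listing"
        if any(a.startswith("/domain_trusts") for a in args):
            return "discovery", "domain trust listing"
    elif exe == "whoami":
        return "discovery", "user context"
    elif exe == "cmdkey" and "/list" in args:
        return "discovery", "stored credentials"
    return None


def parse_event(line: str) -> Event:
    ts, host, user, cmdline = line.split("|", 3)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, cmdline)


def detect(log: str) -> List[Finding]:
    findings: List[Finding] = []
    recent: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    burst_reported: Set[Tuple[str, str]] = set()
    created: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        result = classify(tokenize(ev.cmdline))
        if result is None:
            continue
        kind, detail = result
        actor = (ev.host, ev.user)
        if kind == "discovery":
            # keep only this actor's discovery commands that fall inside the window
            recent[actor] = [(t, c) for t, c in recent[actor] if ev.ts - t <= WINDOW] + [(ev.ts, detail)]
            distinct = {c for _, c in recent[actor]}
            if len(distinct) >= BURST_THRESHOLD and actor not in burst_reported:
                burst_reported.add(actor)   # report each actor's burst once
                findings.append(Finding("high", ev.ts, actor,
                                        "AD discovery burst: " + ", ".join(sorted(distinct))))
        elif kind == "account_create":
            created[actor].add(detail)
            findings.append(Finding("medium", ev.ts, actor, f"domain account created: {detail}"))
        elif kind == "group_add":
            group, member = detail
            if group in PRIVILEGED_GROUPS:
                note = " (account created by the same actor shortly before)" if member in created[actor] else ""
                findings.append(Finding("critical", ev.ts, actor, f"{member} added to {group}{note}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity.upper():8}] {f.ts:%H:%M:%S} {f.actor[1]}@{f.actor[0]}: {f.detail}")
```

On the constructed log the catering manager's session produces three findings in order (the discovery burst at the third distinct command, the account creation, and the critical Domain Admins addition tied back to the account created minutes earlier), while the helpdesk user's two routine lookups, fifteen minutes apart, never cross the threshold. Tying the group addition to an account the same actor just created is what separates this from a legitimate administrator onboarding a new admin.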

This incident highlights the critical role of night shift investigations and rapid contextual analysis in identifying externally driven intrusions early. Night-shift analysts validated the RDWebAccess enumeration alert, enriched the event with OSINT to confirm the role mismatch, and reconstructed a minute-by-minute timeline using EDR and SIEM telemetry. The Blackpoint SOC quickly isolated the subnet to prevent further malicious activity and lateral movement, while notifying the customer and providing a detailed report with the necessary remediations.

The Night Shift’s experience, contextual analysis, and disciplined playbooks allow the Blackpoint SOC to rapidly triage alerts, contain threat actors, and interrupt their progression through the kill chain. The prioritized recommendations below convert our night-shift lessons into actionable steps you can use to strengthen defense in depth across identity, network, host, and application layers.

Recommendations

  • Require multi-factor authentication for all users and administrative accounts, and for any remote or external access to corporate resources.
  • Restrict public-facing services to authorized users and approved IP ranges.
  • Apply the Principle of Least Privilege to Active Directory groups and accounts.
  • Segment the network and enforce segregation between DMZ, user, and privileged zones.
  • Ensure all servers are fully patched/hardened and up to date.
  • Enable Botnet Filtering and ensure proper Account Lockout policies are in place.
  • Require input validation and sanitization for all web-facing servers and applications.

Date published: October 29, 2025
Author: Blackpoint Cyber