Bad External Server IP Address Connection From Vulnerable Application
This alert occurs when Lacework detects that an external server with a potentially malicious IP address has established a connection to a vulnerable application.
This alert can indicate an attempt by an attacker to exploit a vulnerability in the application or to exfiltrate sensitive data from the organization's network.
Why this alert is important
The alert can indicate that an attacker is attempting to exploit a vulnerability in the application or network, steal data or install malware. If the attacker successfully establishes a connection, they may be able to exfiltrate sensitive data from the organization's network. Detecting the incident can help prevent data breaches and protect confidential information.
Investigation
Follow these steps to investigate the alert:
- Identify the IP address of the external server that attempted to connect to the vulnerable application. This information should be available in the alert or log message associated with the alert.
- Check if the external server's IP address is known to be malicious or has a history of attacks. This can be done by checking threat intelligence feeds or by performing a search on the IP address.
- Check whether the vulnerable application is running the latest version with all security patches applied. If not, take steps to update the application to the latest version.
- Check the logs of the vulnerable application to see if any attempted exploits or attacks were associated with the connection from the external server.
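The first two investigation steps (pull the external source IPs that reached the vulnerable application, then check them against threat intelligence and any allowlist) can be scripted. The example below is added here and is not Lacework code; it assumes a constructed log format, constructed internal CIDRs, and constructed indicator sets, all of which would be replaced by the organization's real log schema and feeds.

```python
"""Triage helper for external connections to a vulnerable application.

Added example (not Lacework's code). Assumes a constructed log format
"<ts> <src_ip> -> <dst_ip>:<port> app=<name>"; real schemas differ.
"""
import ipaddress
from collections import Counter

# Constructed sample log lines. Source addresses use IANA documentation
# ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as placeholders.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z 10.0.1.7 -> 10.0.2.15:8080 app=inventory-api
2024-01-10T09:00:05Z 203.0.113.50 -> 10.0.2.15:8080 app=inventory-api
2024-01-10T09:00:09Z 198.51.100.23 -> 10.0.2.15:8080 app=inventory-api
2024-01-10T09:00:12Z 203.0.113.50 -> 10.0.2.15:8080 app=inventory-api
2024-01-10T09:00:15Z 192.0.2.77 -> 10.0.2.15:8080 app=inventory-api
2024-01-10T09:00:20Z 192.0.2.77 -> 10.0.2.20:443 app=billing
"""

# Constructed: the organization's own internal ranges (RFC 1918 here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_BAD = {"203.0.113.50"}      # constructed threat-intel indicator
ALLOWLIST = {"198.51.100.23"}     # constructed known-good partner
VULNERABLE_APPS = {"inventory-api"}  # hypothetical app flagged as vulnerable


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, _arrow, dst, app = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src, "dst": dst_ip,
            "port": int(dst_port), "app": app.split("=", 1)[1]}


def is_external(ip):
    """External means outside every organization-defined internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(log_text, vulnerable_apps=VULNERABLE_APPS):
    """Map each external source that hit a vulnerable app to a count and verdict."""
    hits = Counter()
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec["app"] in vulnerable_apps and is_external(rec["src"]):
            hits[rec["src"]] += 1
    report = {}
    for ip, count in hits.items():
        # Verdicts mirror the Resolution steps: block known-bad, allowlist
        # known-good, and review application logs for anything unknown.
        verdict = ("block" if ip in KNOWN_BAD else
                   "allow" if ip in ALLOWLIST else "investigate")
        report[ip] = {"count": count, "verdict": verdict}
    return report
```

Sources that end up as `investigate` are the ones to take into step four, reviewing the application's own logs for exploit attempts around those timestamps.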
Resolution
Follow these steps to resolve the alert:
- If the connection was successful, immediately disconnect the external server and contain the attack's impact.
- If the connection was legitimate, you can add the external server's IP address to an allowlist. If the connection was malicious, you might need to block the IP address or take other remedial measures.
- It is also important to investigate why the vulnerable application was connected to a potentially malicious server in the first place. This may involve reviewing the application's network settings or configurations.
- Implement security controls such as firewalls and intrusion detection systems, or apply software patches to vulnerable applications.