Hello, this is my first time posting on a forum ever, but the issue is serious enough for me to do so. Any help to unpack this issue is appreciated.
A bit of my background: Doing IT for 10+ years, not a security/network expert by any means, but competent enough to figure most things out with broad talent.
Overview:
- We have multiple sites that have seen the event below. Not every site has seen this Alert.
- The Destination is always the MX and this single event only.
- Threat is in reference to "Back Orifice", a Remote Access Tool ("RAT"). The nature of port 80 is a hint that confirms this. I have read up on "Back Orifice" and have some knowledge of how it works, to a degree, in avoiding detection.
- All source IPs are China, and those IP ranges are now blocked in addition to the country block that was previously established.
- We have an Enterprise Endpoint Security system in place on all clients and servers. We cannot find anything in logs to indicate an issue (partly because we don't know what we are digging for).
- We have begun contact with Meraki and our enterprise security system vendor.
We have taken some security steps, but would like input on how to proceed. My main concern is an endpoint that has become compromised, allowing the attacker to move laterally through the network. I don't feel our servers are at an immediate risk at the moment, as we have implemented new security practices since I started that should make it *difficult* to gain control of them. (Though nothing is impossible.)
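The first triage question for an alert like this is direction: an external source hitting the MX's WAN address and getting blocked is scanning noise stopped at the firewall, whereas any alert whose source is an internal address (a host reaching out, or one internal host talking to another) is the case that points at a possibly compromised endpoint. The script below is an added example, not the poster's data and not Meraki's API or log schema; the alert field names, the site WAN addresses and the sample alerts are all constructed for illustration and would be replaced by an export from your own IDS event log.

```python
"""Triage IDS 'Back Orifice' alerts by direction: firewall noise vs. a host to investigate.

Added example. Field names (site, signature, src, dst, dport, blocked) are assumptions,
not a vendor schema; all addresses are documentation/RFC 1918 ranges, not real hosts.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: any address here belongs to one of our sites.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample: public WAN address of each site's MX (documentation range, not real).
MX_WAN_IPS = {"site-a": "198.51.100.5", "site-b": "198.51.100.9"}

# Constructed sample alerts (not real log data).
SAMPLE_ALERTS = [
    {"site": "site-a", "signature": "BackOrifice", "src": "203.0.113.10", "dst": "198.51.100.5", "dport": 80, "blocked": True},
    {"site": "site-a", "signature": "BackOrifice", "src": "203.0.113.11", "dst": "198.51.100.5", "dport": 80, "blocked": True},
    {"site": "site-b", "signature": "BackOrifice", "src": "203.0.113.10", "dst": "198.51.100.9", "dport": 80, "blocked": True},
    # An internal host initiating the same signature outbound is the case to investigate.
    {"site": "site-b", "signature": "BackOrifice", "src": "10.20.30.40", "dst": "203.0.113.50", "dport": 80, "blocked": False},
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of our private ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(alert: dict, mx_wan_ips: dict = MX_WAN_IPS) -> tuple:
    """Return (direction, severity) for a single alert."""
    src_in, dst_in = is_internal(alert["src"]), is_internal(alert["dst"])
    if not src_in and alert["dst"] in mx_wan_ips.values():
        # External scanner hitting the MX WAN interface; nothing behind it was reached.
        return "inbound-to-mx", ("low" if alert.get("blocked") else "medium")
    if src_in and not dst_in:
        # A host inside reaching out with a RAT signature: possible infected endpoint.
        return "outbound-from-host", "high"
    if src_in and dst_in:
        # Host-to-host inside the perimeter: possible lateral movement.
        return "internal-lateral", "high"
    # External source reached an internal address (port forward / 1:1 NAT).
    return "inbound-to-internal-host", "high"


def triage(alerts: list, mx_wan_ips: dict = MX_WAN_IPS) -> dict:
    """Summarise alerts by direction, list internal hosts worth pulling endpoint logs for,
    and count external sources (useful when deciding what to block)."""
    by_direction = Counter()
    hosts_to_investigate = defaultdict(set)
    external_sources = Counter()
    for a in alerts:
        direction, severity = classify(a, mx_wan_ips)
        by_direction[direction] += 1
        if severity == "high":
            # The internal side of the conversation is the host to examine.
            host = a["src"] if is_internal(a["src"]) else a["dst"]
            hosts_to_investigate[a["site"]].add(host)
        if not is_internal(a["src"]):
            external_sources[a["src"]] += 1
    return {
        "by_direction": dict(by_direction),
        "hosts_to_investigate": {site: sorted(h) for site, h in hosts_to_investigate.items()},
        "external_sources": dict(external_sources),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_ALERTS)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the three alerts aimed at the MX WAN addresses are classed as blocked inbound scans, and only the fourth (an internal 10.x host as the source) lands in the list of hosts whose endpoint-security logs should be pulled. Feeding a real export through the same split answers the poster's question of what to dig for: any alert where the source is an inside address, not the inbound ones.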
I appreciate you taking your time to read all of this!