CasesC-1305

Unsecured Database Port Exposed - C-1305

Detected on May 12, 2025 at 02:14 AM · Updated 18m ago
Status
Open
Due in 6h 30m
Severity
Medium
Score: 5.4
Assignee
RI
Rajesh Iyer
Cloud Security
Owner
AB
Alex B.
SecOps Team
Priority
P2
Medium Priority

Case Overview

Database listener port (3306) exposed directly to the public internet on host LIN-DB-01.

Case ID
C-1305
Case Type
Unsecured Database Port Exposed
Tactic / Technique
Credential Access / T1110
Detection Source
Wazuh SIEM
First Detected
May 12, 2025 at 02:14 AM
Last Activity
May 12, 2025 at 02:42 AM
Environment
Prod
Tags
AuthenticationVPNAccount Takeover

Affected Systems

View all (2)
VPN-GW-01Online
10.0.1.15 · Palo Alto GlobalProtect
Medium
svc-vpn-access
Privileged Account
Medium

Linked Alerts

View all (2)
Brute force login attempt detected
Wazuh · May 12, 2025 02:14 AM
High
Multiple failed logins - threshold exceeded
Wazuh · May 12, 2025 02:16 AM
Medium
Suspicious source IP geo-anomalous
Wazuh · May 12, 2025 02:18 AM
Medium

SLA & Timing

68%
Remaining
SLA24h 0m
DueDue in 6h 30m
Elapsed9h 42m
SLA Target: 24hTime remaining: 14h 18m

Stakeholders

Edit
AB
Alex B.
Case Owner
RI
Rajesh Iyer
Assignee
MR
Miguel R.
SOC Manager
IT
Ian T.
Infrastructure Team

Related Reports

View all
Weekly Security Summary
May 5 – May 11, 2025
PDF
Authentication Threat Report
April 2025
PDF

Export Case Summary

Download a summary of this case including details, evidence, and timeline.

Investigation Notes

Initial triage shows multiple failed VPN logins using the svc-vpn-access account from an external IP with no known business justification.

  • Verified account is a service account used by automation.
  • Source IP 203.0.113.45 not in allowlist.
  • No successful login observed.
  • Account locked as a precaution.
  • Monitoring for additional activity.
RI
Rajesh Iyer · May 12, 2025 03:02 AM (edited)
View full notes

Evidence Attachments (4)

View all
vpn_failed_logins_2025-05-12.log
72 KB · May 12, 02:16 AM
wazuh_alert_5501.json
18 KB · May 12, 02:18 AM
firewall_traffic_203.0.113.45.pcap
1.4 MB · May 12, 02:22 AM
account_lock_event.png
93 KB · May 12, 02:25 AM

Comments / Collaboration

RI
AB
Alex B.Owner· May 12, 2025 03:15 AM

Locked the svc-vpn-access account and added 203.0.113.45 to the firewall blocklist. Monitoring for any downstream activity.

Reply