Azure VM - Several Blocked Sites Daily (Ports 80, 443, 3389)


Paul125

Hello. Last week, I installed MEP on all of our company workstations and servers, including our application server hosted on Azure. Several times per day, MEP reports blocking malicious websites on ports 80, 443, and 3389. 

I am new to the Nebula product and not an expert in Azure networking management. What can I do to research this issue? We use ports 80 and 443 for the applications we provide to our clients. We have a SQL back-end tied to Microsoft's IIS service on a web page. I presume port 3389 was set up by Microsoft's system so we can remote into the machine. Is there a better way to do this? I included a screenshot of the blocked website report.

Thank you.

MEP Screenshot 1.JPG


Hello Paul, thanks for reaching out to Malwarebytes.

Regarding these blocks, this appears to be the product doing its job as expected, stopping known malicious IPs from your server.

The IP addresses you see listed are known to be used for attacks, which is why they were added to our blacklist.

These blocks mean the server is available to the open internet on those ports; this requires the ports to be port-forwarded through Network Address Translation. These are configurations in the firewall or router that allow this access in from the internet. Malicious actors use port scanners to search the internet and look for these open ports to try and exploit, or brute-force guess an administrator password.

The blocks are likely port scan or login attempts on 3389 to try and remote into your network via RDP. Most of these actors are associated with ransomware: once they are able to successfully guess (automated to guess many times per second) the RDP admin password, they log in manually, disable all security and drop ransomware. These blocks are a canary in the coal mine: actions need to be taken on network configuration to prevent a ransomware attack.

We have our guide on locking down RDP further here, but I recommend disabling and closing the NAT translation, and finding an alternative remote access tool that doesn't require open NAT ports:
https://blog.malwarebytes.com/security-world/business-security-world/2018/08/protect-rdp-access-ransomware-attacks/

Protecting an internet-facing website requires much more than AV on the server hosting it; for ports 80 and 443 it's even more complicated. That gets past my personal expertise with Azure websites, but if you have trouble locking it down and preventing those blocks, I can recommend using managed webserver hosting instead of configuring custom servers.

Let us know if you have questions on this moving forward, or with the RDP lock-down guide provided; with those steps we should be able to stop the RDP brute-force activity.

We can open a business support ticket if necessary to continue working together or if there is any trouble.

Many Thanks,
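One way to check which network security group (NSG) rule actually exposes each of these ports to the internet, as an added example that is not code from this thread or from Malwarebytes; it assumes the camelCase field names that `az network nsg rule list` returns, and the sample rules and the admin address 203.0.113.10/32 are constructed placeholders:

```python
# Added example, not from the thread: audit Azure NSG rules for internet exposure.
# Assumes the camelCase field names returned by `az network nsg rule list`; the
# sample rules and the admin IP 203.0.113.10/32 are constructed placeholders.

INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}  # prefixes admitting the whole internet

def port_matches(port, spec):
    """True if `port` is inside an NSG port spec such as '*', '3389' or '3000-4000'."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port

def internet_exposure(rules, port):
    """Return (deciding_rule_name, allowed) for inbound traffic from an arbitrary
    internet address to `port`. NSG evaluation stops at the first matching rule in
    priority order, so a rule scoped to one admin IP never matches internet-wide
    traffic, and such traffic falls through to the default DenyAllInBound rule."""
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    for rule in inbound:
        ports = rule.get("destinationPortRanges") or [rule["destinationPortRange"]]
        sources = rule.get("sourceAddressPrefixes") or [rule["sourceAddressPrefix"]]
        if any(port_matches(port, p) for p in ports) and any(s in INTERNET_SOURCES for s in sources):
            return rule["name"], rule["access"] == "Allow"
    return None, False

def audit(rules, ports=(80, 443, 3389)):
    """Map each port to the rule that decides internet access to it."""
    return {p: internet_exposure(rules, p) for p in ports}

DEFAULT_DENY = {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
                "access": "Deny", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
WEB = {"name": "allow-web", "priority": 1010, "direction": "Inbound", "access": "Allow",
       "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]}
# Weak: RDP reachable from anywhere, the configuration behind the daily 3389 blocks.
WEAK_RULES = [DEFAULT_DENY, WEB, {
    "name": "default-allow-rdp", "priority": 1000, "direction": "Inbound",
    "access": "Allow", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}]
# Hardened: same RDP rule, but only from one admin address (constructed placeholder).
HARDENED_RULES = [DEFAULT_DENY, WEB, {
    "name": "allow-rdp-admin", "priority": 1000, "direction": "Inbound", "access": "Allow",
    "sourceAddressPrefix": "203.0.113.10/32", "destinationPortRange": "3389"}]
```

With the weak rule set, `audit` reports 3389 decided by `default-allow-rdp` (allowed); with the hardened set the same port falls through to `DenyAllInBound` while 80 and 443 stay open for the web application, which is the state the reply above is asking for.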
