We are hosting an unsupported system called Care Free (http://www.carefreegroup.com/) for a customer that we provide IT support and infrastructure for, on one of our Windows 2016 Servers running SQL 2017 and KES 11.0.6499 pf5101.
As of yesterday only (Database release date: 04/09/2019 06:39:00).
We've been receiving an alert from the NTP component on this server alerting us of a Bruteforce.Generic.MSSQL.b on port 1433 of the server from clients running the Care Free software.
This issue can be recreated when the client accesses a specific location within the application.
The NTP block is causing a complete loss of connectivity to the SQL database intermittently making the application unusable.
Obviously, with the nature of the attack being a brute force, I've had the affected system users change their password to a much more complex one (it is a local SQL account).
I've been in touch with the vendor to identify what the precise workflow within the application is actually doing. However, is there any chance we could maybe identify whether the new database release might be a false positive?
Event type: Network attack detected
Application\Name: Kaspersky Endpoint Security for Windows
User: F4\xxxxxxxxxx (Active user)
Component: Network Threat Protection
Object: TCP from 172.xx.xx.xx to 172.x.x.x:1433
Object\Type: Network packet
Object\Name: TCP from 172.x.x.x to 172.x.x.x:1433
Database release date: 04/09/2019 12:08:00
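One way to test the false-positive theory from the SQL Server side, as an added example that is not from the poster, the vendor or Kaspersky: parse the instance ERRORLOG and tally login outcomes per client address, since a real brute force shows repeated failed logins (error 18456) while an application opening many connections at once shows only successes. It assumes the instance's login auditing is set to log both failed and successful logins; the log lines, addresses and user names below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of SQL Server ERRORLOG lines (not from the poster's server).
# Addresses, login names and timestamps are made up for illustration.
SAMPLE_ERRORLOG = """\
2019-04-09 10:15:01.23 Logon       Login succeeded for user 'carefree_app'. Connection made using SQL Server authentication. [CLIENT: 172.16.1.50]
2019-04-09 10:15:01.24 Logon       Login succeeded for user 'carefree_app'. Connection made using SQL Server authentication. [CLIENT: 172.16.1.50]
2019-04-09 10:15:01.25 Logon       Login succeeded for user 'carefree_app'. Connection made using SQL Server authentication. [CLIENT: 172.16.1.50]
2019-04-09 10:15:01.26 Logon       Login succeeded for user 'carefree_app'. Connection made using SQL Server authentication. [CLIENT: 172.16.1.50]
2019-04-09 10:16:40.01 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-09 10:16:40.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.9.77]
2019-04-09 10:16:40.02 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-09 10:16:40.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.9.77]
2019-04-09 10:16:40.03 Logon       Error: 18456, Severity: 14, State: 5.
2019-04-09 10:16:40.03 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 172.16.9.77]
"""

# Matches the "Login succeeded/failed for user '...' ... [CLIENT: addr]" message lines.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+Logon\s+Login (?P<outcome>succeeded|failed) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def summarize_logins(log_text):
    """Return {client_addr: {"ok": n, "failed": n, "users": set(...)}} from ERRORLOG text."""
    stats = defaultdict(lambda: {"ok": 0, "failed": 0, "users": set()})
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # the bare "Error: 18456" line carries no client address; skip it
        entry = stats[m["client"]]
        entry["ok" if m["outcome"] == "succeeded" else "failed"] += 1
        entry["users"].add(m["user"])
    return dict(stats)

def classify(entry, fail_threshold=3):
    """Label one client's activity: repeated failures look like guessing, an all-success burst does not."""
    if entry["failed"] >= fail_threshold:
        return "suspicious"
    if entry["failed"] == 0 and entry["ok"] > 0:
        return "benign"
    return "inconclusive"

if __name__ == "__main__":
    for client, entry in summarize_logins(SAMPLE_ERRORLOG).items():
        print(f"{client}: ok={entry['ok']} failed={entry['failed']} "
              f"users={sorted(entry['users'])} -> {classify(entry)}")
```

A client that the IDS flags but that shows only successful logins for the application's own account points at the burst of connections being misclassified rather than at password guessing; a client with many 18456 failures across several login names does not.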