Over the past several days we have been working with a set of our partners regarding a security vulnerability at end client sites where partners utilized Continuum’s legacy IP Scanner tool. This tool created an admin account called SAAZDEPUSR, and the user credentials for that account were compromised and leaked online.
As part of our investigation, we have also noticed suspicious activity on sites not associated with the legacy IP Scanner tool. We have observed unauthorized admin accounts that have been created at sites. We don’t know if this is related to the original issue, but as a result we are paying closer attention to all sites and noting any suspicious activity and investigating as needed.
As a result, we are strongly recommending that all partners check for suspicious activity and any fraudulent administrative accounts, system accounts, or any accounts with elevated privileges at all client sites. In addition, consider closing all ports that are not needed for you to conduct business.
We have a list of known suspicious accounts posted and we are running a script to disable known suspicious accounts. We have also created a script to display all users across all of your sites so you can review and validate each more easily. Here is a link to the report instructions.
In some cases, we have observed open RDP access and other security settings that should be tightened immediately. Based upon our initial findings, we’ve posted actionable recommendations that you should take immediately.
True remediation and protection require us to work hand-in-hand together as partners. We will continue to take action moving forward and we strongly urge you to:
- Take independent and aggressive action to contain this security incident in the way you would contain any security incident.
- Pay close attention to the regular updates and recommendations that we are posting and follow those recommendations wherever applicable.
- Review the laws and regulations that are applicable to you and your clients’ businesses and determine whether to communicate to your clients.
These kinds of attacks are increasingly part of the digital world we live in. As your partner, we will continue to work aggressively with our expert forensic firm and the FBI to investigate the situation. The Information Security page will be updated regularly and please reach out to your account team with questions.
Continuum Managed Services