ArmorPoint analysts successfully identified and prevented an RCE (Remote Code Execution) attack while it was in progress, safeguarding and preventing a PII breach that would have thousands of potential victims.

Identifying the RCE Attack

On a quiet weekend late at night, Cybereason alerted ArmorPoint's analysts to a Windows process that was engaging in unexpected activity. The process was downloading a remote access executable and installing it on the customer's server.

Although it's common for many RMM agents and late-night IT team server maintenance to perform such activities, ArmorPoint analysts erred on the side of caution and engaged in incident response due to the unusual nature of the activity for the organization.

Thanks to the diversity of experience in technical backgrounds, we quickly identified the server as hosting large volumes of PII. This elevated the level of urgency and actions the incident response team took to prevent and contain the activity.

Underlying Factors at Play

After containment and the organization’s IT team getting involved to remove the software we conducted further review of the root cause of the incident. This led to the discovery of multiple vulnerable open ports on the servers, as well as an unpatched RCE vulnerability on the software installed on the server that allowed for the initial access.

Cybereason was critical in identifying the suspicious behavior that was occurring. After incident handling and containment, the organization’s IT team was quick to implement proper ACLs on their firewall and patch the vulnerabilities in the affected software.

Lessons Learned

Having a SIEM and EDR present in your environment is only a part of keeping your network and endpoints secure. We recommend regular review of the placement of devices on the network and establish a DMZ for servers that must be public-facing. It's also important to keep sensitive information on servers segmented behind a firewall within the LAN out of public reach.

Remember to regularly review devices for open ports and listening services. Regularly change passwords for unused service accounts and regularly test and implement patching when available from software vendors to prevent vulnerability exploitation. ArmorPoint provides easy and convenient vulnerability scanning services and reporting to help your team better understand what fixes to implement within your environment.

About ArmorPoint

ArmorPoint, LLC is a managed cybersecurity solution that combines the three pillars of a robust cybersecurity program — people, processes, and technology — into a single solution. Designed by cybersecurity experts, ArmorPoint’s cloud-hosted SIEM technology and extended detection and response capabilities enable businesses to implement a highly effective, scalable cybersecurity program. With customizable pricing available, every ArmorPoint plan offers a dynamic level of managed security services that support the risk management initiatives of all companies, regardless of available budget, talent, or time. ArmorPoint is developed and powered by Trapp Technology, Inc., a Phoenix-based IT managed services provider. To learn more about ArmorPoint, visit


Ashley Capps

Chief Marketing Officer, Trapp Technology and ArmorPoint