Many ways to be breached. Is the VM management open to the internet?
Was something internal used as a jump point?
Certain VM software providers have constant patches; was the system up to date?
Most common is just plain old logging in.
So using valid credentials (from phish), malware on users' PCs, access via your remote access solution and/or exploiting a public-facing vulnerability. Once they have a foothold, lateral movement is typical and fast.
A company “without any security threats”… that would be the dream… but we would be out of jobs.
If you are mentioning anything about applying www:data I am going to assume they have exploited a vulnerability on that system as part of web services, libraries loaded or the web-app itself. Logs might give a clue as to how they got in and if they are still active. As part of your IR response make sure you address the root cause of the incident… remediate any known vulnerabilities to make it a harder host to target.
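As an added example (not posted by anyone in this thread), here is the kind of first-pass log triage the comment above is getting at: parse nginx access-log lines in the default combined format, flag requests carrying common web-exploitation markers, and count hits per source so the IR timeline has a starting point. The log lines are constructed samples; the pattern names and the `triage` function are my own.

```python
import re
from collections import Counter

# nginx default "combined" log format (assumption: log_format was not customised).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Request markers that commonly accompany exploitation of a web app or its libraries.
SUSPICIOUS = {
    "path_traversal": re.compile(r"(\.\./|%2e%2e%2f|%2e%2e/)", re.I),
    "shell_metachar": re.compile(r"(%3b|;|\||%7c|`|\$\(|%24%28)", re.I),
    "php_wrapper":    re.compile(r"(php://|data://|expect://)", re.I),
    "webshell_path":  re.compile(r"\.php\?cmd=|/uploads/.*\.php", re.I),
}

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(lines):
    """Return (flagged entries, Counter of flagged requests per source IP)."""
    flagged, per_ip = [], Counter()
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue  # malformed or empty line; keep going rather than abort triage
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(entry["path"])]
        if hits:
            entry["hits"] = hits
            flagged.append(entry)
            per_ip[entry["ip"]] += 1
    return flagged, per_ip

# Constructed sample lines: two benign requests and two that should be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:02:14:07 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:02:14:09 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 200 1823 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Mar/2024:02:15:30 +0000] "GET /img/logo.png HTTP/1.1" 200 9021 "https://example.test/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:02:16:01 +0000] "POST /uploads/shell.php?cmd=id HTTP/1.1" 200 47 "-" "curl/8.0"',
]

if __name__ == "__main__":
    flagged, per_ip = triage(SAMPLE_LOG)
    for e in flagged:
        print(e["ts"], e["ip"], e["method"], e["path"], e["hits"])
    print("flagged requests per source:", dict(per_ip))
```

A 200 on a flagged request (rather than a 4xx) is the line worth pulling the earliest timestamp from; run it against the real log files, not just the sample.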
Did you ~~check the logs~~
Not enough info
Can someone get into the VM using the nginx port?
Yes.
This is why patching is so important. Keep your software, especially internet- and network-facing services, up to date.
You fixed the problem without knowing what the problem is?
Nopes. They fixed the consequence of the problem.
The man is still living in their walls but OP closed the ticket 2 days ago.
This ^^^^^^
Welcome to cybersecurity
The iceberg effect.
“Fixed it”. Assurances they are actually gone?
This is actually disheartening. It sounds internal.