
Alerts C2/Generic-A

Dear,

We are facing a very strange situation regarding the very frequent alerts we are getting for C2/Generic-A.

Most of these alerts have origin addresses from DNS servers, such as 8.8.8.8 for example, but what is intriguing is what the details in Log Viewer show as the URLs in alerts like these: url="tattooprestige .com" / url="sarymar.com" / url="123-gmbh.de" / url="foods-pro.com". These targets are apparently listed in RansomExx IOCs as possibly malicious.

The issue is that we were not able to identify the origins of these alerts; apparently some originate from the Sophos Firewall itself.

Can anyone who has experienced something similar confirm if this is a false positive or could it be a real threat?

Below are some of the alerts we got in Log Viewer:

messageid="18010" log_type="ATP" log_component="IPS" log_subtype="Drop" user="-" protocol="UDP" src_port="53" dst_port="64581" src_ip="8.8.8.8" dst_ip="10.3.153.2" url="benreat.com" threat="C2/Generic-A" event_id="F65CE07D-0A82-451C-8BC0-9E99D122B26D" type="Standard" host_login_user="" host_process_user="" endpoint_id="" execution_path=""


messageid="18010" log_type="ATP" log_component="IPS" log_subtype="Drop" user="*" protocol="UDP" src_port="53" dst_port="62845" src_ip="8.8.8.8" dst_ip="10.3.153.2" url="foods-pro.com" threat="C2/Generic-A" event_id="C5C2FCF3-AE89-4829-AE70-007C567F2C54" type="Standard" host_login_user="" host_process_user="" endpoint_id="" execution_path=""

messageid="18010" log_type="ATP" log_component="IPS" log_subtype="Drop" user="" protocol="UDP" src_port="53" dst_port="42394" src_ip="8.8.8.8" dst_ip="172.30.0.34" url="tedxns.com" threat="C2/Generic-A" event_id="6D65FA54-4DAB-45C4-B557-39B0E5EFA272" type="Standard" host_login_user="" host_process_user="" endpoint_id="" execution_path=""
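The three alert lines above carry the clue to the origin question. As an added triage example (my code, not anything from the thread or from Sophos), the script below parses the posted key="value" lines and groups the flagged domains by the host that actually issued the DNS lookup. The reasoning it encodes is a plain reading of the fields: src_ip="8.8.8.8" with src_port="53" over UDP is a DNS response, so the internal party that asked the question is dst_ip (10.3.153.2 and 172.30.0.34 in the posted lines), and the empty endpoint_id / execution_path fields show the firewall had no endpoint attribution for these flows. Whether those dst_ip addresses are end-user machines or internal resolvers forwarding to 8.8.8.8 is not stated in the post; the helper names that assumption explicitly.

```python
import re
from collections import defaultdict

# The three ATP alert lines quoted in the post above (copied from the thread, not constructed).
SAMPLE_ALERTS = [
    'messageid="18010" log_type="ATP" log_component="IPS" log_subtype="Drop" user="-" protocol="UDP" '
    'src_port="53" dst_port="64581" src_ip="8.8.8.8" dst_ip="10.3.153.2" url="benreat.com" '
    'threat="C2/Generic-A" event_id="F65CE07D-0A82-451C-8BC0-9E99D122B26D" type="Standard" '
    'host_login_user="" host_process_user="" endpoint_id="" execution_path=""',
    'messageid="18010" log_type="ATP" log_component="IPS" log_subtype="Drop" user="*" protocol="UDP" '
    'src_port="53" dst_port="62845" src_ip="8.8.8.8" dst_ip="10.3.153.2" url="foods-pro.com" '
    'threat="C2/Generic-A" event_id="C5C2FCF3-AE89-4829-AE70-007C567F2C54" type="Standard" '
    'host_login_user="" host_process_user="" endpoint_id="" execution_path=""',
    'messageid="18010" log_type="ATP" log_component="IPS" log_subtype="Drop" user="" protocol="UDP" '
    'src_port="53" dst_port="42394" src_ip="8.8.8.8" dst_ip="172.30.0.34" url="tedxns.com" '
    'threat="C2/Generic-A" event_id="6D65FA54-4DAB-45C4-B557-39B0E5EFA272" type="Standard" '
    'host_login_user="" host_process_user="" endpoint_id="" execution_path=""',
]

# key="value" pairs; the value group allows empty strings so fields like endpoint_id="" survive.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_alert(line):
    """Parse one Sophos Firewall key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def is_dns_response(alert):
    """A UDP packet whose *source* port is 53 is a DNS reply coming back from the resolver."""
    return alert.get("protocol") == "UDP" and alert.get("src_port") == "53"


def querying_host(alert):
    """Return the host that initiated the flagged DNS lookup.

    For a DNS response the initiator is dst_ip (the side that sent the query);
    for any other direction fall back to src_ip.
    """
    return alert["dst_ip"] if is_dns_response(alert) else alert["src_ip"]


def lacks_endpoint_attribution(alert):
    """True when the firewall recorded no endpoint identity for the flow.

    With endpoint_id, host_process_user and execution_path all empty there is no
    process-level attribution in the alert itself, so the next place to look is the
    query log of whatever is at dst_ip (assumption: that may be an internal resolver
    forwarding to 8.8.8.8, in which case its logs name the real client).
    """
    return not any(alert.get(k) for k in ("endpoint_id", "host_process_user", "execution_path"))


def triage(lines):
    """Group flagged domains by the internal host that issued the lookup."""
    by_host = defaultdict(set)
    for line in lines:
        alert = parse_alert(line)
        if alert.get("log_type") != "ATP" or alert.get("threat") != "C2/Generic-A":
            continue  # only the alert family discussed in the thread
        by_host[querying_host(alert)].add(alert["url"])
    return {host: sorted(domains) for host, domains in by_host.items()}


if __name__ == "__main__":
    for host, domains in triage(SAMPLE_ALERTS).items():
        print(f"{host} looked up: {', '.join(domains)}")
```

Running it on the posted lines yields two internal hosts, 10.3.153.2 (benreat.com, foods-pro.com) and 172.30.0.34 (tedxns.com); those addresses, not 8.8.8.8, are where the investigation continues, and because every alert lacks endpoint attribution the resolver or client query logs at those addresses are what will tie each lookup to a machine and process.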