Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 48 replies
  • Answers 1 answer
  • Subscribers 30 subscribers
  • Views 298894 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Advanced Threat Protection

YivgenyShipilevsky

Hello,

In last couple of days i start receive emails from my Sophos UTM (Firmware version 9.350-12)

A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A

Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx

Time...........: 2016-03-20 06:41:17

Traffic blocked: yes

Source IP address or host: 218.60.112.225

Every Email include different IP Address but it's not my LAN Network. How i can find problematic machine (IP) from my local network ?



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to lferrara

    On the phone now and asking if they're aware/what the scoop is as one of our customers got hit pretty hard by it over the weekend and is very concerned.

  • 0 in reply to lferrara

    think not there will be a fix.. may this was a massive attack from chinese hackers..

    greets

    zaphod
    ___________________________________________

    Home: Zotac CI321 (8GB RAM / 120GB SSD)  with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • 0 in reply to zaphod

    From looking at the logs received by a client and talkiing with Sophos Support this looks like a massive spoof attack and portscan across the internet.

    The logs start with a portscan then move into a massive set of port 53 traffic which may or may not be still ongoing for some users (is still ongoing for our affected clientelle).

    A suggested concern I made is that this is an attempt at a glibc attack but luckily he is on 9.355-1. Is everyone receiving this on 9.355-1 or other versions as well?

    A mitigation that has been employed is to be more aggressive with GEO-IP blocking which seems particularly effective in lightening the load if you block from China

    China is definitely active today: http://map.norsecorp.com/#/

    Port 23 was also heavily included in the portscan

    Note: this is not an official statement nor an official diagnosis

  • 0 in reply to Emile Belcourt

    I am running 9.355-1 on both UTMs. For business reasons, it is not possible to GEO-IP block China for one of the UTMs. 

    I assume that this attack is very widespread. I can't imagine that they have somehow fingerprinted and targeted UTMs only. Has anyone seen reports about it in the general media?

  • 0 in reply to utmadm

    My google fu isn't picking anything up yet, but the target IP on our clients machine was 165.21.104.134

    This is an IP address in Singapore but my concern is what they were trying to masquerade with this.

Unfiltered HTML