
Advanced Threat Protection

Hello,

In the last couple of days I have started receiving emails from my Sophos UTM (Firmware version 9.350-12):

A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A

Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx

Time...........: 2016-03-20 06:41:17

Traffic blocked: yes

Source IP address or host: 218.60.112.225

Every email includes a different IP address, but it's not in my LAN network. How can I find the problematic machine (IP) on my local network?



  • Can someone contact Sophos Support and post the fix?

    Hope that the workaround is not to disable ATP at all!

  • I don't think there will be a fix... maybe this was a massive attack from Chinese hackers...

    greets

    zaphod
    ___________________________________________

    Home: Zotac CI321 (8GB RAM / 120GB SSD)  with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • From looking at the logs received by a client and talking with Sophos Support, this looks like a massive spoof attack and portscan across the internet.

    The logs start with a portscan, then move into a massive set of port 53 traffic which may or may not still be ongoing for some users (it is still ongoing for our affected clientele).

    A concern I suggested is that this is an attempt at a glibc attack, but luckily he is on 9.355-1. Is everyone receiving this on 9.355-1, or on other versions as well?

    A mitigation that has been employed is to be more aggressive with GEO-IP blocking, which seems particularly effective in lightening the load if you block from China.

    China is definitely active today: http://map.norsecorp.com/#/

    Port 23 was also heavily included in the portscan

    Note: this is not an official statement nor an official diagnosis

  • I am running 9.355-1 on both UTMs. For business reasons, it is not possible to GEO-IP block China for one of the UTMs. 

    I assume that this attack is very widespread. I can't imagine that they have somehow fingerprinted and targeted UTMs only. Has anyone seen reports about it in the general media?
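One way to work the original question and the portscan reply above from the UTM's own packetfilter log, as an added example that is not from this thread or from Sophos: it lists the LAN hosts that exchanged packets with the alerted external IP (the machine the poster is looking for; an empty result means only unsolicited inbound traffic was logged) and separately flags external sources touching many distinct ports, the scan-then-port-53 pattern described above. The log lines are constructed and only approximate the key="value" layout of the UTM packetfilter log; the LAN ranges assumed are RFC1918.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample in the key="value" style of the UTM packetfilter log
# (an approximation, not captured traffic). The alerted host probes several
# ports, then sends UDP/53; one LAN host later talks to it on port 53.
SAMPLE_LOG = """\
2016:03:20-06:41:10 utm ulogd[4760]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" srcip="218.60.112.225" dstip="203.0.113.10" proto="6" srcport="40001" dstport="23"
2016:03:20-06:41:11 utm ulogd[4760]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" srcip="218.60.112.225" dstip="203.0.113.10" proto="6" srcport="40002" dstport="22"
2016:03:20-06:41:12 utm ulogd[4760]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" srcip="218.60.112.225" dstip="203.0.113.10" proto="6" srcport="40003" dstport="445"
2016:03:20-06:41:15 utm ulogd[4760]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" srcip="218.60.112.225" dstip="203.0.113.10" proto="17" srcport="53" dstport="53"
2016:03:20-06:41:17 utm ulogd[4760]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" srcip="192.168.1.42" dstip="218.60.112.225" proto="17" srcport="51234" dstport="53"
2016:03:20-06:41:18 utm ulogd[4760]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" srcip="192.168.1.7" dstip="198.51.100.5" proto="6" srcport="51235" dstport="443"
"""

# Assumed LAN ranges (RFC1918); adjust to the real internal networks.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV = re.compile(r'(\w+)="([^"]*)"')  # one key="value" field

def is_lan(ip):
    return any(ipaddress.ip_address(ip) in net for net in LAN_NETS)

def parse(line):  # log line -> dict of its key="value" fields
    return dict(KV.findall(line))

def internal_peers(log, alert_ip):
    """LAN hosts that exchanged packets with the alerted IP in either
    direction, with a hit count and the firewall actions seen."""
    peers = defaultdict(lambda: {"hits": 0, "actions": set()})
    for line in log.splitlines():
        f = parse(line)
        src, dst = f.get("srcip"), f.get("dstip")
        if alert_ip not in (src, dst):
            continue
        other = dst if src == alert_ip else src  # the non-alerted side
        if other and is_lan(other):
            peers[other]["hits"] += 1
            peers[other]["actions"].add(f.get("action"))
    return {ip: {"hits": v["hits"], "actions": sorted(v["actions"])} for ip, v in peers.items()}

def scan_like_sources(log, min_ports=3):
    """External sources touching >= min_ports distinct destination ports:
    the portscan pattern the replies describe, regardless of drop/accept."""
    ports = defaultdict(set)
    for line in log.splitlines():
        f = parse(line)
        src = f.get("srcip")
        if src and not is_lan(src):
            ports[src].add(int(f["dstport"]))
    return {s: sorted(p) for s, p in ports.items() if len(p) >= min_ports}
```

On a real UTM the same two functions can be fed the packetfilter log filtered with the alerted IP from the ATP email, which turns the alert's external address into the internal host (if any) that actually initiated the contact.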
