Hafnium Attack - how was Zyxel helping to protect

Mario Posts: 104  Ally Member
edited April 2021 in Security
On 3.3, Microsoft distributed important security updates for Exchange Server for vulnerabilities which were already being used in 0-day attacks at that time.
We support customers who are probably also affected by the attack.
I would like to know from Zyxel which IOCs were detected by the Zyxel USG / ATP at which point in time
(e.g. did IDP or IP Reputation detect the attacks?).
Thanks for your feedback
Mario

All Replies

  • Mario
    edited March 2021
    Well, today (9.3.21) the IP 188.166.162.201 is still not detected.
    Why isn't this listed in the IP reputation?

  • Zyxel_Can
    Hi @Mario,

    The IP reputation database mainly focuses on IPs detected with scan/attack/spam-sending behavior, IPs of proxy servers, the Tor network, or botnet C&C servers.

    This IP is a compromised site, so it is not categorized in the cloud database. Instead, it is already categorized as a phishing site in the URL threat filter cloud database.

    However, you can manually add the compromised IP addresses to the Black list in the IP Reputation settings.

    In the article you provided, the malicious payload download site with IP address 188.166.162.201 was obtained from the previous malicious stager site http[:]//p.estonine.com/p?e

    Also, the other stager sites http[:]//cdn.chatcdn.net/p?low210305 and http[:]//cdn.chatcdn.net/p?hig210305 are in the URL threat filter cloud database.
    Leveraging URL Threat Filter can prevent clients from accessing this IP site in advance.

    Here the recommendation to mitigate this kind of advanced threat is to deploy multi-layered protection with the following Zyxel Security services.

    1- Intrusion Detection and Prevention:

    IDP performs deep-packet inspection against known attacks from the network.
    Here you can find more information about IDP:
    https://www.zyxel.com/products_services/Security-Service-Intrusion-Detection-and-Prevention/

    2- Reputation Filter (supported by ATP models):

    Reputation Filter leverages IP/DNS/URL filter technology to block botnet infections and prevent drive-by download attacks.

    3- SSL Inspection:

    SSL Inspection decrypts traffic that is encrypted by TLS and sends it to the UTM engines in order to inspect the content of the traffic.

    Threats can also be encrypted. In order to inspect them, we will need the SSL Inspection module.

    4- Anti-Malware/Anti-Virus:

    Anti-Malware identifies malware by its signature. It scans files at the gateway for viruses and other threats.

    5- Sandboxing (supported by ATP models):

    Sandboxing is an isolated cloud environment that contains unknown files to identify new malware types that conventional static security mechanisms cannot detect, ensuring protection against zero-day attacks.

    Thus, to mitigate the threats on the internet, users need more than one solution to keep their network safer.

    Best regards.
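As an added defender's example (not code from this thread, from Zyxel, or from any Zyxel device), the Python script below checks log lines against the indicators quoted in the reply above and reports separately whether a hit would come from the IP blacklist or from the URL threat filter, which is the distinction the reply draws. The key=value log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the thread above, kept in their defanged "http[:]//" form.
IOC_IPS = {"188.166.162.201"}
IOC_URLS = {
    "http[:]//p.estonine.com/p?e",
    "http[:]//cdn.chatcdn.net/p?low210305",
    "http[:]//cdn.chatcdn.net/p?hig210305",
}

def refang(url):
    """Turn a defanged indicator back into a real URL for comparison."""
    return url.replace("[:]", ":").replace("[.]", ".")

IOC_URLS_REFANGED = {refang(u) for u in IOC_URLS}
# A request to the stager host alone is a weaker signal than the exact
# stager URL, so host-only matches are reported as their own layer.
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS_REFANGED}

# Constructed key=value log format (assumption, not a Zyxel log format).
LOG_LINE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)(?: url=(?P<url>\S+))?")

def match_line(line):
    """Return a list of (layer, indicator) hits for one log line."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    hits = []
    if m["dst"] in IOC_IPS:
        # Per the reply, this IP is not in IP Reputation; it must be blacklisted by hand.
        hits.append(("ip_blocklist", m["dst"]))
    url = m["url"]
    if url:
        if url in IOC_URLS_REFANGED:
            hits.append(("url_threat_filter", url))
        elif urlsplit(url).hostname in IOC_HOSTS:
            hits.append(("url_host_only", urlsplit(url).hostname))
    return hits

def scan(lines):
    """Return {line_number: hits} for every line that matched at least one indicator."""
    return {n: h for n, ln in enumerate(lines, 1) if (h := match_line(ln))}

# Constructed sample log: a bare connection to the payload IP, a fetch of a
# stager URL, a fetch of another path on the stager host, and a benign line.
SAMPLE_LOG = [
    "2021-03-09T10:15:02Z src=10.0.0.5 dst=188.166.162.201",
    "2021-03-09T10:15:03Z src=10.0.0.5 dst=203.0.113.7 url=http://cdn.chatcdn.net/p?low210305",
    "2021-03-09T10:15:04Z src=10.0.0.6 dst=203.0.113.8 url=http://cdn.chatcdn.net/other",
    "2021-03-09T10:15:05Z src=10.0.0.7 dst=198.51.100.9 url=http://example.com/",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(n, hits)
```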
