Hafnium Attack - how was Zyxel helping to protect
On 3.3, Microsoft distributed important security updates for Exchange Server, which were already used for 0-day attacks at that time.
We support customers who are probably also affected by the attack.
I would like to know from Zyxel which IOCs were detected by the Zyxel USG / ATP at which point in time.
(e.g. did IDP or IP Reputation detect the attacks?)
Thanks for your feedback
Mario
0
All Replies
Well, today (9.3.21) the IP 188.166.162.201 is still not detected. This IP is hardcoded in some scripts, see https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers
Why isn't this listed in the IP reputation?
0
Hi @Mario,
The IP reputation database mainly focuses on IPs detected with scan/attack/spam-mail-sending behavior, IPs of proxy servers, the Tor network, or botnet C&C servers.
This IP is a compromised site, so it is not categorized in the cloud database. Instead, it is already categorized as a phishing site in the URL Threat Filter cloud database.
However, you can add the compromised IP addresses to the Black list in the IP Reputation settings manually.
In the article you provided, the malicious payload download site with IP address 188.166.162.201 was obtained from the previous malicious stager site http[:]//p.estonine.com/p?e
Also, the other stager sites http[:]//cdn.chatcdn.net/p?low210305 and http[:]//cdn.chatcdn.net/p?hig210305 were already in the URL Threat Filter cloud database.
Leveraging the URL Threat Filter can prevent clients from accessing this IP site in advance.
Here the recommendation to mitigate this kind of advanced threat is to deploy multi-layered protection with the following Zyxel security services.
1- Intrusion Detection and Prevention:
IDP performs deep-packet inspection against known attacks from the network.
Here you can find more information about IDP;
https://www.zyxel.com/products_services/Security-Service-Intrusion-Detection-and-Prevention/
2- Reputation Filter(Supported by ATP models):
The Reputation Filter leverages IP/DNS/URL filter technology to block botnet infections and prevent drive-by download attacks.
3- SSL Inspection:
SSL Inspection decrypts traffic that is encrypted with TLS and sends it to the UTM engines in order to inspect the content of the traffic.
Threats can also be encrypted. In order to inspect them, we will need the SSL Inspection module.
4- Anti-Malware/Anti-Virus:
Anti-Malware identifies malware by its signatures. It scans files at the gateway for viruses and other threats.
5- Sandboxing(Supported by ATP models):
Sandboxing is an isolated cloud environment that contains unknown files to identify new malware types that conventional static security mechanisms cannot detect, ensuring protection against zero-day attacks.
Thus, to mitigate threats on the internet, users need more than one solution to keep their network safer.
Best regards.
0
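The reply above says the compromised IP was not in the IP reputation feed and recommends adding it to the blacklist manually. A practical companion step is to check your own gateway logs for the indicators quoted in the thread before and after doing so. The script below is an added example, not Zyxel code: it refangs the `http[:]//` notation used in the reply, splits the indicators into IPs and hostnames, and matches them against constructed log lines (the log format and the private/TEST-NET addresses are assumptions, not real Zyxel output).

```python
import re
from ipaddress import ip_address

# Indicators as quoted in the thread, kept in their defanged form
IOC_RAW = [
    "188.166.162.201",
    "http[:]//p.estonine.com/p?e",
    "http[:]//cdn.chatcdn.net/p?low210305",
    "http[:]//cdn.chatcdn.net/p?hig210305",
]

def refang(value):
    """Turn defanged notation (http[:]//, hxxp, [.]) back into a matchable string."""
    return value.replace("[:]", ":").replace("[.]", ".").replace("hxxp", "http")

def build_iocs(raw):
    """Split indicators into a set of IP strings and a set of lowercase hostnames."""
    ips, hosts = set(), set()
    for item in map(refang, raw):
        host = re.sub(r"^https?://", "", item).split("/")[0]
        try:
            ips.add(str(ip_address(host)))   # normalizes e.g. leading zeros
        except ValueError:
            hosts.add(host.lower())
    return ips, hosts

# Constructed sample log lines in a generic key=value firewall style (assumption,
# not Zyxel's real log format); 10.0.0.0/8 and 192.0.2.0/24 are test addresses.
SAMPLE_LOG = """\
2021-03-09T10:15:02 src=10.0.0.12 dst=188.166.162.201 dport=80 action=allow
2021-03-09T10:15:07 src=10.0.0.12 host=cdn.chatcdn.net url=/p?low210305 action=allow
2021-03-09T10:16:30 src=10.0.0.33 dst=192.0.2.10 dport=443 action=allow
2021-03-09T10:17:11 src=10.0.0.12 host=p.estonine.com url=/p?e action=block
"""

LINE_RE = re.compile(r"(?:dst|host)=(\S+)")

def match_log(log_text, raw_iocs=IOC_RAW):
    """Return (line_number, indicator) for each line whose dst/host is a known IoC."""
    ips, hosts = build_iocs(raw_iocs)
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for value in LINE_RE.findall(line):
            if value in ips or value.lower() in hosts:
                hits.append((n, value))
    return hits
```

Lines reported with `action=allow` are the ones that got through before the manual blacklist entry and are worth a closer look on the client host.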