Today is one of those Whiskey Tango Foxtrot kind of days. I've been tracking a real November Sierra since December, and even reported it. I figured it was a bug, so I submitted it to the security folks. Their response? "We're not the team for this problem." OK.
Now today I see two data points, one weirdo one-timer kind of probe. Yup, for real, a solo IP in the gigabytes of logs that my Splunk eats. Yet this IP correlates with another IP that has been on my radar.
So I get out my Splunk and pull a "deny" query on this IP. Not only does it generate IPS hits from my desktop, outbound to the destination, but I also see inbound activity from this IP (also denied, of course).
(2017-03-29T17:56:44) firewall: msg_id="3000-0150" Deny 1-Trusted 0-External 9840 tcp 20 64 [desktop_ip] 184.86.92.71 12766 80 offset 5 A 2936268642 win 342 signature_name="WEB-CLIENT WScript.Shell Remote Code Execution -1 (Ransomware A" signature_cat="Access Control" signature_id="1110895" severity="5" geo_dst="USA" msg="IPS detected" (HTTP-proxy-00)
(2017-03-23T08:35:36) firewall: msg_id="3000-0148" Deny 0-External Firebox 936 tcp 20 56 184.86.92.71 [office-ip] 80 1847 offset 5 A 2554649786 win 913 msg="tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead).
That IP (184.86.92.71) is owned by none other than Microsoft. They host the OffCAT (Office Configuration Analyzer Tool) update content on Akamai:
(2017-03-29T17:56:45) http-proxy[2026]: msg_id="1AFF-0021" Allow 1-Trusted 0-External tcp [desktop_ip] 184.86.92.71 12768 80 msg="ProxyAllow: HTTP Request categories" proxy_act="HTTP-Client.1" cats="Information Technology" op="GET" dstname="www.microsoft.com" arg="/office/offcat/2.5/en/offcat.nextversion.xml" geo_dst="USA" (HTTP-proxy-00)
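The Splunk "deny" search plus the hand correlation above, reduced to a script. This is an added example, not the author's code and not a WatchGuard or Splunk tool: it parses the three Firebox lines quoted above (embedded as constructed sample input, with the cut-off closing quote on the syn-check message restored), and for one IP it pairs each IPS deny with the proxy-allowed request that followed it, and checks whether an inbound SYN-check failure came from a service port the desktop had itself been talking to. The regexes, the field names in the summary and the 5-second pairing window are assumptions, not a published log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the three Firebox lines quoted in the post. [desktop_ip] and
# [office-ip] are the post's own redactions, kept as placeholders.
SAMPLE_LOG = """\
(2017-03-29T17:56:44) firewall: msg_id="3000-0150" Deny 1-Trusted 0-External 9840 tcp 20 64 [desktop_ip] 184.86.92.71 12766 80 offset 5 A 2936268642 win 342 signature_name="WEB-CLIENT WScript.Shell Remote Code Execution -1 (Ransomware A" signature_cat="Access Control" signature_id="1110895" severity="5" geo_dst="USA" msg="IPS detected" (HTTP-proxy-00)
(2017-03-23T08:35:36) firewall: msg_id="3000-0148" Deny 0-External Firebox 936 tcp 20 56 184.86.92.71 [office-ip] 80 1847 offset 5 A 2554649786 win 913 msg="tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead)."
(2017-03-29T17:56:45) http-proxy[2026]: msg_id="1AFF-0021" Allow 1-Trusted 0-External tcp [desktop_ip] 184.86.92.71 12768 80 msg="ProxyAllow: HTTP Request categories" proxy_act="HTTP-Client.1" cats="Information Technology" op="GET" dstname="www.microsoft.com" arg="/office/offcat/2.5/en/offcat.nextversion.xml" geo_dst="USA" (HTTP-proxy-00)
"""

ADDR = r'(?:\d{1,3}(?:\.\d{1,3}){3}|\[[\w-]+\])'  # dotted quad or a [redacted] placeholder
HEADER_RE = re.compile(
    r'^\((?P<ts>[^)]+)\)\s+(?P<proc>[\w-]+)(?:\[\d+\])?:\s+msg_id="(?P<msg_id>[^"]+)"\s+'
    r'(?P<action>Allow|Deny)\s+(?P<src_if>\S+)\s+(?P<dst_if>\S+)\s+(?P<rest>.*)$')
# The 5-tuple: protocol, then (after any length/TTL columns) src dst sport dport.
TUPLE_RE = re.compile(
    r'\b(?P<proto>tcp|udp)\b.*?(?P<src>' + ADDR + r')\s+(?P<dst>' + ADDR +
    r')\s+(?P<sport>\d+)\s+(?P<dport>\d+)')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Split one Firebox traffic line into header fields, the 5-tuple and key="value" pairs."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop('rest')
    t = TUPLE_RE.search(rest)
    if not t:
        return None
    rec.update(t.groupdict())
    rec['sport'], rec['dport'] = int(rec['sport']), int(rec['dport'])
    rec['ts'] = datetime.fromisoformat(rec['ts'])
    rec['kv'] = dict(KV_RE.findall(rest))
    return rec


def correlate(log_text, ip, window=timedelta(seconds=5)):
    """Everything the firewall logged to or from `ip`, sorted into what an analyst
    actually wants to know: which IPS signatures fired on outbound traffic, which
    proxy-allowed request followed each one, and whether the inbound denies look
    like probes or like leftovers of our own sessions."""
    events = [r for r in map(parse_line, log_text.splitlines()) if r]
    out = [r for r in events if r['dst'] == ip]
    inb = [r for r in events if r['src'] == ip]
    served_ports = {r['dport'] for r in out}  # server ports we opened on this IP (80 here)
    summary = {'outbound': len(out), 'inbound': len(inb), 'ips_hits': [],
               'http_requests': [], 'inbound_from_known_service_port': 0,
               'inbound_unexplained': 0}
    for r in out:
        kv = r['kv']
        if kv.get('msg') == 'IPS detected':
            # Proxy-allowed requests to the same IP within `window` after the IPS deny:
            # the client's next request, which tells you what it was fetching.
            followups = [a['kv'].get('dstname', '') + a['kv'].get('arg', '')
                         for a in out
                         if a['proc'] == 'http-proxy' and a['action'] == 'Allow'
                         and timedelta(0) <= a['ts'] - r['ts'] <= window]
            summary['ips_hits'].append({'signature_id': kv.get('signature_id'),
                                        'signature': kv.get('signature_name'),
                                        'followup_requests': followups})
        if r['proc'] == 'http-proxy' and 'op' in kv:
            summary['http_requests'].append(
                f"{kv['op']} {kv.get('dstname', '')}{kv.get('arg', '')}")
    for r in inb:
        msg = r['kv'].get('msg', '')
        # A SYN-check failure whose source port is a service we had connected to is the
        # firewall seeing a late ACK/FIN/RST from that session after its state entry was
        # gone. Anything else inbound from the IP stays unexplained and worth a look.
        if msg.startswith('tcp syn checking failed') and r['sport'] in served_ports:
            summary['inbound_from_known_service_port'] += 1
        else:
            summary['inbound_unexplained'] += 1
    return summary


if __name__ == '__main__':
    for key, value in correlate(SAMPLE_LOG, '184.86.92.71').items():
        print(f'{key}: {value}')
```

Run as-is it prints the summary for 184.86.92.71. The two inbound counters are the check worth doing before calling an inbound deny a probe: a SYN-check failure arriving from port 80 of a host the desktop had just fetched an update from is far more often a straggler from that session than a fresh inbound connection attempt, and only the "unexplained" bucket needs the rest of the hunt.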
I sent email to security at microsoft.com explaining how this first showed up in December during a Visio update (2AM kind of MSFT update). They responded with the "yeah, not our problem," kind of email.
The other November-Sierra involves a fast tripwire that implicated Microsoft again. That one won't go up on the blog until after I get a response from BigSoft's contact.
Fun times.