SOC Catch of the Day

We review billions of logs daily to keep you safe from advanced threats.

Man-in-the-middle Disrupted at Multinational

The Network: A law firm with 14 offices worldwide. Their team is supplemented 24/7 by EventTracker’s co-managed security solution.
 
The Expectation: Filtering web traffic is essential because so many threats are web-borne. Web proxies are in place with well-defined rules, and WCCP is used to redirect traffic to them in real time.
 
The Catch: Our SOC analysts observed suspicious network traffic that matched the pattern "WinHttp AutoProxy Request wpad.dat Possible BadTunnel". It appeared suspicious because the systems were connecting to the external IP addresses 72.51.4.120 and 208.91.197.27, which have a bad reputation and are known for involvement in anonymization services and malware; numerous malicious domains are also associated with these IP addresses. The observed connections from these systems were to the domain name http://wpad[.]utopia[.]net/wpad.dat/.
 
The Find: The connection was being initiated because the WPAD feature was enabled on these systems. The WPAD protocol lets clients auto-discover proxy settings so that manual configuration is not needed. Moreover, the FQDNs were resolving to external IP addresses, and connections to these domains/IP addresses were allowed on the firewall.
 
Such behavior would have led to a potential man-in-the-middle attack, in which the system treats the corresponding domain as a proxy server and connects to it with the suffix /wpad.dat. All web traffic could then be monitored by the rogue proxy (in this case the external IPs 72.51.4.120 and 208.91.197.27), causing a data leak.
 
The Fix: The EventTracker Security Operations Center (SOC) recommended that the client:
  • Block the malicious external IP addresses at the firewall.
  • Disable WPAD on this system – this can be done by opening the Proxy settings from the browser and disabling the “Automatically detect settings” option. This can also be done by GPO via registry settings.
  • Integrate Websense with EventTracker to trace the domain names for the connected IP addresses.
The Lesson:
  • WPAD should be disabled across the environment. If the systems are configured to use PAC files, the configuration should be added manually in the Proxy settings.
  • DNS servers should not resolve domains containing “wpad” to external IP addresses. Web traffic with /wpad.dat in its URL should be blocked at the proxy level.
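As an added example (not part of the original catch or of EventTracker), a small Python check that flags the pattern this catch describes from proxy log lines: WPAD requests (a wpad.* host or a /wpad.dat path) that were served from addresses outside private ranges. The log line format and the sample lines are constructed; the two external addresses are the ones reported above.

```python
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample proxy log: timestamp, client IP, method, URL, server IP the
# request was sent to. The first two lines mirror this catch; the third is a
# legitimate internal WPAD server; the fourth is ordinary browsing.
SAMPLE_PROXY_LOG = """\
2019-03-01T09:12:44Z 10.20.1.15 GET http://wpad.utopia.net/wpad.dat 72.51.4.120
2019-03-01T09:12:45Z 10.20.1.15 GET http://wpad.utopia.net/wpad.dat 208.91.197.27
2019-03-01T09:13:02Z 10.20.1.16 GET http://wpad.corp.example/wpad.dat 10.0.0.5
2019-03-01T09:13:10Z 10.20.1.17 GET http://www.example.com/index.html 93.184.216.34
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<server>\S+)$"
)


def is_wpad_request(url: str) -> bool:
    """True when the request looks like WPAD auto-discovery: a wpad.* host
    or a URL path containing /wpad.dat (trailing slash variants included)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host.startswith("wpad.") or "/wpad.dat" in parts.path.lower()


def is_external(ip: str) -> bool:
    """True when the address is outside RFC 1918 / loopback / link-local space,
    i.e. a WPAD server that no internal client should be talking to."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def find_external_wpad(log_text: str) -> List[Dict[str, str]]:
    """Return one record per WPAD request that was answered by an external IP."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        rec = m.groupdict()
        if is_wpad_request(rec["url"]) and is_external(rec["server"]):
            hits.append({"client": rec["client"],
                         "host": urlsplit(rec["url"]).hostname or "",
                         "server": rec["server"]})
    return hits


if __name__ == "__main__":
    for hit in find_external_wpad(SAMPLE_PROXY_LOG):
        print(f"external WPAD: {hit['client']} -> {hit['host']} ({hit['server']})")
```

Internal WPAD servers (the 10.0.0.5 line) are deliberately not flagged, so the check is usable in an environment that still relies on PAC files while the WPAD lesson above is being rolled out.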