Man-in-the-middle Disrupted at Multinational

The Network: A law firm with 14 offices worldwide. Their team is supplemented 24/7 by EventTracker’s co-managed security solution.
 
The Expectation: Filtering web traffic is essential due to the fact that so many threats are web-borne. Web proxies are in effect with well-defined rules. WCCP is used to redirect traffic flow in real time
 
The Catch: Our SOC analysts observed suspicious network traffic that matched a pattern: WinHttp AutoProxy Request wpad.dat Possible BadTunnel. This appeared suspicious because the systems were connecting to the external IP addresses of 72.51.4.120 and 208.91.197.27, which are bad reputed and known for being involved in Anonymization services/Malware. Moreover, numerous malicious domains are associated with this IP address. The observed connection from these systems were to the domain name: http://wpad[.]utopia[.]net/wpad.dat/. 
 
The Find: The connection was being initiated because of the WPAD feature enabled on these systems: WPAD protocol is used to enable clients to auto-discover the proxy settings, so manual configuration is not needed. Moreover, the FQDNs were resolving to an external IP address and the connection to these domains/IP addresses was allowed on the firewall.
 
Such a behavior would have led to a potential man-in-the-middle attack, in which the system considers the corresponding domain as a proxy server and connects to it with the suffix /wpad.dat. This could lead all the web traffic to be monitored by the rogue proxy (in this case the external IP: 72.51.4.120 and 208.91.197.27) and cause a data leak.
 
The Fix: The EventTracker Security Operations Center (SOC) recommended that the client:
  • Block the malicious external IP addresses at the firewall.
  • Disable WPAD on this system – this can be done by opening the Proxy settings from the browser and disabling the “Automatically detect settings” option. This can also be done by GPO via registry settings.
  • Integrate Websense with EventTracker to trace the domain names for the connected IP addresses.
The Lesson:
  • WPAD should be disabled across the environment. If the systems are configured to use PAC files, the configuration should be added manually in the Proxy settings.
  • DNS servers should not be resolving domains with “wpad”, to external IP addresses. Web traffic with /wpad.dat in its FQDN should be blocked at the proxy level.