SOC Catch of the Day

We review billions of logs daily to keep you safe from advanced threats.


Man-in-the-middle Disrupted at Multinational

The Network: A law firm with 14 offices worldwide. Their team is supplemented 24/7 by Netsurion’s co-managed security solution.
 
The Expectation: Filtering web traffic is essential because so many threats are web-borne. Web proxies are in place with well-defined rules, and WCCP is used to redirect traffic flow in real time.
 
The Catch: Netsurion’s SOC analysts observed suspicious network traffic that matched the pattern "WinHttp AutoProxy Request wpad.dat Possible BadTunnel". This was suspicious because the systems were connecting to the external IP addresses 72.51.4.120 and 208.91.197.27, which have a bad reputation and are known to be involved in anonymization services and malware. Moreover, numerous malicious domains are associated with these IP addresses. The observed connections from these systems were to the domain name http://wpad[.]utopia[.]net/wpad.dat/.
 
The Find: The connection was being initiated because the WPAD feature was enabled on these systems. The WPAD protocol lets clients auto-discover their proxy settings so that manual configuration is not needed. Moreover, the FQDNs were resolving to an external IP address, and the connection to these domains/IP addresses was allowed on the firewall.
 
Such behavior would have led to a potential man-in-the-middle attack, in which the system treats the corresponding domain as its proxy server and connects to it to fetch the configuration script at /wpad.dat. This could allow all web traffic to be monitored by the rogue proxy (in this case the external IPs 72.51.4.120 and 208.91.197.27) and cause a data leak.
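A detection check in the spirit of the pattern the SOC matched, as an added example that is not Netsurion's own rule or code: it scans constructed proxy/firewall log lines in an assumed "timestamp src_ip dst_ip url user_agent" layout and flags WPAD script fetches whose destination is an external (globally routable) address, which is what made this traffic stand out.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample log lines (not from the original post), in the assumed
# "timestamp src_ip dst_ip url user_agent" layout. The two flagged lines use
# the destination IPs and domain named in the write-up; the others are clean.
SAMPLE_LOGS = [
    "2023-04-01T10:00:01Z 10.20.1.15 10.20.0.5 http://wpad.corp.example/wpad.dat WinHttp-Autoproxy-Service/5.1",
    "2023-04-01T10:00:02Z 10.20.1.22 72.51.4.120 http://wpad.utopia.net/wpad.dat WinHttp-Autoproxy-Service/5.1",
    "2023-04-01T10:00:03Z 10.20.1.22 208.91.197.27 http://wpad.utopia.net/wpad.dat/ WinHttp-Autoproxy-Service/5.1",
    "2023-04-01T10:00:04Z 10.20.1.30 203.0.113.9 http://www.example.com/index.html Mozilla/5.0",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<url>\S+) (?P<ua>.+)$")


def is_wpad_request(url: str) -> bool:
    """True when the request fetches a WPAD auto-configuration script."""
    parsed = urlparse(url)
    path = parsed.path.rstrip("/")  # the post shows a trailing-slash variant
    host = (parsed.hostname or "").lower()
    return path.lower().endswith("/wpad.dat") or host.startswith("wpad.")


def is_external(ip_text: str) -> bool:
    """True when the destination is globally routable (not RFC 1918 or reserved)."""
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def find_rogue_wpad(lines):
    """Return one finding per log line where a WPAD script is fetched from an external host.

    An internal WPAD server (private destination) is expected and not reported;
    a WPAD fetch that leaves the network is the rogue-proxy indicator.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        if is_wpad_request(m["url"]) and is_external(m["dst"]):
            findings.append({"src": m["src"], "dst": m["dst"],
                             "host": urlparse(m["url"]).hostname})
    return findings


if __name__ == "__main__":
    for f in find_rogue_wpad(SAMPLE_LOGS):
        print(f"ALERT rogue WPAD: {f['src']} -> {f['host']} ({f['dst']})")
```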
 
The Fix: Netsurion’s SOC recommended that the client:
  • Block the malicious external IP addresses at the firewall.
  • Disable WPAD on these systems. This can be done by opening the proxy settings from the browser and disabling the “Automatically detect settings” option, or centrally by GPO via registry settings.
  • Integrate Websense with EventTracker to trace the domain names for the connected IP addresses.
The Lesson:
  • WPAD should be disabled across the environment. If the systems are configured to use PAC files, the configuration should be added manually in the Proxy settings.
  • DNS servers should not resolve domains beginning with “wpad” to external IP addresses. Web traffic whose URL contains /wpad.dat should be blocked at the proxy level.
Copyright © 2023 Netsurion. All rights reserved.