Advanced Threat Protection C2/Generic-A

Hello,

    I am wondering if I am seeing false positives or not? Every machine in my network hit on an IP address today according to ATP. The IP address is 205.185.216.10. Some show as IpTables and others as AFCd. I checked the Advanced Threat Protection log and I do see the entries since 16:32. I also checked the Web Filtering Log and I see multiple entries there with that as the destination IP. This is seeing the Windows Update application in there. Though when I do an IP lookup on it, it shows for Highwinds Network group. I have sent an email to abuse@hwng.net, and am preparing to send an email to Microsoft as it might be possible that Windows Update has been hijacked.

Just not sure if these are legitimate or not.  Plus maybe someone else was seeing the same thing.


Thank You.



  • The offending IP is being used by www.download.windowsupdate.com


    It looks to be an issue with Microsoft. I turned on DNS logging and the same IP that popped into the ATP log as having a dropped packet due to the ATP alert also had a DNS entry trying to send a UDP packet to windowsupdate. If you try to go to that link above, it first redirects to a non-secured page www.update.microsoft.com/.../default.aspx then on to a secure page with a different URL support.microsoft.com/.../windows-update-faq. And the non-secured page, when trying to browse to it via https, has a broken cert due to a weak signature algorithm. So it looks to be an issue on MS end and with their cert.

  • That is what I thought and I am in contact with Microsoft right now, I put a scare in telling them that Windows Update may have been hijacked.  They are currently still on the line with me but say they are looking into the reason.

  • I have four UTMs where the ATP has triggered and they all point to 205.185.216.10.

    Googling that IP address shows that it is considered a malware confirmed IP address by several different sites. All of the source IP addresses going to that IP address have been Windows 10, Windows Server 2019, Windows Server 2012. In some cases, the Windows hosts are protected by Sophos Endpoint and if servers, protected by Intercept-X. In other cases, devices are protected by Kaspersky Small Business Security.

  • Hi guys, I have the exact same alert on my UTM, coming from both my DNS servers. 205.185.216.10 seems to be the trigger for it.


    Are you certain that that www.download.windowsupdate.com uses this IP? I keep seeing servedby.flashtalking.com in my DNS debug logs. Doing a DNS lookup on whatismyip.com gives me this:


    IPv4 address for servedby.flashtalking.com
    Domain Name Server: 205.185.216.42
    Domain Name Server: 205.185.216.10


    Is anyone else seeing this 'flashtalking' hostname in their DNS logs? I'm not certain if this IP is a bad actor, or if it's owned by Microsoft. Can anyone chime in? Thank you.

  • Our ATP started alarming today as well. All queries from our DNS server trying to resolve 205.185.216.10. I also see ATP triggering with the source IPs of 209.197.2.10 and 69.16.174.10 which are the Highwinds name servers. My assumption is that those were DNS responses being caught. 

    I would like to see a response from Sophos as to the legitimacy of this alarm. The last ATP alarm storm we went through was a false positive. 

    D
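Several replies above triage the alert the same way: the ATP source is an internal DNS server, so the question is which hostname the server resolved to the flagged IP and which client asked for it. The script below, added here as an illustration and not code from the thread or from Sophos, joins constructed ATP alert lines with constructed resolver log lines to answer that question; both log formats are made up for the example and do not match the UTM's real log layout. A flagged destination with no matching DNS answer is reported separately, since that is the case where the DNS host itself, rather than a client it served, would need a look.

```python
"""Triage ATP alerts whose source is an internal DNS server by joining them
with the resolver's query log.

Added example for this thread; it is not Sophos code and not the thread's
own tooling.  Both log formats below are constructed for illustration and
do not reproduce the UTM's real log layout.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed ATP alert lines: source is the internal DNS server that
# relayed the answer, destination is the flagged IP (as in the thread).
ATP_ALERTS = """\
16:32:05 src=10.0.0.53 dst=205.185.216.10 threat=C2/Generic-A action=drop
16:32:09 src=10.0.0.54 dst=205.185.216.10 threat=C2/Generic-A action=drop
16:40:11 src=10.0.0.53 dst=198.51.100.7 threat=C2/Generic-A action=drop
"""

# Constructed resolver query log: which internal client asked for which
# name, and which address came back in the answer.
DNS_LOG = """\
16:32:04 client=10.0.1.25 query=www.download.windowsupdate.com answer=205.185.216.10
16:32:08 client=10.0.1.77 query=servedby.flashtalking.com answer=205.185.216.10
16:32:08 client=10.0.1.77 query=servedby.flashtalking.com answer=205.185.216.42
16:32:10 client=10.0.1.90 query=cdn.example.net answer=edge.example.net
16:35:00 client=10.0.1.25 query=example.org answer=203.0.113.9
"""

ATP_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+threat=(\S+)")
DNS_RE = re.compile(r"client=(\S+)\s+query=(\S+)\s+answer=(\S+)")


def flagged_destinations(atp_text):
    """Return {dst_ip: set(src_ips)} for every alert line."""
    flagged = defaultdict(set)
    for line in atp_text.splitlines():
        m = ATP_RE.search(line)
        if m:
            src, dst, _threat = m.groups()
            flagged[dst].add(src)
    return flagged


def answers_by_ip(dns_text):
    """Return {answer_ip: {qname: set(clients)}}; non-IP answers (CNAMEs)
    are skipped because they can never match a flagged address."""
    index = defaultdict(lambda: defaultdict(set))
    for line in dns_text.splitlines():
        m = DNS_RE.search(line)
        if not m:
            continue
        client, qname, answer = m.groups()
        try:
            ipaddress.ip_address(answer)
        except ValueError:
            continue
        index[answer][qname].add(client)
    return index


def correlate(atp_text, dns_text):
    """For each flagged destination, list the hostnames that resolved to
    it and the clients that asked.  An empty mapping means no DNS answer
    explains the alert, so the DNS server itself may be the origin."""
    index = answers_by_ip(dns_text)
    result = {}
    for dst in flagged_destinations(atp_text):
        result[dst] = {q: sorted(c) for q, c in index.get(dst, {}).items()}
    return result


if __name__ == "__main__":
    for dst, names in correlate(ATP_ALERTS, DNS_LOG).items():
        if names:
            for qname, clients in names.items():
                print(f"{dst} <- {qname} asked by {', '.join(clients)}")
        else:
            print(f"{dst} has no matching DNS answer: check the resolver host")
```

On the constructed input, 205.185.216.10 is explained by two lookups (windowsupdate and flashtalking, the two names mentioned in this thread) from two clients, while 198.51.100.7 has no DNS answer behind it and is the one worth a closer look.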

  • Ditto what other people have already said - I've had two UTMs trigger with the 205.185.216.10 IP address. In both cases the tracked IP addresses were from the local DNS servers, I'm hoping these are false positives, otherwise I have a problem (which given one of the locations is a closed office, with only a couple of servers running is hopefully unlikely).

  • I have exactly the same on our UTM from 4 DNS Servers. No word yet from Sophos??

  • We have over 100 locations and almost all of them are having this same issue. I'm just trying to confirm this is not some command and control happy Memorial Day Zero Day!

  • Hello MikeRM275,

    Thank you for contacting the community.

    Just to confirm this was a False Positive and labs have fixed the issue already.

    This is the official KB with the information about this.

    ===

    False Positive detection for Threat ID: 811385046 that produced C2/Generic detections

    https://community.sophos.com/kb/en-us/135509

    ===

    At this point there is no action required, except to check that Pattern Download/Installation Interval is at least enabled to check every 15 minutes (Management >> Up2date >> Configuration).

    You can also confirm the pattern is up2date by running the command below, and make sure you have the latest APTP installed which is 9-35-908.

    utm1:/var/log # rpm -qa | grep u2d
    u2d-aws-9-291
    u2d-savi-9-15559
    u2d-avira4-9-7794
    u2d-ipsexception-9-6
    u2d-clvbrowser-9-44
    u2d-geoipxtipv6-9-109
    u2d-geoip-7-168
    u2d-man9-9-1027
    u2d-ipsbundle2-9-311
    u2d-aptp-9-35908
    u2d-owaspcrs-9-18
    ep-u2d-download-9.30-0.190218485.ga937bb2
    u2d-cadata-9-110
    u2d-appctrl43-9-62
    u2d-ohelp9-9-1071


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
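The answer above asks readers to run `rpm -qa | grep u2d` and confirm the APTP pattern is current. The script below is an added example, not Sophos code: it parses the package list quoted in the answer and compares each package of interest against a minimum version. The only minimum taken from the thread is u2d-aptp 9-35908 (the package string as it appears in the rpm output); the other entry in MINIMUMS is a placeholder chosen only to exercise the check. The ep-u2d-download package uses a different version scheme and is deliberately skipped.

```python
"""Check the UTM's Up2Date pattern packages against expected minimum
versions, parsing the `rpm -qa | grep u2d` output quoted in the answer.

Added example; it is not Sophos code.  The only minimum taken from the
thread is u2d-aptp 9-35908; the other entry in MINIMUMS is a placeholder
chosen to exercise the check and carries no meaning.
"""
import re

# Output copied from the answer above; used here as the sample input.
RPM_OUTPUT = """\
u2d-aws-9-291
u2d-savi-9-15559
u2d-avira4-9-7794
u2d-ipsexception-9-6
u2d-clvbrowser-9-44
u2d-geoipxtipv6-9-109
u2d-geoip-7-168
u2d-man9-9-1027
u2d-ipsbundle2-9-311
u2d-aptp-9-35908
u2d-owaspcrs-9-18
ep-u2d-download-9.30-0.190218485.ga937bb2
u2d-cadata-9-110
u2d-appctrl43-9-62
u2d-ohelp9-9-1071
"""

# Package names such as u2d-aptp followed by <major>-<build>.  The
# ep-u2d-download line has a different scheme and is deliberately skipped.
PKG_RE = re.compile(r"^(u2d-[A-Za-z0-9]+)-(\d+)-(\d+)$")

# Assumed minimums: the aptp value is from the thread; the other entry is
# a placeholder for illustration only.
MINIMUMS = {
    "u2d-aptp": (9, 35908),
    "u2d-ipsbundle2": (9, 300),
}


def parse_u2d(text):
    """Return {package: (major, build)} for every matching line."""
    installed = {}
    for line in text.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            name, major, build = m.groups()
            installed[name] = (int(major), int(build))
    return installed


def check_minimums(installed, minimums):
    """Return [(package, installed_version_or_None, required)] for every
    package that is missing or older than required; an empty list is OK."""
    problems = []
    for name, required in minimums.items():
        have = installed.get(name)
        if have is None or have < required:
            problems.append((name, have, required))
    return problems


if __name__ == "__main__":
    for name, have, need in check_minimums(parse_u2d(RPM_OUTPUT), MINIMUMS):
        state = "missing" if have is None else f"{have[0]}-{have[1]}"
        print(f"{name}: installed {state}, need {need[0]}-{need[1]}")
```

Versions are compared as (major, build) tuples, so a package is only accepted when both parts are at or above the required value; a missing package is reported rather than silently passed.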