09-26-2016 11:01 AM - edited 02-20-2020 09:02 PM
I'm getting this email notification, but I don't know if this is just a notification or if the network is in danger.
Here is what the exact email says.
[1:40268:1] "MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected" [Impact: Vulnerable] From "xx.xxx.x.xxx" at Mon Sep 26 17:52:05 2016 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {tcp} 104.47.37.73:15269 (united states)->xx:xxx:xxx:xxx:25 (unknown).
Is my network being compromised, or is this just a notification that it stopped the malware? I've been getting this email notification consistently today, and we've never had an issue before.
Thanks,
09-28-2016 02:29 AM
Hi svillagrana,
In the last couple of days there have been a lot of reports of 1:40268:1 (Rev 1) firing on email signature jpg images and as a result the rule has been modified and is pending review. A new revision of the rule (Rev 2) will be available in future SRU updates.
That said, as Kevon advised you might want to investigate this internally to determine if this is FP or not. If this is firing on outgoing email signature jpg images, chances are it could be FP. However, events on incoming emails should be further investigated internally to determine if it's from a trusted source.
Please feel free to contact Firepower TAC for further queries.
Thanks,
~ Binyam
09-26-2016 11:42 AM
Hello svillagrana
The intrusion event is alerting you that the Firepower sensor is seeing traffic matching this intrusion rule in your network traffic.
More information regarding this specific Malware can be found below:
Here is some additional information regarding the malware: http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
So the rule is written to detect traffic matching malicious network traffic associated with this Malware in traffic coming from $EXTERNAL_NET (IP addresses external to your local subnet) going to your SMTP servers to TCP Port 25 (SMTP).
You would need to investigate the source of this traffic and why you would be receiving such traffic directed at your Mail servers.
The intrusion event would also have a packet capture available with the packet that triggered the intrusion event for further analysis.
09-27-2016 11:52 PM
We opened a case with Cisco TAC and the FirePower team replied that this had been identified as false-positive.
09-28-2016 12:49 AM
So what can I do about the 50+ email notifications that I'm getting per day and throughout the night?
09-28-2016 10:23 AM
Hello Team,
Please disable the signature as the new release of SRU will be out soon.
Rate and mark correct if the post helps you.
Regards
Jetsy
09-29-2016 02:25 PM
As of SRU number: 2016-09-28-001, no change. We have moved this to Alert only. Much of the traffic was from customers we have had for a long time. We will continue to monitor, but I believe everything we are seeing is FP at this point.
10-05-2016 11:27 AM
This was resolved in the 2016-09-30 SRU.
Thanks,
Matthew Franks
09-28-2016 01:53 AM
We are getting the same messages from our FirePower system.
So do we just disable the signature or what is the proposed solution from TAC?
Are they fixing their IPS Signatures and we update?
Thanks for a reply
Regards
Alex
09-28-2016 09:21 AM
Below is their response. However there is no ETA for the new SRU. We have decided to leave the rule in-place and just delete the 100+ messages per day until it is resolved.
-------------------------------------------------------
Action Plan: Explain issues with 40268
Our research team TALOS has confirmed that recently released SID 1:40268:1 is generating false positives for customers.
A new revision is going through the QA process now and we expect it to be released in one of the next SRU updates. For the time being, you can set 40268 to generate events only or disable it until the new revision is out.
09-28-2016 10:20 AM
Hi all
I have the same issue here. We are investigating but looks like a FP. We will wait the next SRU to correct this FP.
Thx,
~Pablo
09-28-2016 04:11 PM
"However, events on incoming emails should be further investigated..."
All of mine are incoming. The rule is written to trigger on incoming SMTP.
My question is, if the rule is creating false positives, will it also create a true positive for a malicious attack? If the rule will not trigger a true positive then I will disable the rule.
09-28-2016 09:06 AM
We have the same trouble and also just opened a case. Hopefully they already have the new SRU update if ours is determined to be a false-positive.