02-11-2020 06:16 AM
Things appeared to go sideways yesterday (02/10) with regard to the data in the SLIC feed, as we received 40+ alerts of C&C activity as users were browsing to www.google.com. The destination IPs were what is expected for Google.
The destination C&C server group in question was Azorult.
Today it seems to have returned to normal.
A couple of questions:
I'm looking for a way to query the IP addresses in a given SLIC feed host group.
Curious if anybody else saw similar behavior.
Thanks,
Bob
02-12-2020 09:43 PM
We have no option to look up IPs in the SLIC database. This data is OEMed and they don't give permission to do it.
Recently there are many cloud-based hosted services like Google Cloud, AWS and so on. If one of the publicly hosted IPs is infected with malware and becomes part of a botnet, SLIC will add the IP to the list. In another case, our vendor's honeypot finds attacks that have a crafted source IP the same as a Google-owned one and adds it to the list.
If you find this kind of issue, please contact TAC and they can escalate it to the OEM vendor to resolve it.
In your case, probably the vendor got a support request from someone who owns/runs the IP and fixed it. Security Intelligence is based on mutual cooperation, so customer feedback is important to maintaining an accurate database.
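The reply above explains two ways a legitimate provider IP ends up in a C&C host group (an infected cloud-hosted machine, or a honeypot recording a spoofed source address). Before opening a TAC case, a practitioner usually wants a quick triage of which flagged destinations fall inside the provider's published address space. The script below is an added example written for this thread; it is not code from the original posts, from Stealthwatch, or from the SLIC feed. The alert fields, the prefix list and the sample alerts are all assumptions constructed for illustration, and the prefixes are illustrative entries rather than an authoritative list of Google or AWS ranges.

```python
"""Triage "C&C" alerts whose destination may be a legitimate provider IP.

Added example, not part of the forum thread or any Cisco tooling. It assumes
alerts have been exported as (source IP, destination IP, host group) records;
the field names and the prefix list below are assumptions for illustration.
"""
import ipaddress
from collections import defaultdict

# Assumed provider netblocks. Illustrative entries only: in practice load the
# provider's own published ranges (Google, AWS and others publish JSON lists)
# and refresh them regularly instead of hard-coding them.
PROVIDER_PREFIXES = {
    "google": ["142.250.0.0/15", "172.217.0.0/16"],
    "aws": ["52.94.0.0/16"],
}

# Constructed sample alerts, loosely modelled on the thread: users browsing to
# Google get "Azorult" C&C hits on ordinary Google destination IPs, plus a
# couple of hits on addresses outside any known provider range.
SAMPLE_ALERTS = [
    {"src": "10.1.4.22", "dst": "142.250.74.68", "group": "Azorult"},
    {"src": "10.1.4.23", "dst": "142.251.3.99", "group": "Azorult"},
    {"src": "10.1.7.5", "dst": "172.217.16.46", "group": "Azorult"},
    {"src": "10.1.9.14", "dst": "172.217.22.14", "group": "Azorult"},
    {"src": "10.1.2.8", "dst": "203.0.113.7", "group": "Azorult"},
    {"src": "10.1.3.3", "dst": "198.51.100.9", "group": "Smokeloader"},
]


def build_networks(prefix_map):
    """Parse the prefix strings once into ip_network objects."""
    return {
        owner: [ipaddress.ip_network(p, strict=True) for p in prefixes]
        for owner, prefixes in prefix_map.items()
    }


def owner_of(ip, networks):
    """Return the provider name whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for owner, nets in networks.items():
        if any(addr in net for net in nets):
            return owner
    return None


def triage(alerts, networks):
    """Annotate each alert with the provider (if any) that owns its destination."""
    return [dict(a, owner=owner_of(a["dst"], networks)) for a in alerts]


def summarize(triaged):
    """Per C&C host group: how many destinations sit in provider ranges vs elsewhere."""
    summary = defaultdict(lambda: {"provider_owned": 0, "other": 0})
    for a in triaged:
        key = "provider_owned" if a["owner"] else "other"
        summary[a["group"]][key] += 1
    return dict(summary)


def suspect_feed_groups(summary, min_alerts=3, ratio=0.75):
    """Host groups where most alerts point at provider-owned address space.

    A high ratio is a signal to query the feed vendor, not proof the hits are
    benign: a provider-hosted VM really can be a C&C node, so keep the
    non-provider destinations in the same group under normal investigation.
    """
    flagged = []
    for group, counts in summary.items():
        total = counts["provider_owned"] + counts["other"]
        if total >= min_alerts and counts["provider_owned"] / total >= ratio:
            flagged.append(group)
    return sorted(flagged)


if __name__ == "__main__":
    nets = build_networks(PROVIDER_PREFIXES)
    triaged = triage(SAMPLE_ALERTS, nets)
    for a in triaged:
        print(f'{a["group"]:<12} {a["dst"]:<16} owner={a["owner"]}')
    summary = summarize(triaged)
    print(summary)
    print("groups to raise with the feed vendor:", suspect_feed_groups(summary))
```

On the constructed sample this flags only Azorult (four of five destinations in provider space); Smokeloader has too few alerts to judge. The output is a triage aid for the TAC case, not a reason to suppress the alerts: the reply above notes that a provider-hosted host can genuinely be part of a botnet, and a feed entry added from a honeypot's spoofed source address looks identical to a real one from the alert alone.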
10-22-2020 02:03 AM
We have experienced similar cases several times, mostly associated with Azorult and Smokeloader.
As was stated above, I also think this will probably happen because Google or other service providers have malware hosted on one server and this IP gets flagged as a C&C server, which triggers the events for normal Google traffic.
As far as I know, Cisco is working on a migration for the security intelligence feed to TALOS, so I guess we can expect a change for this behaviour in the future.