: A mid-size financial institution on the U.S. East Coast. Hundreds of devices on the internal network. Redundant network connectivity to the internet; top-of-the-line network equipment.
: EventTracker Co-Managed SIEM services, advanced endpoint protection, and behavior analytics would deliver added protection for the IT team.
: Careful review of firewall logs showed an attempted https request smuggling attack
(HRS). Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it.
: The firewall detected http.Request.Smuggling
attack from the External IP address 188.8.131.52
to Proxy server. Since connections were allowed, as expected, connections bypassed the Firewall and reached proxy. Connections were initiated to website www2.pplcnhld.com which is a known
: Devices handling HTTP requests in between the client and server are vulnerable to HRS. The following devices on the client side are prone to HRS attacks:
- Cache server used to cache the static pages to limit bandwidth traffic. Cache servers are prone to cache poisoning using HRS.
- Proxy server used to connect the internal LAN to the internet. Request hijacking can be possible by using proxy server.
- Firewall used to protect website or internal LAN from other networks. Firewalls are prone to Worm attack using HRS.
- Other devices such as SSL accelerator, IDS, Load balancer, and internet browsers are also prone to HRS attacks.
Our SOC responded to the customer with all investigation findings and recommended the following actions:
- Blocking the URL and IP addresses in the proxy and firewall.
- Investigate further on the internal source system and Proxy devices.
- Checking the browser and system infection and running the Anti-Virus scans.
- Integrating Proxy server with EventTracker.
- Hardening and updating Proxy and firewall with the IOCs.
: After examining the proxy logs, the outbound connection to the compromised website was identified and blocked on all external-facing firewalls. Dark trace was monitored for any further attempts to reach the problem site.
Perfect protection is not practical, so monitoring is necessary.