A law firm with 14 offices worldwide. Their team is supplemented 24/7 by SIEMphonic, EventTracker’s co-managed security solution.
Filtering web traffic is essential because so many threats are web-borne. Web proxies are in place with well-defined rules, and WCCP is used to redirect traffic flow in real time.
Our SOC analysts observed suspicious network traffic that matched the pattern "WinHttp AutoProxy Request wpad.dat Possible BadTunnel". This appeared suspicious because the systems were connecting to the external IP address 220.127.116.11, which has a bad reputation and is known for involvement in anonymization services and malware. Moreover, numerous malicious domains are associated with this IP address. The observed connections from these systems were to the domain name http://wpad[.]utopia[.]net/wpad.dat/.
The connection was being initiated because the WPAD feature was enabled on these systems: the WPAD protocol lets clients auto-discover proxy settings so that manual configuration is not needed. The FQDNs were resolving to an external IP address, and the connection to these domains/IP addresses was allowed on the firewall.
Such behavior could have led to a man-in-the-middle attack, in which the system treats the corresponding domain as its proxy server and fetches the configuration from it with the suffix /wpad.dat. This could allow all web traffic to be routed through and monitored by the rogue proxy (in this case the external IPs 18.104.22.168 and 22.214.171.124) and cause a data leak.
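The detection logic behind this case, as an added example that is not EventTracker's or SIEMphonic's own code: it scans constructed proxy/firewall log lines in an assumed key=value format and flags any wpad.dat fetch, or any "wpad." hostname, whose destination resolves outside the assumed internal address ranges. The hostnames and addresses in the sample lines are placeholders, not the indicators from the case above.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumption: a legitimate corporate WPAD host resolves to one of these ranges;
# a wpad.dat fetch to any other destination is treated as suspicious.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed log format for this example (src=, dst=, host=, path= fields).
LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+host=(?P<host>\S+)\s+path=(?P<path>\S+)")

@dataclass
class Finding:
    src: str
    dst: str
    host: str
    reason: str

def is_internal(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)

def check_line(line: str):
    """Return a Finding for a WPAD request to an external address, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, host, path = m.group("src", "dst", "host", "path")
    # Trailing slash tolerated: the case above showed ".../wpad.dat/".
    wpad_fetch = path.lower().rstrip("/").endswith("/wpad.dat")
    wpad_host = host.lower().startswith("wpad.")
    if not (wpad_fetch or wpad_host) or is_internal(dst):
        return None  # normal browsing, or WPAD served by an internal host
    reason = ("wpad.dat fetched from external address" if wpad_fetch
              else "wpad hostname resolved to external address")
    return Finding(src, dst, host, reason)

def scan(lines):
    return [f for f in map(check_line, lines) if f is not None]

# Constructed sample log lines (documentation address ranges, placeholder names).
SAMPLE_LOGS = [
    "t=1 src=10.1.4.22 dst=10.1.0.5 host=wpad.corp.example path=/wpad.dat",
    "t=2 src=10.1.4.23 dst=203.0.113.7 host=wpad.example.net path=/wpad.dat/",
    "t=3 src=10.1.4.24 dst=198.51.100.9 host=www.example.org path=/index.html",
    "t=4 src=10.1.4.25 dst=203.0.113.8 host=wpad.example.net path=/",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.src} -> {f.dst} ({f.host}): {f.reason}")
```

Only lines 2 and 4 are reported; the internal WPAD fetch on line 1 is the expected auto-discovery pattern and is left alone.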
Recommendations to the client by our ECC:
- Block the malicious external IP addresses at the firewall.
- Disable WPAD on this system – this can be done by opening the Proxy settings from the browser and disabling the “Automatically detect settings” option. This can also be done by GPO via registry settings.
- Integrate Websense with EventTracker to trace the domain names for the connected IP addresses.
- WPAD should be disabled across the environment. If the systems are configured to use PAC files, the configuration should be added manually in the Proxy settings.
- DNS servers should not resolve "wpad" domains to external IP addresses. Web traffic with /wpad.dat in its URL should be blocked at the proxy level.