Endpoint Protection


[SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

  • 1.  [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 10, 2020 04:31 PM
    Edited by Torb Sep 10, 2020 05:09 PM

    We are seeing multiple "[SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked" attacks against multiple Domain Controllers on Kerberos UDP 88 against LSASS.exe, coming from a VMware host.

    They started a minute after the latest IPS signature was applied.

    Is anyone else seeing these detections? Looks like a false positive, but would like confirmation.



  • 2.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 10, 2020 05:09 PM
    We have started to see this in our environment also.

    ------------------------------
    Sr. Systems Administrator
    ICU Medical
    ------------------------------



  • 3.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Broadcom Employee
    Posted Sep 10, 2020 07:39 PM
    Generally speaking, for an IPS alert that is suspected to be a false positive we would need a packet capture of the event with SEP disabled so we can see the traffic.

    Then a case should be opened and the packet capture submitted to symsubmit.
  • 4.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 10, 2020 08:23 PM
    Just noting that we're seeing this issue too.  I doubt I'll be able to provide the PCAP, however.


  • 5.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked
    Best Answer

    Broadcom Employee
    Posted Sep 10, 2020 08:55 PM
    Out of an abundance of caution we have rolled back this content. You can run LiveUpdate now. Fixed IPS content will be 9/10/20 Rev 62 and newer.
  • 6.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 11, 2020 10:20 AM
    The Rev 62 update fixed the issue.  I know it has only been a few hours, but can we expect an explanation to be posted in this thread when the analysis is complete?


  • 7.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 05:18 AM

    Dear,

    Can you please give the R62 updates, I cannot download it.

    thanks,




  • 8.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 05:18 AM
    Revision 62 has seemed to fix the issue.


  • 9.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 05:16 AM
    Another site here. Same issue.

    Primary and secondary domain controllers both with the exact same message immediately after a definition update.


  • 10.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 05:17 AM
    We are seeing the same activity on multiple domain controllers and user workstations. Will be opening a ticket with Symantec.


  • 11.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 05:19 AM
    I just heard several reports of it starting in our environment, too.

    ------------------------------
    dakkota integrated systems
    ------------------------------



  • 12.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 10, 2020 11:49 PM
    I saw the same this morning also!
    Unbelievable work from Broadcom!
    Blocked: C:\WINDOWS\SYSTEM32\LSASS.EXE
    I had to allow this signature [SID: 31485] to fix the issue in the environment.
    P2 raised for explanation!


  • 13.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 11, 2020 02:03 AM
    Yes, we got some authentication on our AD.  Fixed IPS content will be 9/10/20 Rev 62 and newer.

    ------------------------------
    Pekin Insurance
    ------------------------------



  • 14.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Broadcom Employee
    Posted Sep 11, 2020 10:38 AM
    Good Morning All,

    If the issue was resolved by the 9/10/20 Rev 62 then this was a False Positive with the 9/10/20 Rev 61 release.  For more information I would advise opening a case with support.

    ------------------------------
    John Owens
    Principal Product Support
    Symantec
    United States
    ------------------------------



  • 15.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 05:18 AM
    Dear Guys,

    Have you resolved this issue? We met the same issue.
    Please share with us,

    thanks,


  • 16.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 05:19 AM
    John,

    Thank you!  We began seeing this on workstations, validated the IPS Rev 62 and are in the process of identifying affected workstations, updating the client, ensuring they get to rev 200910062 and testing that this resolves the issue.

    Thanks again,
    Doug Wood


  • 17.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 04:29 AM
    Seeing the same thing.  Blocking lsass.exe between our domain controllers and servers/end user computers.  Has to be a bad signature.


  • 18.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 04:30 AM
    Yes! This is happening at my business as well. Only getting alerts on their endpoints, with the source coming from our Domain Controllers.


  • 19.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 04:30 AM
    Yes, same thing happening at my business. We are Hyper-V, not VMware.


  • 20.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 04:30 AM
    Yes, your network is lighting up with that message.


  • 21.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 04:30 AM
    We also just started seeing this.


  • 22.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 04:33 AM
    We are also seeing these alerts and users are reporting pop-ups for Outbound traffic and Norton power eraser to 'fix' the issue...  hoping this is indeed a false positive.


  • 23.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 04:34 AM
    We are seeing this as well


  • 24.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 04:35 AM
    Yes, we are seeing these pop up in our environment. In our case it seems to have to do with clients reaching out to Domain Controllers on Port 88, which is Kerberos. So that's expected traffic.

    It could be something is trying to abuse Kerberos, like a real trojan on these clients, but we've seen no actual evidence of that, and trying to uncover Broadmantec's documentation about this particular attack has proven fruitless.


  • 25.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 05:15 AM
    yes, we are seeing a lot of these alerts.  I've opened a support ticket.


  • 26.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 05:15 AM
    Same issue here.  Started around 3p-4p EST.  Most of the endpoints had an IPS event for LSASS.exe communicating with the Domain Controllers.  We back-revved the IPS signature to the 9/9/20 release and it cleared things up.  The 9/10/20 IPS signature ended up creating over 36,000 attack events in our enterprise.  We opened a support ticket with Symantec and have not heard anything from them.  Unacceptable for there not to be a published support bulletin on this by now.


  • 27.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 05:15 AM
    We have also started to see this alert but only just this morning


  • 28.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 05:17 AM
    Seeing this issue on our end as well, leaving our client unable to complete a lot of their work due to needing to connect to servers.


  • 29.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 05:17 AM
    We are seeing this exact alert as well for a few different clients still on SEPC.  IPS pattern 9.0.2.1609 Definitions Set version: 20200910.061


  • 30.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Broadcom Employee
    Posted Sep 14, 2020 05:17 AM
    We have rolled back IPS signatures to 09/10/20 rev 62 as we investigate this. Run LiveUpdate now to get the definitions mentioned, these should resolve the detection for you.
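    Added example, not from any poster or from Broadcom: a small triage helper that sorts exported IPS events into the profile reported across this thread (SID 31485 firing on lsass.exe over Kerberos port 88, corrected in the 9/10/20 Rev 62 content) and lists hosts that still need LiveUpdate. The CSV layout, host names and the placeholder SID 99999 are constructed for the example and are not real SEP log output.

```python
import csv
import ntpath
from io import StringIO

FP_SID = 31485
FIXED_DEFS = (20200910, 62)  # "9/10/20 Rev 62 and newer" carries the corrected IPS content

# Constructed sample events in a simplified CSV layout (not real SEP log output):
# host, signature id, local process, remote port, IPS definition set version
SAMPLE_EVENTS = """\
host,sid,process,remote_port,defs
DC01,31485,C:\\WINDOWS\\SYSTEM32\\LSASS.EXE,88,20200910.061
WS-1042,31485,C:\\WINDOWS\\SYSTEM32\\LSASS.EXE,88,20200910.061
WS-2231,31485,C:\\WINDOWS\\SYSTEM32\\LSASS.EXE,88,20200910.062
WS-0077,31485,C:\\Temp\\unknown.exe,88,20200910.061
DC02,99999,C:\\WINDOWS\\SYSTEM32\\LSASS.EXE,445,20200910.061
"""


def parse_defs(version):
    """Turn '20200910.061' (date.revision, as posted in the thread) into (20200910, 61)."""
    date, rev = version.split(".")
    return int(date), int(rev)


def classify(event):
    """Sort one IPS event into a triage bucket for the SID 31485 false positive."""
    if int(event["sid"]) != FP_SID:
        return "unrelated"
    matches_profile = (
        ntpath.basename(event["process"]).lower() == "lsass.exe"
        and int(event["remote_port"]) == 88  # Kerberos
    )
    if matches_profile and parse_defs(event["defs"]) < FIXED_DEFS:
        return "likely_fp_stale_defs"  # expected pattern: client has not yet pulled Rev 62
    # Either the process/port do not fit the reported profile, or the alert fired
    # on corrected content; both deserve a closer look instead of a blanket allow.
    return "investigate"


def triage(csv_text):
    """Return {host: bucket} for a batch of exported events."""
    return {row["host"]: classify(row) for row in csv.DictReader(StringIO(csv_text))}


def needs_liveupdate(csv_text):
    """Hosts whose alerts match the known false positive and are still on pre-Rev 62 content."""
    return sorted(h for h, b in triage(csv_text).items() if b == "likely_fp_stale_defs")
```

Hosts returned by needs_liveupdate are the ones to push LiveUpdate to; anything in the "investigate" bucket should be checked before the signature is allowed.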


  • 31.  RE: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked

    Posted Sep 14, 2020 05:19 AM
    The signature [SID: 31485] Infected system: Trojan.Backdoor Activity 410 no longer appears on the IPS.
    I think it was really a false positive and Broadcom removed that signature on IPS.

    ------------------------------
    DSR9 Tecnologia da Informacao LTDA
    ------------------------------