CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Microsoft Azure acting as C&C?

  1. #1
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    223
    Rep Power
    6

    Microsoft Azure acting as C&C?

    This morning, a bunch of Anti-Bot events popped up saying that the Anti-Bot Blade prevented communication with C&C site 13.107.4.52. The protection name is Operator.Trickbot.dh.
    A reverse lookup shows that 13.107.4.52 is a Microsoft Azure IP address.

    How big is the probability that we have a false positive here?

  2. #2
    Join Date
    2007-06-04
    Posts
    3,242
    Rep Power
    15

    Re: Microsoft Azure acting as C&C?

    Colleagues have seen some of this, based on the protection name.

    There was some investigation work done which indicated that it is likely a false positive.

    It was reported to Check Point and is waiting on resolution/confirmation at the moment.

  3. #3
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,383
    Rep Power
    15

    Re: Microsoft Azure acting as C&C?

    This was a false positive.

    The URL in question was being communicated with by the Trickbot Banking Trojan as part of a connectivity check.
    It was added as a Command and Control site into ThreatCloud.
    Within 5 hours, the URL was revoked.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
