topic Re: Secshow.net in Cortex XDR Discussions

Secshow.net

ade.reza — Sun, 22 Oct 2023 04:18:06 GMT

Hi All,

can you help for information i need

attach the picture.

what are the meaning thread id tunneling:secshow.net ?

thanks

Re: Secshow.net

amjadkhan — Mon, 23 Oct 2023 05:54:40 GMT

Hello All,

I am getting the same threat log with Threat ID tunneling: secshow.net. and continuously sinkhole the traffic. If anyone can help identifying what is that.

Thanks

Re: Secshow.net

JayGolf — Wed, 25 Oct 2023 06:58:53 GMT

Hi @ade.reza , @amjadkhan ,

Can you shared a screenshot of the detailed log view?

Re: Secshow.net

Faraculla_azizli — Tue, 28 Nov 2023 07:44:31 GMT

Hello all,

I have the same problem, any updates ?

Re: Secshow.net

jasonwald — Tue, 28 Nov 2023 14:49:41 GMT

Same problem here also. The other strange part is, that they typically occur from one of my external IP's going to another of my external IP's.

   Domain Name: SECSHOW.NET
   Registry Domain ID: 2793806009_DOMAIN_NET-VRSN
   Registrar WHOIS Server: grs-whois.hichina.com
   Registrar URL: http://wanwang.aliyun.com
   Updated Date: 2023-06-27T02:10:51Z
   Creation Date: 2023-06-27T02:07:57Z
   Registry Expiry Date: 2024-06-27T02:07:57Z
   Registrar: Alibaba Cloud Computing Ltd. d/b/a HiChina (www.net.cn)
   Registrar IANA ID: 1599
   Registrar Abuse Contact Email: DomainAbuse@service.aliyun.com
   Registrar Abuse Contact Phone: +86.95187
   Domain Status: ok https://icann.org/epp#ok
   Name Server: DNS23.HICHINA.COM
   Name Server: DNS24.HICHINA.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2023-11-28T14:47:52Z <<<

Re: Secshow.net

Faraculla_azizli — Wed, 29 Nov 2023 05:47:45 GMT

Unfortunately, in my case, local host is behind NAT, so that I cannot see either Source User or machine IP or MAC.

Re: Secshow.net

TylerMuch — Wed, 13 Dec 2023 17:36:23 GMT

secshow.net and secshow.online DNS traffic happening for us too, public IP to Public IP. The URLs not matching with typical syntax for DNS tunnelling so I don't think that's what's happening. One domain owned by alibaba.

Ever since the upgrade in October to 10.1.11 this has been happening - did not see any patch notes about this or DNS. Many changes though in this release.

Upgrading to 10.2.7 soon and wondering if this will fix it.

@JayGolf - if palo has any updates or communications for their customers about this it would be great. Seems like a widespread issue that hasn't been communicated. Given that this is setting off security alerts some sort of note would be great that Palo is at least aware if this is a bug and is working on a fix.

Re: Secshow.net

jasonwald — Wed, 13 Dec 2023 22:23:37 GMT

Unfortunately 10.2.7 does not fix this. It is still going strong on my 450's with 10.2.7

Re: Secshow.net

Andreikin — Sat, 20 Jan 2024 09:31:04 GMT

Hi, @jasonwald and @JayGolf we are having similar looking issue. Is there any progress finding out where such traffic is coming from?

Re: Secshow.net

antispoof — Sun, 21 Jan 2024 00:07:06 GMT

I'm not a Palo Alto user, but I've been receiving this traffic for several months. It appears to be someone spoofing an adjacent source address while making DNS queries to every IPv4 address, and checking which IPs end up forwarding the query to a recursive resolver. Presumably the goal is to find open resolvers for DNS amplification attacks or similar. The hex string in the secshow.net DNS name corresponds with the IP address being spoofed, and I've been messing with their results by making DNS queries for random IPs whenever the spoofer is active. It appears to be working, as they've ramped up the frequency of scans, and made some modifications to the hostname format. Hopefully they'll give up soon.

I haven't received any traffic for secshow.online, interestingly.

Re: Secshow.net

jasonwald — Thu, 28 Mar 2024 13:30:40 GMT

This seems to be going strong again within the last few days. Super annoying. Would love to get some more info on this.

threatid: Tunneling:secshow.net(109001001)

Re: Secshow.net

antispoof — Thu, 28 Mar 2024 20:19:41 GMT

I can confirm that it seems to be back. In addition to secshow.net, there's also now a "savme.xyz" producing the same type of traffic. Someone did a write-up on it here: https://dataplane.substack.com/p/destination-adjacent-source-address

Re: Secshow.net

jasonwald — Thu, 28 Mar 2024 20:29:04 GMT

Thank you for sharing this.