Amazon CDN triggering lots of 38716 threats (library loading elevation of privilege)

MarekF — Mon, 26 Feb 2018 12:43:16 GMT

Hello,

Have anyone else noticed a very large flood of triggered 38716 threat warnings comming from Amazon CDN? That is just a very short fragment:

2018-02-26 13:30	1801032072	THREAT	vulnerability	2018-02-26 13:30	52.222.174.180	192.168.2.199	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:30	1801032072	THREAT	vulnerability	2018-02-26 13:30	52.222.174.105	192.168.2.177	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:29	1801032072	THREAT	vulnerability	2018-02-26 13:29	52.222.174.80	192.168.35.110	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:29	1801032072	THREAT	vulnerability	2018-02-26 13:29	52.222.174.136	192.168.2.171	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:29	1801032072	THREAT	vulnerability	2018-02-26 13:29	52.222.174.105	192.168.1.202	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:28	1801032072	THREAT	vulnerability	2018-02-26 13:28	52.222.174.185	192.168.2.177	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:27	1801032072	THREAT	vulnerability	2018-02-26 13:27	52.222.174.157	192.168.2.177	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:26	1801032072	THREAT	vulnerability	2018-02-26 13:26	52.222.174.157	192.168.2.177	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:11	1801032072	THREAT	vulnerability	2018-02-26 13:11	52.85.184.184	192.168.2.155	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:11	1801032072	THREAT	vulnerability	2018-02-26 13:11	52.85.184.4	192.168.2.46	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:11	1801032072	THREAT	vulnerability	2018-02-26 13:11	52.85.184.4	192.168.2.52	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:10	1801032072	THREAT	vulnerability	2018-02-26 13:10	52.85.184.246	192.168.2.52	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 12:58	1801032072	THREAT	vulnerability	2018-02-26 12:58	52.85.184.148	192.168.2.155	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 12:58	1801032072	THREAT	vulnerability	2018-02-26 12:58	52.85.184.246	192.168.2.117	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 12:58	1801032072	THREAT	vulnerability	2018-02-26 12:58	52.85.184.184	192.168.1.192	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 12:58	1801032072	THREAT	vulnerability	2018-02-26 12:58	52.85.184.148	192.168.2.96	Microsoft Windows library loading elevation of privilege vulnerability(38716)

2018-02-26 08:56	1801032072	THREAT	vulnerability	2018-02-26 08:56	13.32.145.109	192.168.2.206	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 08:55	1801032072	THREAT	vulnerability	2018-02-26 08:55	13.32.145.214	192.168.2.171	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 08:55	1801032072	THREAT	vulnerability	2018-02-26 08:55	13.32.145.178	192.168.1.123	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 08:55	1801032072	THREAT	vulnerability	2018-02-26 08:55	13.32.145.208	192.168.1.105	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 08:55	1801032072	THREAT	vulnerability	2018-02-26 08:55	13.32.145.98	192.168.1.65	Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 08:55	1801032072	THREAT	vulnerability	2018-02-26 08:55	13.32.145.67	192.168.1.154	Microsoft Windows library loading elevation of privilege vulnerability(38716)

I can't figure out what's causing it. Any idea? Thanks in advance. All the best!

Re: Amazon CDN triggering lots of 38716 threats (library loading elevation of privilege)

upelister — Sun, 31 Jan 2021 23:35:26 GMT

Hello,

Maybe attackers identifed a vulnerability on your services in past and trying to access your servers.

To be on the safe side checking servers, applications against any kind of vulnerability specially this one should be fine.

I recommend;

If applications are not required to acces from open world, limiting allowed traffic for specific Geo Locations greatly reduce attack surface and attack possibilites.
Applying zone protection profiles can reduce scanning risks.
Using, Vulnerability Protection, Spyware and Anti-Virus profile in strict state for the rules.
Within great care all vulnerability protection signatures can be enabled.
Also auto tagging feature can be used to block all or block for a period of time. attacker ip addreses.
- Vulnerability Protection> Vulnerability protection profile> Vulnerability Protection Rule> Action> Block-ip as source and how much time (Max is 1hr) this will block source ip address for one hour in hardware level
- With using DAG feature you can block attacker for a long time.

I rec

topic Amazon CDN triggering lots of 38716 threats (library loading elevation of privilege) in Advanced Threat Prevention Discussions

Amazon CDN triggering lots of 38716 threats (library loading elevation of privilege)

Re: Amazon CDN triggering lots of 38716 threats (library loading elevation of privilege)