https://live.paloaltonetworks.com/t5/general-topics/cutwail-pushdo-smtp-attack-vulnerability-detection/m-p/67533#M39577 <P>The best way to communicate on these types of issues with Palo Alto is by opening an official support ticket.</P> <P>&nbsp;</P> <P>Support will first be able to determine what current signatures are aimed at this vulnerabiliity. &nbsp;This will be fastest if you have the CVE handy.</P> <P>&nbsp;</P> <P>Assuming there is an approach against the CVE, they will be able to determine if you are correctly configured so that the traffic is reviewed against the existing signature.</P> <P>&nbsp;</P> <P>Should there not be anything in place now, they can also be your conduit to submit requests for enhancements to the correct team.</P> Sun, 01 Nov 2015 11:54:03 GMT pulukas 2015-11-01T11:54:03Z https://live.paloaltonetworks.com/t5/general-topics/cutwail-pushdo-smtp-attack-vulnerability-detection/m-p/67531#M39575 <P>I've recently set up a new PA-100-VM and been closely analysing it along with all of the traffic that goes through it. &nbsp;It is running 7.0.3 along with the latest updates to all definition files (updated nightly).</P> <P>&nbsp;</P> <P>In the process of doing this I've determined that the PA is not picking up on a fairly common&nbsp;SMTP attack - that being the Cutwail SMTP auth brute force. &nbsp;There is a bit more info about this here:</P> <P>&nbsp;</P> <P>&nbsp;<A href="https://blog.avast.com/2013/06/25/15507/" target="_blank">https://blog.avast.com/2013/06/25/15507/</A></P> <P>&nbsp;<A href="https://serverfault.com/questions/667322/email-server-attack-from-telnet" target="_blank">https://serverfault.com/questions/667322/email-server-attack-from-telnet</A></P> <P>&nbsp;</P> <P>A machine infected with this worm will attempt to brute force SMTP auth other random machines on the Internet.</P> <P>&nbsp;</P> <P>The good thing is that all&nbsp;of the attempts involve a very characteristic SMTP EHLO of ylmf-pc. &nbsp;So they are patently&nbsp;obvious to identify.</P> <P>&nbsp;</P> <P>I've written a custom malware signature that detects this and IP blocks the offending hosts for the maximum 3600s (I would block&nbsp;for longer if this was possible). &nbsp;This works well. &nbsp;Lots of hits and no brute forcing anymore <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>&nbsp;</P> <P>The questions I have are:</P> <P>&nbsp;</P> <P>- Is there a way to submit this to Palo Alto so that this attack is picked up by the threat signatures&nbsp;without me having to write a custom vulnerability sig? &nbsp;I can open a case but I would have thought there were easier ways than this to have this information fed into the system.</P> <P>&nbsp;</P> <P>- Is there a reason this hasn't been already added? &nbsp;This is a very common vulnerability by all accounts. &nbsp;I haven't tried but I imagine the PA will pick up on the trojan exe's that this worm uses to transmit itself, but as a non-infected user I also want protection from other remote machines who have been exploited and I would expect the appliance would be protecting me from known brute force attacks.</P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 01 Nov 2015 00:23:39 GMT https://live.paloaltonetworks.com/t5/general-topics/cutwail-pushdo-smtp-attack-vulnerability-detection/m-p/67531#M39575 ReubenFarrelly 2015-11-01T00:23:39Z https://live.paloaltonetworks.com/t5/general-topics/cutwail-pushdo-smtp-attack-vulnerability-detection/m-p/67533#M39577 <P>The best way to communicate on these types of issues with Palo Alto is by opening an official support ticket.</P> <P>&nbsp;</P> <P>Support will first be able to determine what current signatures are aimed at this vulnerabiliity. &nbsp;This will be fastest if you have the CVE handy.</P> <P>&nbsp;</P> <P>Assuming there is an approach against the CVE, they will be able to determine if you are correctly configured so that the traffic is reviewed against the existing signature.</P> <P>&nbsp;</P> <P>Should there not be anything in place now, they can also be your conduit to submit requests for enhancements to the correct team.</P> Sun, 01 Nov 2015 11:54:03 GMT https://live.paloaltonetworks.com/t5/general-topics/cutwail-pushdo-smtp-attack-vulnerability-detection/m-p/67533#M39577 pulukas 2015-11-01T11:54:03Z