Amazon CDN triggering lots of 38716 threats (library loading elevation of privilege)

MarekF
L0 Member

Hello,

Has anyone else noticed a very large flood of triggered 38716 threat warnings coming from Amazon CDN? This is just a very short fragment:

Receive Time | Serial # | Type | Threat/Content Type | Generate Time | Source address | Destination address | Threat/Content Name
2018-02-26 13:30 | 1801032072 | THREAT | vulnerability | 2018-02-26 13:30 | 52.222.174.180 | 192.168.2.199 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:30 | 1801032072 | THREAT | vulnerability | 2018-02-26 13:30 | 52.222.174.105 | 192.168.2.177 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:29 | 1801032072 | THREAT | vulnerability | 2018-02-26 13:29 | 52.222.174.80 | 192.168.35.110 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:29 | 1801032072 | THREAT | vulnerability | 2018-02-26 13:29 | 52.222.174.136 | 192.168.2.171 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:29 | 1801032072 | THREAT | vulnerability | 2018-02-26 13:29 | 52.222.174.105 | 192.168.1.202 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:28 | 1801032072 | THREAT | vulnerability | 2018-02-26 13:28 | 52.222.174.185 | 192.168.2.177 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:27 | 1801032072 | THREAT | vulnerability | 2018-02-26 13:27 | 52.222.174.157 | 192.168.2.177 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:26 | 1801032072 | THREAT | vulnerability | 2018-02-26 13:26 | 52.222.174.157 | 192.168.2.177 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:11 | 1801032072 | THREAT | vulnerability | 2018-02-26 13:11 | 52.85.184.184 | 192.168.2.155 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:11 | 1801032072 | THREAT | vulnerability | 2018-02-26 13:11 | 52.85.184.4 | 192.168.2.46 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:11 | 1801032072 | THREAT | vulnerability | 2018-02-26 13:11 | 52.85.184.4 | 192.168.2.52 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:10 | 1801032072 | THREAT | vulnerability | 2018-02-26 13:10 | 52.85.184.246 | 192.168.2.52 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 12:58 | 1801032072 | THREAT | vulnerability | 2018-02-26 12:58 | 52.85.184.148 | 192.168.2.155 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 12:58 | 1801032072 | THREAT | vulnerability | 2018-02-26 12:58 | 52.85.184.246 | 192.168.2.117 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 12:58 | 1801032072 | THREAT | vulnerability | 2018-02-26 12:58 | 52.85.184.184 | 192.168.1.192 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 12:58 | 1801032072 | THREAT | vulnerability | 2018-02-26 12:58 | 52.85.184.148 | 192.168.2.96 | Microsoft Windows library loading elevation of privilege vulnerability(38716)

2018-02-26 08:56 | 1801032072 | THREAT | vulnerability | 2018-02-26 08:56 | 13.32.145.109 | 192.168.2.206 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 08:55 | 1801032072 | THREAT | vulnerability | 2018-02-26 08:55 | 13.32.145.214 | 192.168.2.171 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 08:55 | 1801032072 | THREAT | vulnerability | 2018-02-26 08:55 | 13.32.145.178 | 192.168.1.123 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 08:55 | 1801032072 | THREAT | vulnerability | 2018-02-26 08:55 | 13.32.145.208 | 192.168.1.105 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 08:55 | 1801032072 | THREAT | vulnerability | 2018-02-26 08:55 | 13.32.145.98 | 192.168.1.65 | Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 08:55 | 1801032072 | THREAT | vulnerability | 2018-02-26 08:55 | 13.32.145.67 | 192.168.1.154 | Microsoft Windows library loading elevation of privilege vulnerability(38716)

I can't figure out what's causing it. Any idea? Thanks in advance. All the best!
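
Added example, not part of the original post and not Palo Alto Networks code: a Python triage script for exactly the kind of fragment pasted above. It parses the log lines in the run-together form the forum produced, recovers source and destination from the glued address pair by keeping the only split whose destination is an RFC 1918 address and whose source is not, aggregates the hits by threat ID, source and destination, and then checks each source against the CloudFront prefixes of an AWS ip-ranges.json document. The sample lines are copied from the post; the column order (receive time, serial, type, subtype, generate time, source, destination, threat name) is assumed from the PAN-OS threat-log layout; SAMPLE_IP_RANGES is a constructed stand-in with placeholder prefixes, not the real AWS list.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Threat-log lines copied verbatim from the post above.  The forum ran the export's
# columns together, so the parser below has to re-split them.
SAMPLE_LINES = """\
2018-02-26 13:301801032072THREATvulnerability2018-02-26 13:3052.222.174.180192.168.2.199Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:291801032072THREATvulnerability2018-02-26 13:2952.222.174.80192.168.35.110Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:281801032072THREATvulnerability2018-02-26 13:2852.222.174.185192.168.2.177Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 13:111801032072THREATvulnerability2018-02-26 13:1152.85.184.4192.168.2.46Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 12:581801032072THREATvulnerability2018-02-26 12:5852.85.184.246192.168.2.117Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 08:551801032072THREATvulnerability2018-02-26 08:5513.32.145.98192.168.1.65Microsoft Windows library loading elevation of privilege vulnerability(38716)
2018-02-26 08:551801032072THREATvulnerability2018-02-26 08:5513.32.145.67192.168.1.154Microsoft Windows library loading elevation of privilege vulnerability(38716)
""".splitlines()

# Constructed stand-in for the AWS ip-ranges.json document (same shape, placeholder
# prefixes).  In practice download https://ip-ranges.amazonaws.com/ip-ranges.json.
SAMPLE_IP_RANGES = {
    "prefixes": [
        {"ip_prefix": "52.222.128.0/17", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        # Not a CloudFront entry: sources inside it must be reported as "outside".
        {"ip_prefix": "52.85.0.0/16", "region": "us-east-1", "service": "EC2"},
    ]
}

# Column order assumed from the PAN-OS threat log: receive time, serial, type,
# subtype, generate time, source, destination, threat name with the ID in parentheses.
LINE_RE = re.compile(
    r"^(?P<received>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"(?P<serial>\d+)"
    r"(?P<type>THREAT)"
    r"(?P<subtype>[a-z]+)"
    r"(?P<generated>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"(?P<addrs>[\d.]+)"
    r"(?P<name>.+?)\((?P<threat_id>\d+)\)$"
)


def split_address_pair(blob):
    """Recover (src, dst) from two IPv4 addresses run together, e.g.
    '52.85.184.4192.168.2.46'.  A naive regex would also accept
    52.85.184.41 / 92.168.2.46, so the only split kept is one where both
    halves parse, the destination is private (RFC 1918, as every destination
    in the post is) and the source is not."""
    candidates = []
    for i in range(7, len(blob) - 6):  # 7 = len("1.1.1.1"), the shortest IPv4
        try:
            src = ipaddress.IPv4Address(blob[:i])
            dst = ipaddress.IPv4Address(blob[i:])
        except ValueError:
            continue
        if dst.is_private and not src.is_private:
            candidates.append((src, dst))
    if len(candidates) != 1:
        raise ValueError(f"ambiguous or unparseable address pair: {blob!r}")
    return candidates[0]


def parse_line(line):
    """Turn one flattened log line into a dict of fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    rec["src"], rec["dst"] = split_address_pair(rec.pop("addrs"))
    rec["name"] = rec["name"].strip()
    rec["threat_id"] = int(rec["threat_id"])
    return rec


def cloudfront_networks(ip_ranges):
    """Networks listed under service CLOUDFRONT in an ip-ranges.json document."""
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in ip_ranges["prefixes"] if p["service"] == "CLOUDFRONT"]


def summarize(lines, cdn_networks):
    """Aggregate the hits and sort the sources into CDN / non-CDN."""
    records = [parse_line(l) for l in lines if l.strip()]
    sources = defaultdict(set)  # True/False (source in CDN) -> set of addresses
    for r in records:
        sources[any(r["src"] in n for n in cdn_networks)].add(r["src"])
    return {
        "records": len(records),
        "by_threat_id": dict(Counter(r["threat_id"] for r in records)),
        "distinct_sources": len({r["src"] for r in records}),
        "distinct_destinations": len({r["dst"] for r in records}),
        "sources_in_cdn": sorted(str(s) for s in sources[True]),
        "sources_outside_cdn": sorted(str(s) for s in sources[False]),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES, cloudfront_networks(SAMPLE_IP_RANGES)).items():
        print(f"{key}: {value}")
```

With the real ip-ranges.json in place of the constructed one, the output tells you whether the sources are CDN edge nodes and how many distinct internal destinations they hit. Sources that are all CDN edges paired with many internal clients point at content those clients fetched from the CDN, so the next step is to look at the sessions behind the hits (application, URL, which clients) rather than at the source addresses themselves.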

upelister
L2 Linker

Hello,

Maybe attackers identified a vulnerability on your services in the past and are trying to access your servers.

To be on the safe side, checking servers and applications against any kind of vulnerability, especially this one, should be fine.

I recommend:

  • If applications are not required to be accessed from the open world, limiting allowed traffic to specific Geo Locations greatly reduces the attack surface and attack possibilities.
  • Applying zone protection profiles can reduce scanning risks.
  • Using Vulnerability Protection, Spyware and Anti-Virus profiles in strict state for the rules.
  • With great care, all vulnerability protection signatures can be enabled.
  • Also, the auto-tagging feature can be used to block attacker IP addresses, either entirely or for a period of time.
    • Vulnerability Protection > Vulnerability Protection Profile > Vulnerability Protection Rule > Action > Block-IP as source, and how much time (max is 1 hr); this will block the source IP address for one hour at the hardware level.
    • By using the DAG feature you can block an attacker for a long time.

I rec

UP