06-06-2022 02:14 PM
Threat ID 92632 was added late 6/3 for the new Atlassian 0-day exploit. All morning we have been seeing false positives on the new signature. Anyone else seeing the same?
Seems to be alerting to the inclusion of javascript ad code across multiple websites, sourced from:
https://pdc.bidswitch.net/max_mrc_vimp/<long-alphanum-string>
https://pdc.bidswitch.net/max_mimp/<long-alphanum-string>
https://pdc.bidswitch.net/max_groupm_vimp/<long-alphanum-string>
06-06-2022 09:46 PM
Can confirm, we are seeing at least one of the same domains showing up with the same false positives.
06-15-2022 02:59 PM
Seeing the same from that domain.
07-22-2022 02:38 PM
We are seeing the same false positive.
I opened a ticket with the TAC and they are requesting a full packet capture. I'm hesitant to do this on Prisma gateways because it's unclear how to reproduce the traffic AND the destination IP changes, so the packet capture could be running and running.
We are using the SaaS version of Atlassian, and according to the Security Advisory (https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html):
Atlassian Cloud sites are protected
If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable.
Our investigations have not found any evidence of exploitation of Atlassian Cloud.
So I'm tempted to make a signature exception in the Antivirus Profile.
Other ideas?
07-22-2022 03:02 PM
Are you receiving the alert on connections to your Atlassian instance? Or on connections from your users to a random third party website? For my false alert (and others I believe), there is no Atlassian server involved at all.
From the threat alert there should be a packet capture. If you export that capture and open it in Wireshark you can reassemble the packets into a formatted output: select a packet in the capture and select "Follow -> TCP Stream". A new window will pop up with the assembled packet, like:
GET /max_groupm_vimp/WfcV4AtmWp-XiYB2f6ONSJuCKVlVq
AawN1cry1La8bIQ_hGvGVv9Gvscuzgnjh0c6FKolAawN1cry1La8bIQ_hGvGVv9Gv
...
Host: pdc.bidswitch.net
...
Referer: https://www.cnn.com/
...
GET - the URL path
Host - the host server FQDN that was connected to
Referer - the original server FQDN of the page that the reference to the URL was in (if it was an included object)
You should be able to identify the destination and recreate the alert by copying the host and URL into a separate browser window and downloading again.
07-25-2022 02:54 PM
Just like you, I'm receiving these alerts on traffic NOT going to Atlassian instances.
Looking at the PCAP, I see:
GET /max_groupm_vimp/cqBEM_QBMxlLhguztF9yWmT6DTPGVEEVnYEQlMjfCLPdRn-yMBZug....
...
Host: pdc.bidswitch.net
...
Referer: https://www.usatoday.com/
07-25-2022 03:10 PM
Yep, so the alert is hitting on the content included from pdc.bidswitch.net on usatoday.com. Bidswitch is an ad company. You can probably replicate the alert by calling the URL
https://pdc.bidswitch.net/max_groupm_vimp/cqBEM_QBMxlLhguztF9yWmT6DTPGVEEVnYEQlMjfCLPdRn-yMBZug....
directly in your browser (you might have to play around with some HTTP variables). Once you can replicate the alert from calling the URL directly (instead of it being buried in usatoday.com's code), it's easy to do a packet capture of just that request.
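The two replies above describe the same triage workflow by hand: pull the request out of the alert's PCAP (Follow TCP Stream), read the GET path, Host and Referer, check whether an Atlassian host is involved at all, and rebuild the URL so the single request can be replayed and captured on its own. The script below is an added example that automates those steps; it is not code from the thread or from Palo Alto Networks. The request text it parses is constructed to look like the Follow TCP Stream output quoted above (the path token is made up, not a real bidswitch URL), and the `https` scheme is an assumption, since the reassembled stream itself does not say which scheme the browser used.

```python
"""Turn a reassembled HTTP request (Wireshark "Follow TCP Stream" text) into the
pieces needed to triage a threat alert: the full URL, whether an Atlassian host
is involved, and a curl line that replays only that request."""
import re
import shlex
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample stream, shaped like the thread's Follow TCP Stream output.
# The path token is invented; it is not a real pdc.bidswitch.net resource.
SAMPLE_STREAM = (
    "GET /max_groupm_vimp/EXAMPLEPATHTOKEN1234 HTTP/1.1\r\n"
    "Host: pdc.bidswitch.net\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: */*\r\n"
    "Referer: https://www.usatoday.com/\r\n"
    "\r\n"
)


@dataclass
class RequestSummary:
    method: str
    path: str
    host: str
    referer: Optional[str]
    scheme: str = "https"  # assumption: the capture does not record the scheme

    @property
    def url(self) -> str:
        # Host header + request path is the URL the browser actually fetched.
        return f"{self.scheme}://{self.host}{self.path}"


_REQUEST_LINE = re.compile(r"^([A-Z]+)\s+(\S+)\s+HTTP/\d\.\d$")


def parse_request(stream: str, scheme: str = "https") -> RequestSummary:
    """Parse the first client request in a Follow TCP Stream dump."""
    # The stream shows client and server data back to back; the first request's
    # headers end at the first empty line, so ignore everything after it.
    head, _, _ = stream.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    m = _REQUEST_LINE.match(lines[0].strip())
    if not m:
        raise ValueError(f"not an HTTP request line: {lines[0]!r}")
    method, path = m.group(1), m.group(2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        raise ValueError("request has no Host header; cannot rebuild the URL")
    return RequestSummary(method, path, headers["host"], headers.get("referer"), scheme)


def involves_atlassian(summary: RequestSummary) -> bool:
    """True if either the destination or the referring page is an atlassian.net host.

    This is the question asked in the thread: is the alert on traffic to an
    Atlassian instance, or on an unrelated third-party object?"""
    hosts = [summary.host]
    if summary.referer:
        hosts.append(urlparse(summary.referer).hostname or "")
    return any(h == "atlassian.net" or h.endswith(".atlassian.net") for h in hosts)


def replay_command(summary: RequestSummary) -> str:
    """Build a curl command that fetches just this object, sending the same
    Referer, so the alert can be reproduced and captured in isolation."""
    parts = ["curl", "-sS", "-o", "/dev/null", "-X", summary.method]
    if summary.referer:
        parts += ["-H", f"Referer: {summary.referer}"]
    parts.append(summary.url)
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    summary = parse_request(SAMPLE_STREAM)
    print("URL:              ", summary.url)
    print("Atlassian involved:", involves_atlassian(summary))
    print("Replay with:      ", replay_command(summary))
```

Paste the text from the Follow TCP Stream window into `SAMPLE_STREAM` (or read it from a file) and the script prints the rebuilt URL and a one-line replay command; run that command while a targeted packet capture is active and the capture contains only the request TAC asked for. If `involves_atlassian` returns False, the alert fired on third-party content rather than on the Confluence site, which is the case the thread describes.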
07-26-2022 05:02 PM
Right on! Thanks so much @Adrian_Jensen
I feel like this should be the responsibility of TAC engineering to identify / test their patterns, but if it can help others, I'll give it a go. 🙂