10-26-2021 11:04 AM
Beginning this morning we are seeing lots of apparent false positives for threat ID: 91836 - Cisco HyperFlex HX RCE, which was added to the threat database last night. The destination server is in Wells Fargo IP space and we have determined that this is users trying to log into Wells Fargo online banking at:
https://connect.secure.wellsfargo.com/auth/login/present?
This appears to be happening either on redirect of the initial user/pass login POST or a subsequent MFA page, and the users are getting a generic login error response due to the PA threat detection resetting the connection. I do not have a Wells Fargo account to fully test and full packet capture is going to be tricky as these are users' personal accounts.
Is anyone else seeing this threat detection and can confirm the destination, offer additional debugging?
10-27-2021 07:34 PM
It appears that this has been fixed in the App-Threat-8478-7015 release. We were unable to replicate the problem today (prior release -8477-7011 was flagging).