Submitted URL: http://community.spiceworks.com/topic/2328894-backdoor-cobalt-strike-beacon
Effective URL: https://community.spiceworks.com/topic/2328894-backdoor-cobalt-strike-beacon
Submission: On April 13 via manual from US — Scanned from DE

BACKDOOR.COBALT.STRIKE.BEACON

Posted by ROMTech255 on Aug 17th, 2021 at 1:42 PM
Needs answer
General IT Security

Hello Spiceworks,

Was wondering if anyone had come across this type of alert,
"Backdoor.Cobalt.Strike.Beacon". My firewall alerted me that the srcip came
from my Email server/Backup server. What I have started to do is run an
Antivirus scan, see what it's picking up, remove whatever it's picking up, and
reboot the server. Below is the actual alert I received:



Message meets Alert condition

The following intrusion was observed: "Backdoor.Cobalt.Strike.Beacon".

date=2021-08-17 time=09:24:47 devname=FG90D devid=FGT90D3Z15003317
logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert"
vd="root" eventtime=1629206686 severity="high" srcip=xx.xx.xx.xx
srccountry="Reserved" dstip=45.61.136.58 srcintf="internal" srcintfrole="lan"
dstintf="wan1" dstintfrole="wan" sessionid=63425489 action="dropped" proto=6
service="HTTP" policyid=1 attack="Backdoor.Cobalt.Strike.Beacon" srcport=56352
dstport=443 hostname="45.61.136.58" direction="outgoing" attackid=39078
profile="default" ref="http://www.fortinet.com/ids/VID39078"
incidentserialno=79082017 msg="backdoor: Backdoor.Cobalt.Strike.Beacon,"
crscore=30 crlevel="high"


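As an added example (my own code, not from the thread or from Fortinet), here is a parser for the FortiGate key=value line quoted above plus a small triage helper. The triage rules are mine: they only encode the point made later in the thread, that the flow is "outgoing" from the LAN interface, so the srcip host (the mail/backup server), not the destination address, is the machine to examine.

```python
import re
from typing import Dict

# FortiGate syslog fields are key=value; values are either "quoted" or bare tokens.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The IPS alert from the post (the poster masked srcip as xx.xx.xx.xx).
ALERT_LINE = (
    'date=2021-08-17 time=09:24:47 devname=FG90D devid=FGT90D3Z15003317 '
    'logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" '
    'vd="root" eventtime=1629206686 severity="high" srcip=xx.xx.xx.xx '
    'srccountry="Reserved" dstip=45.61.136.58 srcintf="internal" srcintfrole="lan" '
    'dstintf="wan1" dstintfrole="wan" sessionid=63425489 action="dropped" proto=6 '
    'service="HTTP" policyid=1 attack="Backdoor.Cobalt.Strike.Beacon" srcport=56352 '
    'dstport=443 hostname="45.61.136.58" direction="outgoing" attackid=39078 '
    'profile="default" ref="http://www.fortinet.com/ids/VID39078" '
    'incidentserialno=79082017 msg="backdoor: Backdoor.Cobalt.Strike.Beacon," '
    'crscore=30 crlevel="high"'
)


def parse_fortigate(line: str) -> Dict[str, str]:
    """Split a FortiGate log line into a field -> value dict.

    findall() yields (key, quoted_value, bare_value); exactly one of the
    two value groups is non-empty for each pair, so `q or b` picks it.
    """
    return {k: (q or b) for k, q, b in _KV.findall(line)}


def triage(fields: Dict[str, str]) -> Dict[str, object]:
    """Summarise which side of the flow to investigate (my rule set, not Fortinet's)."""
    outbound = fields.get("direction") == "outgoing" and fields.get("srcintfrole") == "lan"
    c2_signature = "beacon" in fields.get("attack", "").lower()
    return {
        # On an outbound alert the internal source is the suspected victim.
        "suspect_host": fields.get("srcip") if outbound else fields.get("dstip"),
        "external_peer": fields.get("dstip") if outbound else fields.get("srcip"),
        "signature": fields.get("attack"),
        "severity": fields.get("severity"),
        "blocked": fields.get("action") == "dropped",
        # An internal host initiating beacon-like traffic warrants a host investigation
        # even though the firewall dropped this particular session.
        "investigate_host": outbound and c2_signature,
    }


if __name__ == "__main__":
    print(triage(parse_fortigate(ALERT_LINE)))
```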
8 REPLIES

 * Robert5205
   pure capsaicin
   Aug 17th, 2021 at 1:45 PM
   
   This frustrates me as well. I get all sorts of alerts from my AV with scary
   sounding names. I google them to find out what they're about and mostly find
   nothing.
   
   I'm interested to see what you turn up on this and from where.
   
 * OP ROMTech255
   poblano
   Aug 17th, 2021 at 1:49 PM
   Hi Rob,
   Thank you for your response, sir. I too am having a hard time researching
   what else to do. Although it does provide me a link to the Fortigate
   Cookbook vulnerabilities encyclopedia, it doesn't really explain much; all it
   stated was to block the srcip from the firewall, which I cannot do. I'll see
   what I can find out.
 * Jeff4129
   anaheim
   Aug 17th, 2021 at 2:15 PM
   
   Your FortiGate has detected suspicious outgoing traffic going from "internal"
   to "wan1".
   
   This sounds like FortiGuard botnet protection has kicked in and blocked the
   traffic, but I could be wrong.
   
   Edit: I followed the link in the firewall log entry you posted and it is an
   IPS rule that has blocked the traffic. I've been using Fortinet products for
   a few years and haven't had that happen with one of my servers before. I
   would check this closely.
   
   The destination IP has no hostname associated with it. Here's the WHOIS info
   for that subnet:
   
   # start
   
   NetRange:     45.61.136.0 - 45.61.136.255
   CIDR:         45.61.136.0/24
   NetName:       BLNETWORKS-01
   NetHandle:     NET-45-61-136-0-1
   Parent:       PONYNET-15 (NET-45-61-128-0-1)
   NetType:       Reallocated
   OriginAS:
   Organization: BL Networks (BNL-77)
   RegDate:       2019-11-08
   Updated:       2019-11-08
   Ref:           https://rdap.arin.net/registry/ip/45.61.136.0
   
   
   OrgName:       BL Networks
   OrgId:         BNL-77
   Address:       30 N Gould St
   Address:       Ste R
   City:         Sheridan
   StateProv:     WY
   PostalCode:   82801
   Country:       US
   RegDate:       2019-11-01
   Updated:       2020-03-24
   Ref:           https://rdap.arin.net/registry/entity/BNL-77
   
   
   OrgTechHandle: ADMIN7234-ARIN
   OrgTechName: Admin
   OrgTechPhone: +1-307-317-1097
   OrgTechEmail: admin@blnwx.com
   OrgTechRef:   https://rdap.arin.net/registry/entity/ADMIN7234-ARIN
   
   OrgAbuseHandle: ADMIN7234-ARIN
   OrgAbuseName: Admin
   OrgAbusePhone: +1-307-317-1097
   OrgAbuseEmail: admin@blnwx.com
   OrgAbuseRef:   https://rdap.arin.net/registry/entity/ADMIN7234-ARIN
   
   # end
   
   
 * OP ROMTech255
   poblano
   Aug 17th, 2021 at 2:37 PM
   Hi Jeff4129, thank you for your response!
 * Jeff4129
   anaheim
   Aug 17th, 2021 at 2:50 PM
   
   This definitely looks shady. I ran a scan on the IP address on urlscan.io and
   it came back with some interesting history... looking at the history, it
   looks like it's been used to spoof Verizon and ATT websites in the past.
   
   https://urlscan.io/result/b3efc554-4606-4308-a6a2-ab81eb03bc09/related/
   
   
   I would really be scrutinizing this server. AV scans, even running a
   Wireshark capture of its traffic to see what's trying to get out of your
   network.
   
 * On The Off Chance
   poblano
   Aug 18th, 2021 at 8:46 AM
   
   Yeah I mean Cobalt Strike is a red-team pentesting tool (licence 3500 USD a
   pop per year) but there are cracked versions on the dark web, being actively
   used by malactors. It's extremely versatile and can serve multiple purposes.
   
   Being an email server, maybe that's how the signature got onto your system?
   I'm not sure if it's wise to have an Internet-facing server serving as a
   backup server as well, but (since I don't know too much on that particular
   topic) I assume you've got an infected file sent as an attachment in some
   email. Maybe try to find out which email message exactly and you'll probably
   get more data off the header.
   
   In any case, please do keep us in the loop what you find after the AV scans
   (obv w/out revealing sensitive data re your systems).
   
   edit: I also assume you're running Exchange (which has had many reports
   recently of significant flaws) which I strongly advise against but only you
   know what is your situation. We use Gmail and can make use of its Admin
   console. I haven't really used Exchange so I can't give advice on how to
   trace and/or identify stuff on there.
   
   Also, eventually you may contact the IP range holder and let them know (if
   they don't already lol) their service is being used for malicious purposes.
   
 * Bryce7347
   jalapeno
   Aug 19th, 2021 at 4:00 AM
   
   If a beacon is on your systems and trying to transmit its presence back, then
   that can't be good; let's hope it is a false positive.
   
   With regard to an anti-virus scan, a Cobalt Strike Beacon operator's guide
   has this to say:
   
   A Note about Anti-virus.  It’s a common misconception that anti-virus catches
   the Metasploit Framework’s payloads. This is not true. Anti-virus products
   catch artifacts that try to stage a payload. It doesn’t matter if this
   payload is Meterpreter or Beacon. Some artifacts (MS Office Macro attack,
   Cobalt Strike’s Java Attacks) get past some anti-virus products. Others
   (Generated EXE) do not. When you generate an artifact to deliver Beacon, you
   will need to account for anti-virus. Since Beacon and Meterpreter use the
   same stagers, techniques that get Meterpreter past anti-virus will get Beacon
   past anti-virus
   too.
   https://blog.cobaltstrike.com/2013/09/12/beacon-an-operators-guide/
   
   I find interesting reading via https://otx.alienvault.com/ - in the past
   month they have had 4 or more 'pulses' all to do with Cobalt Strike; you
   might like to take a browse. For instance: "cobalt strike indicators q3 2021"
   or "IcedID and Cobalt Strike vs Antivirus". The 'reference' links have
   interesting reads.
   
   I think the machine may need a thorough inspection, maybe from an independent
   OS booted to scan it... (however, I am not a security expert)
 * L0lo95
   poblano
   Aug 19th, 2021 at 1:59 PM
   
   You should block that address on your firewall. A VirusTotal scan shows that
   2 vendors have flagged that address as malicious. It is also showing some
   indicators of compromise. It is also linked to a malicious file,
   "filemercadona.jnqrvwxyzBDDE.vbs".
   
   I would recommend you blacklist that address and start an investigation.
   
This topic has been locked by an administrator and is no longer open for
commenting.