community.spiceworks.com
45.60.13.212
Submitted URL: http://community.spiceworks.com/topic/2328894-backdoor-cobalt-strike-beacon
Effective URL: https://community.spiceworks.com/topic/2328894-backdoor-cobalt-strike-beacon
Submission: On April 13 via manual from US — Scanned from DE
Backdoor.Cobalt.Strike.Beacon
Posted by ROMTech255 on Aug 17th, 2021 at 1:42 PM in General IT Security (Needs answer)

Hello Spiceworks,

Was wondering if anyone had come across this type of alert, "Backdoor.Cobalt.Strike.Beacon". My firewall had alerted me that the srcip came from my Email server/Backup server. What I have started to do is run an Antivirus Scan, see what it's picking up, remove whatever it's picking up and reboot the server.

Below is the actual alert I had received:

Message meets Alert condition
The following intrusion was observed: "Backdoor.Cobalt.Strike.Beacon".

date=2021-08-17 time=09:24:47 devname=FG90D devid=FGT90D3Z15003317 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1629206686 severity="high"
srcip=xx.xx.xx.xx srccountry="Reserved" dstip=45.61.136.58 srcintf="internal" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=63425489 action="dropped" proto=6 service="HTTP" policyid=1
attack="Backdoor.Cobalt.Strike.Beacon" srcport=56352 dstport=443 hostname="45.61.136.58" direction="outgoing" attackid=39078 profile="default" ref="http://www.fortinet.com/ids/VID39078" incidentserialno=79082017 msg="backdoor: Backdoor.Cobalt.Strike.Beacon," crscore=30 crlevel="high"
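The alert in the post above is a FortiGate IPS log line in key=value form. The block below is an added example, not from the original post and not Fortinet's own tooling: a small parser for that format (quoted values may contain spaces, as in the msg field) followed by a triage step that pulls out what a responder needs first: the attack name, which side initiated, the external address and port, and whether the session was blocked. The point it encodes is the one the thread turns on: action="dropped" means the firewall blocked that one session, not that the internal host is clean, because the connection was initiated from inside. The srcip stays masked as xx.xx.xx.xx as it was posted; the triage rule and the Triage field names are assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Added example, not from the original post. Matches one key=value pair of a
# FortiGate log line; a value is either double-quoted (and may contain spaces)
# or a bare run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# The alert from the post, src address masked as posted and the page's link
# residue removed from the ref field.
SAMPLE_LOG = (
    'date=2021-08-17 time=09:24:47 devname=FG90D devid=FGT90D3Z15003317 '
    'logid="0419016384" type="utm" subtype="ips" eventtype="signature" '
    'level="alert" vd="root" eventtime=1629206686 severity="high" '
    'srcip=xx.xx.xx.xx srccountry="Reserved" dstip=45.61.136.58 '
    'srcintf="internal" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" '
    'sessionid=63425489 action="dropped" proto=6 service="HTTP" policyid=1 '
    'attack="Backdoor.Cobalt.Strike.Beacon" srcport=56352 dstport=443 '
    'hostname="45.61.136.58" direction="outgoing" attackid=39078 '
    'profile="default" ref="http://www.fortinet.com/ids/VID39078" '
    'incidentserialno=79082017 msg="backdoor: Backdoor.Cobalt.Strike.Beacon," '
    'crscore=30 crlevel="high"'
)


def parse_fortigate(line: str) -> dict:
    """Parse a FortiGate key=value log line into a dict of string values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]          # strip the quotes, keep inner spaces
        fields[key] = raw
    return fields


@dataclass
class Triage:
    # Field names are this example's own, not a FortiGate schema.
    attack: str
    internal_host: str
    external_ip: str
    external_port: int
    session_blocked: bool
    host_likely_compromised: bool
    notes: list = field(default_factory=list)


def triage_ips_event(f: dict) -> Triage:
    """Reduce a parsed IPS event to the facts a responder acts on first.

    Assumed rule (not Fortinet's): an IPS hit whose direction is outgoing
    from a LAN-role interface was initiated by the internal host, so the
    implant is on that host whether or not the session was dropped.
    """
    outgoing = f.get("direction") == "outgoing" and f.get("srcintfrole") == "lan"
    blocked = f.get("action") == "dropped"
    t = Triage(
        attack=f.get("attack", ""),
        internal_host=f.get("srcip", "") if outgoing else f.get("dstip", ""),
        external_ip=f.get("dstip", "") if outgoing else f.get("srcip", ""),
        external_port=int(f.get("dstport" if outgoing else "srcport", 0)),
        session_blocked=blocked,
        host_likely_compromised=outgoing,
    )
    if outgoing:
        t.notes.append(f"{t.internal_host} initiated the connection: "
                       "treat it as compromised, isolate and image it")
    if blocked:
        t.notes.append("action=dropped only means this session was blocked; "
                       "the implant will retry on its next sleep interval")
    t.notes.append(f"block {t.external_ip}:{t.external_port} outbound and "
                   "search other hosts' logs for the same destination")
    return t


if __name__ == "__main__":
    print(triage_ips_event(parse_fortigate(SAMPLE_LOG)))
```

Run as-is it prints the Triage for the posted alert; point parse_fortigate at your own exported IPS lines to get the same fields for every hit.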
8 replies

Robert5205, Aug 17th, 2021 at 1:45 PM
This frustrates me as well. I get all sorts of alerts from my AV with scary-sounding names. I google them to find out what they're about and mostly find nothing. I'm interested to see what you turn up on this and from where.

ROMTech255 (OP), Aug 17th, 2021 at 1:49 PM
Hi Rob, thank you for your response, sir. I too am having a hard time researching what else to do. Although it does provide me a link to the Fortigate Cookbook vulnerabilities encyclopedia, it doesn't really explain much; all it stated was to block the srcip from the firewall, but I cannot do that. I'll see what I can find out.

Jeff4129, Aug 17th, 2021 at 2:15 PM
Your FortiGate has detected suspicious outgoing traffic going from "internal" to "wan1". This sounds like FortiGuard botnet protection has kicked in and blocked the traffic, but I could be wrong.

Edit: I followed the link in the firewall log entry you posted and it is an IPS rule that has blocked the traffic. I've been using Fortinet products for a few years and haven't had that happen with one of my servers before. I would check this closely. The destination IP has no hostname associated with it.

Here's the WHOIS info for that subnet:

# start
NetRange: 45.61.136.0 - 45.61.136.255
CIDR: 45.61.136.0/24
NetName: BLNETWORKS-01
NetHandle: NET-45-61-136-0-1
Parent: PONYNET-15 (NET-45-61-128-0-1)
NetType: Reallocated
OriginAS:
Organization: BL Networks (BNL-77)
RegDate: 2019-11-08
Updated: 2019-11-08
Ref: https://rdap.arin.net/registry/ip/45.61.136.0

OrgName: BL Networks
OrgId: BNL-77
Address: 30 N Gould St
Address: Ste R
City: Sheridan
StateProv: WY
PostalCode: 82801
Country: US
RegDate: 2019-11-01
Updated: 2020-03-24
Ref: https://rdap.arin.net/registry/entity/BNL-77

OrgTechHandle: ADMIN7234-ARIN
OrgTechName: Admin
OrgTechPhone: +1-307-317-1097
OrgTechEmail: admin@blnwx.com
OrgTechRef: https://rdap.arin.net/registry/entity/ADMIN7234-ARIN

OrgAbuseHandle: ADMIN7234-ARIN
OrgAbuseName: Admin
OrgAbusePhone: +1-307-317-1097
OrgAbuseEmail: admin@blnwx.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/ADMIN7234-ARIN
# end

ROMTech255 (OP), Aug 17th, 2021 at 2:37 PM
Hi Jeff4129, thank you for your response!

Jeff4129, Aug 17th, 2021 at 2:50 PM
This definitely looks shady. I ran a scan on the IP address on urlscan.io and it came back with some interesting history... looks like it's been used to spoof Verizon and ATT websites in the past, looking at the history. https://urlscan.io/result/b3efc554-4606-4308-a6a2-ab81eb03bc09/related/

I would really be scrutinizing this server. AV scans, even running a Wireshark capture of its traffic to see what's trying to get out of your network.

On The Off Chance, Aug 18th, 2021 at 8:46 AM
Yeah, I mean Cobalt Strike is a red-team pentesting tool (licence 3500 USD a pop per year), but there are cracked versions on the dark web being actively used by malactors. It's extremely versatile and can serve multiple purposes. Being an email server, maybe that's how the signature got onto your system? I'm not sure if it's wise to have an Internet-facing server serving as a backup server as well, but (since I don't know too much on that particular topic) I assume you've got an infected file sent as an attachment in some email. Maybe try to find out which email message exactly and you'll probably get more data off the header. In any case, please do keep us in the loop on what you find after the AV scans (obv w/out revealing sensitive data re your systems).

edit: I also assume you're running Exchange (which has had many reports recently of significant flaws), which I strongly advise against, but only you know what your situation is. We use Gmail and can make use of its Admin console. I haven't really used Exchange so I can't give advice on how to trace and/or identify stuff on there. Also, eventually you may contact the IP range holder and let them know (if they don't already lol) their service is being used for malicious purposes.

Bryce7347, Aug 19th, 2021 at 4:00 AM
If a beacon is on your systems and trying to transmit its presence back, then that can't be good; let's hope it is a false positive.

With regard to an anti-virus scan, the Cobalt Strike Beacon operator's guide has this to say:

    A Note about Anti-virus. It's a common misconception that anti-virus catches the Metasploit Framework's payloads. This is not true. Anti-virus products catch artifacts that try to stage a payload. It doesn't matter if this payload is Meterpreter or Beacon. Some artifacts (MS Office Macro attack, Cobalt Strike's Java Attacks) get past some anti-virus products. Others (Generated EXE) do not. When you generate an artifact to deliver Beacon, you will need to account for anti-virus. Since Beacon and Meterpreter use the same stagers, techniques that get Meterpreter past anti-virus will get Beacon past anti-virus too.

https://blog.cobaltstrike.com/2013/09/12/beacon-an-operators-guide/

I find interesting reading via https://otx.alienvault.com/ - in the past month they have had 4 or more 'pulses' all to do with Cobalt Strike; you might like to take a browse. For instance: "cobalt strike indicators q3 2021" or "IcedID and Cobalt Strike vs Antivirus". The 'reference' links have interesting reads.

I think the machine may need a thorough inspection, maybe from an independent OS booted to scan it... (however, I am not a security expert).

L0lo95, Aug 19th, 2021 at 1:59 PM
You should block that address on your firewall. A VirusTotal scan shows that 2 vendors have flagged that address as malicious. It is also showing some indicators of compromise. It is also linked to a malicious file "filemercadona.jnqrvwxyzBDDE.vbs". I would recommend you blacklist that address and start an investigation.
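Two of the replies above point at the same follow-up: Jeff4129's suggestion to capture the server's traffic and see what is trying to get out, and Bryce7347's note that a beacon transmits its presence back. The block below is an added example, not from the thread, of the check that makes such a capture useful. Cobalt Strike's Beacon sleeps for a configured interval plus a jitter percentage between check-ins, so a host contacting one external address at near-constant intervals stands out against ordinary browsing, which is bursty. The code groups connection records by (source, destination, port) and flags flows with enough connections whose inter-connection gaps have a low coefficient of variation. The connection records are constructed for the example (192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges; the destination reuses the address from the post only as a label), and the thresholds are assumptions to tune against your own traffic.

```python
import random
import statistics
from collections import defaultdict

# Added example, not from the thread. A record is (epoch_seconds, src, dst,
# dport): the fields a tshark export or a firewall traffic log gives you.
# Constructed browsing-shaped gaps in seconds (irregular on purpose).
NOISY_GAPS = [3, 140, 25, 610, 8, 330, 90, 12, 455, 60,
              5, 280, 15, 720, 40, 200, 9, 95, 510, 30]


def build_sample_conns():
    """Constructed traffic: one beaconing flow, one browsing flow, one short flow."""
    rng = random.Random(7)
    conns = []
    # Beacon: 60 s sleep with 10% jitter, so gaps are drawn from [54, 66] s.
    t = 0.0
    for _ in range(40):
        conns.append((t, "192.0.2.10", "45.61.136.58", 443))
        t += rng.uniform(54.0, 66.0)
    # Browsing-shaped traffic from the same host to a benign address.
    t = 0.0
    conns.append((t, "192.0.2.10", "203.0.113.5", 443))
    for gap in NOISY_GAPS:
        t += gap
        conns.append((t, "192.0.2.10", "203.0.113.5", 443))
    # Perfectly regular but too few connections to judge (a scheduled task, say).
    for i in range(5):
        conns.append((i * 60.0, "192.0.2.11", "198.51.100.7", 443))
    return conns


SAMPLE_CONNS = build_sample_conns()


def group_flows(conns):
    """Bucket connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for ts, src, dst, dport in conns:
        flows[(src, dst, dport)].append(ts)
    return flows


def interval_cv(timestamps):
    """Return (mean gap, stdev/mean of the gaps) for one flow's timestamps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if not gaps:
        return 0.0, float("inf")
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return mean, float("inf")
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(conns, min_connections=10, max_cv=0.2):
    """Flag flows with enough connections whose gaps are suspiciously regular.

    A beacon with 10% jitter gives a cv around 0.06; human-driven traffic is
    far noisier. Thresholds are assumptions: raise max_cv for high-jitter
    profiles, raise min_connections to cut noise from short bursts.
    """
    hits = []
    for (src, dst, dport), stamps in group_flows(conns).items():
        if len(stamps) < min_connections:
            continue
        mean, cv = interval_cv(stamps)
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "count": len(stamps), "mean_gap_s": round(mean, 1),
                         "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONNS):
        print(hit)
```

On the constructed data only the flow to 45.61.136.58:443 is reported; the browsing flow fails the regularity test and the five-connection flow is skipped as too short to judge. Feed it the (time, src, dst, port) columns of a real capture and sort by cv to get the candidates to look at first.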
This topic has been locked by an administrator and is no longer open for commenting.