
SOC INCIDENT LOG BOOK

No. | Incident No. | Category | Date | Incident Description
1 | ICM119381168 | P3 - Moderate | 1 Oct 2018 16:56:40 PM till 1 Oct 2018 16:58:40 PM | JTrust Bank - ZmEu Exploit Scanner activity detected from Source 179.51.66.45 towards 10.100.1.6
2 | ICM119475602 | P4 - Low | 11 Oct 2018 19:16:12 EST | JTrust Bank: Possible Spam Email Alert Triggered on Device Address 192.168.118.100
Incident Detail

Incident 1 (ICM119381168)

The SOC detected a host (179.51.66.45 - Dominican Republic based) using a malicious script or vulnerability assessment tool in an effort to probe your network to identify known vulnerabilities or exposures. As there is no authorisation for this host, the SOC is considering it an unauthorised assessment on your network. Should this attacker be successful at locating potentially exploitable vulnerabilities, follow-up attacks are likely to occur.

We have observed this scan from 179.51.66.45 targeting destination 10.100.1.6.

We have observed this incident between 1 Oct 2018 16:56:40 PM and 1 Oct 2018 16:58:40 PM (Indonesian Time (GMT+7)).

The Source Zone Name: 179.0.0.0-179.255.255.255 (IANA) and the Destination Zone Name: JTrust Bank Fall Back Zone 10
Asset criticality: unknown (0)

The source address is located in Dominican Republic. We have obtained the following whois information:

IP Location Dominican Republic Santo Domingo Mercado Electronico Dominicano
ASN AS52471 Columbus Networks Dominicana, DO (registered May 10, 2013)
Whois Server whois.lacnic.net
IP Address 179.51.66.45
inetnum: 179.51.66.40/29
status: reallocated
owner: Mercado Electrónico Dominicano
ownerid: DO-MEDO6-LACNIC
responsible: Ignacio Zanotto
address: Av. John F. Kennedy, 14,
address: - Santo Domingo - DN

We have also investigated the source reputation, and as per NTT Security Threat Intelligence it has a Malicious reputation.

The following signature was triggered upon detection of this event:
HTTP: ZmEu Exploit Scanner (Device action - Unknown)

The device action specified for this signature is "Unknown". The attempt was not dropped.

The sample alert detail is given below:

Name : HTTP: ZmEu Exploit Scanner
Manager Receipt Time : 1 Oct 2018 16:58:38 PM
Application Protocol : HOPOPT
Customer Name : JTrust Bank
Category Technique : /Exploit/Vulnerability
Category Outcome : /Attempt
Device Severity : Medium
Device Action : Unknown
Device Direction : Outbound
Device Host Name : IPS-IB02
Device Address : 10.87.1.15
Device Vendor : McAfee
Device Product : Network Security Manager
Device Inbound Interface : Vlan_15_Data
Source Address : 179.51.66.45
Source Zone Name : 179.0.0.0-179.255.255.255 (IANA)
Source Dns Domain : smtp2.med.com.do.
Source Geo Country Name : Dominican Republic
Destination Address : 10.100.1.6
Destination Zone Name : JTrust Bank Fall Back Zone 10
ACTION_CODE : 200
IV_ADMIN_DOMAIN : My Company

Note the traffic is currently being allowed by the IPS: IPS-IB02 (10.87.1.15). However, we haven't seen any reverse traffic towards the attacker IP.

Incident 2 (ICM119475602)

SOC has observed multiple Malware Alerts on Fortinet Email Gateway Device Address 192.168.118.100.

Below are the details of the triggered alerts:

Name : statistics
Message : FW: New enquiry (PO-5000659)
End Time : 11 Oct 2018 19:16:12 EST
Device Event Category : in
Device Severity : information
Device Action : Reject
Device Event Class ID : statistics
Device Host Name : Email Gateway
Device Address : 192.168.118.100
Device Zone Resource : JTrust Bank Fall Back Zone 192.168
Device Time Zone : Australia/Sydney
Device Vendor : Fortinet
Device Product : Fortimail
Attacker User Name : biz3@yikang-marine.com
Target Address : 192.168.6.100
Target Zone Resource : JTrust Bank Fall Back Zone 192.168
Target Dns Domain : jtrustbank.co.id
Target User Name : nozomi.kitaoka@jtrustbank.co.id
Device Custom String1 : w9B8G5Vk016666-w9B8G5Vl016666
Device Custom String6 : W32/Injector.EAYF!tr

Name : virus:
Message : The file New enquiry (PO-5000659).gz is infected with W32/Injector.EAYF!tr.
End Time : 11 Oct 2018 19:26:12 EST
Device Event Category : virus:infected
Device Severity : information
Device Event Class ID : 17178
Device Host Name : Email Gateway
Device Address : 192.168.118.100
Device Zone Resource : JTrust Bank Fall Back Zone 192.168
Device Time Zone : Australia/Sydney
Device Vendor : Fortinet
Device Product : Fortimail
Attacker User Name : biz3@yikang-marine.com
Analysis / Impact / Recommendation

Incident 1 (ICM119381168)

Analysis:
ZmEu is a computer vulnerability scanner which searches for web servers that are open to attack through the phpMyAdmin program. The attack is harmless if phpMyAdmin is not utilised on the target web server.

Impact:
We are considering this activity as moderate severity since traffic is currently being allowed. However, we haven't seen any reverse traffic towards the attacker IP. Successful exploitation of a vulnerability may result in potential losses to confidentiality, integrity, or availability.

Recommendation:
1- Place the signature "HTTP: ZmEu Exploit Scanner" in block mode to avoid future attempts.
2- We recommend checking if the targeted destination web server runs phpMyAdmin. If so, kindly check if it is vulnerable to the above mentioned vulnerability.
3- Block the offending IP - 179.51.66.45

Incident 2 (ICM119475602)

Analysis:
- We have observed multiple instances of similar activity.
- The attacker is targeting multiple internal users of JTrust Bank.
- The Device Action seems to be Rejected. However, we also see a "virus:infected" alert on Device Address 192.168.118.100.
- The Attacker Username belongs to Yikang Marine Services Co. Ltd. However, we have observed malware evidences suggesting Poss

Below are the JTrust internal user names to which the email was sent:
- fabiola.agnes@jtrustbank.co.id
- dian.apryani@jtrustbank.co.id
- nozomi.kitaoka@jtrustbank.co.id

We believe the alert was triggered as the Email Gateway encountered a malware signature (W32/Injector.EAYF!tr). We are raising this case to confirm whether the email activity is legitimate or not. Also, please confirm if the infected file has been cleaned, quarantined or deleted.
We saw the initial attempt at 11 Oct 2018 19:16:12 EST.
Note the traffic is currently Rejected by the Fortinet Email Gateway Device Address 192.168.118.100.
Kindly investigate and update us.
Please find the attached logs for further details.

Impact:
As the traffic is currently blocked, we have determined this activity to be low. Often malware will attempt to propagate to other internal or external networks, so it is important to have this issue addressed as soon as possible. Successful infection may cause losses to confidentiality, integrity, or availability.

Recommendation:
We recommend you investigate the targeted asset locally to determine if it is indeed infected. It is primarily recommended to isolate the asset from the network until the malware is contained and eradicated.
Please consider using anti-virus software and registry inspection tools to diagnose and clean the infection.
If it is not possible to isolate the asset from the network, then ensure appropriate anti-virus scanning can be performed. Also, ensure that the engine has the latest updates available.
If after scanning no malware has been identified, please let the SOC know so we can assist you further.
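The two assessments above follow the same pattern: read the "Key : Value" alert detail, check whether the device actually stopped the traffic, and grade the incident accordingly. The script below is an added example (not part of the log book and not the SOC's tooling) that parses alert blocks in that layout and reproduces the two triage outcomes: an allowed scan is moderate and gets the signature moved to block mode, while a rejected malicious mail is low but still requires the recipient host to be checked. The sample alert text is constructed here from the fields quoted on the page; the set of "blocking" device actions and the P3/P4 mapping are assumptions for the example.

```python
"""Parse the 'Key : Value' alert detail blocks quoted in the log book and
apply the same triage reasoning the analysts used for the two incidents."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: two alert blocks typed in here in the same "Key : Value"
# layout as the log book (values mirror the two incidents, trimmed to the
# fields the triage needs). Blocks are separated by a blank line.
SAMPLE_ALERTS = """\
Name : HTTP: ZmEu Exploit Scanner
Category Technique : /Exploit/Vulnerability
Category Outcome : /Attempt
Device Severity : Medium
Device Action : Unknown
Device Host Name : IPS-IB02
Source Address : 179.51.66.45
Destination Address : 10.100.1.6

Name : virus:
Message : The file New enquiry (PO-5000659).gz is infected with W32/Injector.EAYF!tr.
Device Event Category : virus:infected
Device Severity : information
Device Action : Reject
Device Host Name : Email Gateway
Device Address : 192.168.118.100
Attacker User Name : biz3@yikang-marine.com
Target Address : 192.168.6.100
Target User Name : nozomi.kitaoka@jtrustbank.co.id
"""

# Device actions taken to mean the IPS/gateway stopped the traffic (assumed set).
BLOCKING_ACTIONS = {"reject", "drop", "block", "deny"}


def parse_alerts(text: str) -> list[dict[str, str]]:
    """Split blank-line-separated blocks into dicts of field -> value.
    Only the first ' : ' splits key from value, so values that contain a
    colon themselves ('HTTP: ZmEu ...', 'virus:') are kept intact."""
    alerts: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                alerts.append(current)
                current = {}
            continue
        key, sep, value = line.partition(" : ")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        alerts.append(current)
    return alerts


def malware_signature(alert: dict[str, str]) -> str | None:
    """Pull the AV signature out of a FortiMail 'infected with ...' message;
    fall back to Device Custom String6, which carried it in the log book."""
    m = re.search(r"infected with (\S+)", alert.get("Message", ""))
    if m:
        return m.group(1).rstrip(".")
    return alert.get("Device Custom String6")


@dataclass
class Triage:
    severity: str
    reasons: list[str] = field(default_factory=list)
    actions: list[str] = field(default_factory=list)


def triage(alert: dict[str, str], reverse_traffic_seen: bool = False) -> Triage:
    """Allowed scan -> moderate, signature to block mode; rejected malicious
    mail -> low, but the recipient host still gets investigated."""
    action = alert.get("Device Action", "Unknown")
    blocked = action.lower() in BLOCKING_ACTIONS
    result = Triage(severity="P4 - Low" if blocked else "P3 - Moderate")
    name = alert.get("Name", "")
    if "Exploit Scanner" in name or alert.get("Category Technique") == "/Exploit/Vulnerability":
        src, dst = alert.get("Source Address"), alert.get("Destination Address")
        result.reasons.append(
            f"scan from {src} towards {dst} was {'blocked' if blocked else 'allowed'} "
            f"by {alert.get('Device Host Name')} (Device Action: {action})")
        result.reasons.append("reverse traffic towards the source was "
                              + ("seen" if reverse_traffic_seen else "not seen"))
        if not blocked:
            result.actions.append(f'place signature "{name}" in block mode')
        result.actions.append(f"block the offending IP {src}")
        result.actions.append(f"check whether {dst} runs phpMyAdmin and, if so, whether it is exposed")
    elif alert.get("Device Event Category", "").startswith("virus:"):
        result.reasons.append(
            f"mail from {alert.get('Attacker User Name')} to {alert.get('Target User Name')} "
            f"matched {malware_signature(alert)}; gateway action was {action}")
        result.actions.append(
            f"investigate {alert.get('Target Address', 'the targeted asset')} locally and "
            "isolate it until the malware is contained and eradicated")
        result.actions.append("confirm the infected file was cleaned, quarantined or deleted")
    else:
        result.reasons.append("no triage rule matched; review manually")
    return result


if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE_ALERTS):
        t = triage(alert)
        print(alert.get("Name"), "->", t.severity)
        for line in t.reasons + t.actions:
            print("   ", line)
```

Running the script prints the two gradings from the log book (P3 for the allowed ZmEu scan, P4 for the rejected infected mail) with the reasons and follow-up actions; `reverse_traffic_seen` is the one input the alert itself cannot supply and has to come from the analyst's own traffic check.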
Corrective Action | Status | Date

Incident 1 (ICM119381168):
HTTP: ZmEu Exploit Scanner already blocked | Closed | 02-10-2018
Targeted destination web server does not run phpMyAdmin | Closed | 04-10-2018
Offending IP - 179.51.66.45 already blocked | Closed | 04-10-2018

Incident 2 (ICM119475602): | Open
