Symantec Reported Nuclear Exploit Kit Website Attack

I'm running Symantec Endpoint Protection 12.1.6 on a Windows 7 PC. It's joined to a Windows 2003 Server.  (We're working on migrating away from server 2003.)

This morning I got a Symantec popup with the message 'Nuclear Website Attack'  I checked the Symantec traffic log and do see incoming ethernet traffic being blocked.  The MAC addresses show, but no IP addresses.  I ran arp-a and found MAC addresses, but they don't match the Source MAC addresses being blocked.  There are a few static IP addresses that come up in a totally different range than what I use.  (I don't know if that's a problem or not.)

Any ideas on how to run down the source of the problem?

Thanks,

Steve
stkoontz Asked:
gheist Commented:
You need to find the network port which has the exploit kit active and attacking the rest of the machines using MAC addresses, and disconnect it ASAP. Assume your unpatched Windows server is hacked but dormant too.
btan (Exec Consultant) Commented:
This is because Symantec's IPS is blocking an intrusion attempt on your system.
This alert can be caused when you visit any untrusted link. If you are getting this alert while browsing, then your system is safe up till now. As a precaution, you can delete your browser cookies to prevent repetition of this trigger.
http://www.symantec.com/connect/forums/sid-25701-web-attack-exploit-toolkit-website-4-detected-traffic-has-been-blocked-application

Also check the Intrusion Prevention or Network Threat Protection logs within the Endpoint Protection Manager (SEPM). These are separate from the antivirus logs and events. To view all of the Intrusion Prevention or Network Threat Protection events (you should be able to see "Remote Host IP"):
1. Log onto SEPM
2. Click on the "Monitors" button
3. Click on the "Logs" tab
4. Select the "Network Threat Protection" log type
5. Select the "Attacks" log content
6. Click the "View Log" button

Ref - Do see the IPS alert section
http://clientui-kb.symantec.com/resources/sites/BUSINESS/content/live/DOCUMENTATION/6000/DOC6404/en_US/Network%20Intrusion%20Prevention%20System%2011.x%20User%20Guide.pdf
gheist Commented:
You can sniff some colds browsing cookies - delete them and use a better browser in future....
btan (Exec Consultant) Commented:
Rightfully, such a redirect to a malicious site or even a "foul play" malvertisement should be alerted on by the browser itself too.

For info, the Nuclear exploit kit is capable of deploying a wide range of attacks, from Flash, Silverlight, PDF, and Internet Explorer exploits to the possibility of launching advanced pieces of malware and ransomware. The latest Nuclear exploit (CVE-ID: CVE-2015-0336) is on Adobe Flash Player.

Besides SEP itself, I suggest the below too for vigilance.
• Keep your Windows operating system and your vulnerable software up-to-date with the latest security patches, in this case Adobe Flash Player.
• Create a backup of your operating system or of your most important data.
• To control the Adobe Flash Player browser integration, enable the "click-to-play" plug-in that lets you control Flash Player content loading.
If you decide that removing Flash altogether or disabling it until needed is impractical, there are in-between solutions. Script-blocking applications like Noscript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.

Another approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users who decide to keep Flash installed and/or enabled also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft
See http://krebsonsecurity.com/2015/06/a-month-without-adobe-flash-player/

gheist Commented:
Flash Player is included in Windows 8.1 and you need to rip away all Internet Explorer features to get rid of it....
stkoontz (Author) Commented:
Thanks to everyone for jumping in to help. How do I tell if the attacks are coming from another computer on the network or from a website I visited? That seems to be the place to start.

I didn't have SEPM installed on the server.  I'm downloading and installing it now.

Steve
gheist Commented:
It is too late to install.
Your SEP logs can tell IF you browsed a bad website or someone sweep-scanned SEP management web servers and planted trojans there...
stkoontz (Author) Commented:
gheist,

Under "Network Threat Protection" the "Packet Log" comes up blank.    The "Traffic Log" is showing the blocked ports.

Here's the info...

Protocol - Ethernet
Action - Blocked
Remote MAC - 10-BD...
Severity: 10
Direction: Incoming
Remote Host 0.0.0.0
Remote Port: 0
Local Host: 0.0.0.0
Local MAC: 01-00...
Local Port: 0
Application: blank
User: has my login name
User Domain:  has my domain name
Location: Default
Occurrences: 1
Begin Time: About every second a new one hits
Rule: Block All
gheist Commented:
Can you recover the first three octets of the remote MAC to look up in the IEEE list who made the network card, to help your troubleshooting?
stkoontz (Author) Commented:
What is "IEEE" list?
gheist Commented:
IANA of MAC addresses.
stkoontz (Author) Commented:
I'm a newbie with all of this. What is IANA?
gheist Commented:
Here you find the manufacturer of the offending network card (if that is your router, the attack comes from outside and Symantec saved your day; if it is another machine, prepare for a weekend reinstall session):
http://standards-oui.ieee.org/oui.txt
IANA is the organisation that deals IP addresses out to continents; then the continental IP registries hand smaller pieces to providers in their continent.
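A small triage script, added here as an example for this thread (it is not Symantec's or the IEEE's code): it parses the "Field - value" records of the kind the asker pasted from the SEP Traffic Log, looks the first three octets of each Remote MAC up in an oui.txt-format table as gheist suggests, and classifies the Local (destination) MAC by the I/G bit of its first octet so multicast and broadcast frames stand out from unicast ones. The OUI entries, MAC addresses and log records embedded below are constructed placeholders; for real lookups feed it the downloaded oui.txt and the real log.

```python
"""Triage helper for SEP 'Traffic Log' records as pasted in this thread.
Example code written for this thread, not Symantec's or the IEEE's tooling.
Assumes 'Field - value' / 'Field: value' lines with a blank line between
records, and OUI data in the IEEE oui.txt layout. All samples are constructed."""
import re

# Constructed excerpt in the oui.txt layout; the '(hex)' lines carry the key.
# Vendor names are placeholders, not real IEEE assignments.
SAMPLE_OUI_TXT = """\
AA-BB-01   (hex)\t\tExampleSwitchCo (constructed)
AABB01     (base 16)\t\tExampleSwitchCo (constructed)

AA-BB-02   (hex)\t\tExamplePhoneCo (constructed)
AABB02     (base 16)\t\tExamplePhoneCo (constructed)
"""

# Constructed records in the field layout the asker pasted (fake MACs).
SAMPLE_LOG = """\
Remote MAC - AA-BB-01-11-22-33
Remote Host 0.0.0.0
Local MAC: 01-00-5E-00-00-FC

Remote MAC - AA-BB-02-44-55-66
Remote Host 0.0.0.0
Local MAC: 33-33-00-00-00-01

Remote MAC - aa-bb-01-11-22-33
Remote Host 0.0.0.0
Local MAC: 01-00-5E-00-00-FC
"""

OUI_LINE = re.compile(r"^([0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$", re.I)


def parse_oui(text):
    """Map 'AABB01' -> vendor using only the '(hex)' lines of oui.txt text."""
    table = {}
    for line in text.splitlines():
        m = OUI_LINE.match(line)
        if m:
            table[m.group(1).replace("-", "").upper()] = m.group(2)
    return table


def normalise_mac(mac):
    """Drop separators and upper-case: '10-bd-18-aa-bb-cc' -> '10BD18AABBCC'."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).upper()


def vendor_for(mac, table):
    """Vendor registered for the first three octets (the OUI), if known."""
    return table.get(normalise_mac(mac)[:6], "unknown (not in table)")


def mac_kind(mac):
    """unicast / multicast / broadcast from the I/G bit of the first octet."""
    hexmac = normalise_mac(mac)
    if len(hexmac) < 2:
        return "unknown"
    if hexmac == "FF" * 6:
        return "broadcast"
    return "multicast" if int(hexmac[:2], 16) & 0x01 else "unicast"


def split_field(line):
    """'Remote MAC - x', 'Local MAC: y' or 'Remote Host 0.0.0.0' -> (key, value)."""
    for sep in (" - ", ":"):
        if sep in line:
            key, value = line.split(sep, 1)
            return key.strip(), value.strip()
    key, _, value = line.strip().rpartition(" ")  # field pasted without separator
    return key, value


def parse_traffic_log(text):
    """One dict per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, value = split_field(line)
        current[key] = value
    if current:
        records.append(current)
    return records


def triage(log_text, oui_text):
    """Per remote MAC: hit count, OUI vendor, and kinds of destination MAC seen."""
    table = parse_oui(oui_text)
    summary = {}
    for rec in parse_traffic_log(log_text):
        rmac = normalise_mac(rec.get("Remote MAC", ""))
        entry = summary.setdefault(rmac, {"count": 0, "vendor": vendor_for(rmac, table),
                                          "dest_kinds": set()})
        entry["count"] += 1
        entry["dest_kinds"].add(mac_kind(rec.get("Local MAC", "")))
    return summary


if __name__ == "__main__":
    for mac, info in triage(SAMPLE_LOG, SAMPLE_OUI_TXT).items():
        print(mac, info["count"], info["vendor"], sorted(info["dest_kinds"]))
```

Point it at the real pasted log and the downloaded oui.txt instead of the samples. The classification matters for reading the entries in this thread: a Local MAC starting 01-00-5E is the IPv4 multicast range and one starting 33-33 is IPv6 multicast, so a "Block All" rule firing on those with Remote Host 0.0.0.0 is LAN multicast being dropped rather than an IP-addressed connection, which is worth separating from the IPS signature hit before deciding which machine to pull.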
stkoontz (Author) Commented:
I looked 2 of the Remote MAC addresses up. One is from Cisco Systems. The other 2 are from Apple. What does that tell me?
btan (Exec Consultant) Commented:
I also notice the protocol is Ethernet, which refers to the family of local-area network (LAN) protocols. It should be coming from some Cisco device in the LAN; it may be good to identify that device/system by searching it out via its MAC address. That device may be doing some "default enabled" broadcast over IPv6 and over IPv4, and maybe using AppleTalk etc.
See this http://www.symantec.com/connect/forums/network-threat-protection-logs-show-blocked-incoming-0000
Regardless, I am suspecting the Cisco is just another proxy through from the remote host. Maybe the log from the Cisco can help to correlate the remote source..
stkoontz (Author) Commented:
We have 1 Cisco switch on the network, but the MAC address on the switch and the remote MAC address in SEP have different MAC addresses.  Just the last 2 digits are different, though.

I logged into the Cisco switch and found the logs.  There's nothing in there dated past 2012.

Thanks for helping me with this.  I do appreciate it.

Steve
gheist Commented:
Set the clock on the Cisco....
Sadly, with the crumbs you pass it is hard to help with your incident.
The traffic logged and shown is not related to the incident at all.
Please take your time to review the logs.
Symantec says you browsed nasty sites:
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23534
If you did so with old plugins without EMET you will never get past the rootkits installed to see what really happened.
stkoontz (Author) Commented:
I don't understand 'set the clock on cisco....'  

Steve
gheist Commented:
When you power on a Cisco router it charges the clock supercapacitor and starts to count time from the first minute of an odd year UTC.
Given the clock is years off, it is of no value for analysis.
Please check *ALL* logs for any notice of the exploit kit. There should be one.
stkoontz (Author) Commented:
I looked carefully through all the menu options and looked through anything that looked like a log.

I'm way over my head.  I appreciate the help, but I'm going to have to call our network consultants to see if they can look at the system since I'm not able to give you the information you need to help me solve the problem.

Steve
gheist Commented:
I'd call Symantec first; they will know better what action you have to take (their help says you have to take action).
btan (Exec Consultant) Commented:
If you do have any other hardware device such as the internet router, web proxy or even firewall, do look at their logs and see if there is any recent alert. Also check your client machine event log to see any anomalous events that are worth a hint. Good to get those network and infra teams to chip in too..

Just to share also that recently it was reported that many WordPress-based sites are exploited to redirect users browsing the site to a Nuclear-kit-laden server, infecting that same user. This may be an instance where your user has done that too and been victimised. The network logs from the proxy will tell of those visits.. or browser history possibly..
https://blog.sucuri.net/2015/09/wordpress-malware-active-visitortracker-campaign.html
https://blog.sucuri.net/2015/09/wordpress-malware-active-visitortracker-campaign.html
David Johnson, CD, MVP (Owner) Commented:
One of the most infamous exploit kits known as “Nuclear” has implemented an exploit in Adobe Flash Player that was patched just a week ago. The exploit in question is related to CVE-ID: CVE-2015-0336.

If you have not patched your Adobe Flash Player yet, you should do it as soon as possible. This exploit kit is able to deliver malicious code to Windows operating systems that lack the latest security patch from Adobe. The problem becomes so much more severe if we take into account that now this exploit kit is able to deliver not data stealing malware, but ransomware.
http://bit.ly/1NF4kOn
stkoontz (Author) Commented:
Thanks for the help.  I think it's under control now.