| Finding | Description | Recommended action |
|---|---|---|
| App: ActivateTBKS | This Android app, pre-installed on The Creative Life (TCL) devices, can steal device and user data. It can also silently install and uninstall Android Application Packages (APKs). | Track down the endpoint by using the available details and uninstall the application. |
| IPTV: Abandoned platform | Endpoint is communicating with an abandoned Chinese-based IPTV platform. | Track down the IPTV system by using the available details and disable the insecure application. |
| IPTV: LiveTV add-on | Endpoint is a software media center with an abandoned Live TV add-on. | Track down the IPTV system by using the available details and disable the insecure application. |
| Mobile debug firmware: IMEI: 123XXX | Mobile endpoint contains firmware with rootkit capabilities disguised as a debug tool, and should not be communicating. | Use the available details about the device to track down the source, and then update or disable access to personally identifiable information and confidential data on the device. Ensure the device receives a thorough security review. |
| Proxy auto-discovery configuration | The communication was detected by sinkholing: the endpoint used the Web Proxy Auto-Discovery Protocol (WPAD) to contact an abandoned or expired domain that your company does not own. WPAD therefore reached out externally, which lets a malicious actor who controls that domain eavesdrop on the communication. WPAD itself is safe to use on properly secured domains. | Search the web traffic logs, locate the system using the proxy, and then disable or update the proxy auto-discovery configuration. See troubleshooting. |
| Service: SMB | Endpoint is reaching out to a Windows NetBIOS network via an abandoned domain. | Track down the system accessing the SMB service by using the available details, and then reconfigure or disable the destination access. Reevaluate your systems contacting remote services. For additional security, block the SMB ports on company edge network infrastructure. If NetBIOS connectivity is required, tunnel any connections through a secure Virtual Private Network (VPN) connection. Implement strong passwords and either strong password handling protocols or a key authentication system. |
| IPTV: Swarmcast | Endpoint is using abandoned “Swarmcast” internet television services. | Track down the IPTV system by using the available details and disable the insecure application. |
| Remote management: Symantec patches | Corporate endpoints are contacting abandoned domains from the Symantec patch management solution (Altiris). | Track down the endpoint system by using the available details, and then reinstall or remove the related insecure application. |
| Remote management: McAfee ePolicy | Corporate endpoints are contacting abandoned domains from McAfee ePolicy Orchestrator (McAfee ePO). | Track down the endpoint system by using the available details, and then reinstall or remove the related insecure application. |
| Remote management: Symantec EPM | Corporate endpoints are contacting abandoned domains from Symantec Endpoint Protection Manager. | Track down the endpoint system by using the available details, and then reinstall or remove the related insecure application. |
| Remote management: mydlink | D-Link routers are using abandoned service domains from the “My DLink” portal. | Track down the endpoint system by using the available details, and then reinstall or remove the related insecure application. |
| Remote management: TR-069 CPE | Customer-premises equipment (CPE) devices are using the TR-069 protocol for remote management on abandoned domain names. | Track down the endpoint system by using the available details, and then reinstall or remove the related insecure application. |
| Remote management: Citrix PN Agent | Devices are using the Citrix Receiver PN Agent over abandoned domains. | Track down the endpoint system by using the available details, and then reinstall or remove the related insecure application. |
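One way to turn the "Proxy auto-discovery configuration" finding into a log check: the following added example (not from the original page or its vendor) scans constructed web-proxy log lines for wpad.dat fetches whose host falls outside an assumed set of company-owned DNS suffixes. The log line format and the `COMPANY_DOMAINS` list are assumptions for the example.

```python
"""Flag WPAD (Web Proxy Auto-Discovery) fetches that leave the company's own
DNS suffixes. Log format and company domains below are constructed."""
import re
from urllib.parse import urlsplit

# Assumption: the DNS suffixes your company owns and controls.
COMPANY_DOMAINS = {"corp.example", "example.com"}

# Constructed sample web-proxy log lines: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 10.1.2.3 GET http://wpad.corp.example/wpad.dat 200
2024-05-01T08:00:05Z 10.1.2.7 GET http://wpad.sales-example.net/wpad.dat 200
2024-05-01T08:00:09Z 10.1.2.9 GET http://intranet.corp.example/index.html 200
2024-05-01T08:00:12Z 10.1.2.11 GET http://wpad.example.com/wpad.dat 404
2024-05-01T08:00:15Z 10.1.2.11 GET http://wpad.expired-partner.org/wpad.dat 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def is_company_host(host: str) -> bool:
    """True when host is one of the company domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in COMPANY_DOMAINS)

def is_wpad_request(host: str, path: str) -> bool:
    """WPAD clients fetch wpad.dat, usually from a host named wpad.<suffix>."""
    return path.lower().endswith("/wpad.dat") or host.lower().startswith("wpad.")

def find_external_wpad(log_text: str) -> list[dict]:
    """Return WPAD fetches whose target host is outside the company domains."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, _method, url, status = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        if is_wpad_request(host, parts.path) and not is_company_host(host):
            findings.append({"time": ts, "client": client, "host": host, "status": int(status)})
    return findings

if __name__ == "__main__":
    for f in find_external_wpad(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} fetched WPAD config from external host "
              f"{f['host']} (HTTP {f['status']})")
```

Each flagged client is a system to locate and reconfigure; a 404 from an external WPAD host still shows the client asked an outside domain for its proxy settings.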