Are you all getting these notifications…?
We manage plenty of tenants, and all of them are getting these alerts. I tried to disable them by turning them off, but we are still getting e-mails.
Created a Critical case on the support center, but no response yet.
Thoughts?
We’ve gotten a handful of those. None of our other tools are alerting and on one of them the address was reported as “slscr.update.microsoft.com”, which is Windows Update. So it appears to be a false positive, but we’re monitoring.
Thank you @lwagner, really appreciate it.
No statement yet from Rapid7…
Please do update this if you hear something just so we’ve got confirmation. Thanks!
Created By: Salesforce System 8/9/2024, 11:12
Hey mmur, how are you? Yes, we are seeing this coming in for many customers at the moment, as the detection rule was updated with additional IoCs. I would recommend, if you see these alerts as benign, to implement your own exceptions while our detection rule team looks into the alert.
Kind Regards, Lee
Interesting, when I looked at the rule it is turned off, but the date modified is still in July…
Hi there. The rule has been turned off for evaluation. Yesterday IOCs were added from a recent CISA report related to BlackSuit.
Was this turned off because of these alerts? It says last modified July.
I did it myself but still receiving alerts…
Interesting because in that case how trustworthy are the datestamps?
We haven’t received any since about 30 minutes ago.
I’ve been hit with a load of these, IPs track back to MS but they’re all listed in here - #StopRansomware: Blacksuit (Royal) Ransomware | CISA
Glad I found this thread, I nearly puked
15 for me, thanks for the feedback
I’m laughing at your post because it looks like you went through the same process as me.
I think in this case CISA did a pretty poor job at attribution and should have done a lot more work before including all those IOCs in the report.
We received 5 notifications which matched this:
"destination_address": "93.184.221.240",
"destination_port": "80",
this is the IOC entry from CISA: https://www.cisa.gov/sites/default/files/2024-08/aa23-061a-stopransomware-blacksuit-royal-ransomware.pdf
93.184.221[.]240 July 2024 IP associated with reverse lookup of Socss.exe
So can we ignore it?
Based on the information gathered from looking at the domains in the investigations, the information from this thread and the CISA page linked in it, combined with the fact that it looks like Rapid7 has turned the detection rule off for our environment, I would say it's most likely a false positive caused by an attribution error. But I'm keeping an eye out for further information, or maybe a message from Rapid7 themselves.
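As an added example (not code from any poster in this thread or from Rapid7), a small triage helper for the situation described above: it takes an alert in the shape quoted earlier, checks whether the destination is on a defanged IoC list, and, when the reverse-DNS name belongs to known update infrastructure, marks the hit as a likely false positive rather than suppressing it outright. The IoC table, the reverse-DNS answers and the benign suffix list are constructed assumptions for an offline run; a live PTR lookup would replace the RDNS dict.

```python
import ipaddress

# Constructed sample alerts in the shape quoted in this thread.
ALERTS = [
    {"destination_address": "93.184.221.240", "destination_port": "80"},
    {"destination_address": "198.51.100.23", "destination_port": "443"},
]

# Constructed IoC table in the defanged style of the CISA report
# (only the first entry is taken from the thread; the second is made up).
IOCS = {
    "93.184.221[.]240": "July 2024 IP associated with reverse lookup of Socss.exe",
    "198.51.100[.]23": "constructed sample entry",
}

# Constructed reverse-DNS answers standing in for a live PTR lookup
# (socket.gethostbyaddr would be used online).
RDNS = {
    "93.184.221.240": "slscr.update.microsoft.com",
}

# Hostname suffixes treated as update infrastructure (assumption; tune per tenant).
BENIGN_SUFFIXES = (".update.microsoft.com", ".windowsupdate.com")


def refang(ioc):
    """Turn a defanged indicator such as 93.184.221[.]240 back into a plain IP."""
    return ioc.replace("[.]", ".")


def triage(alert, iocs=IOCS, rdns=RDNS):
    """Classify one alert: no IoC match, likely false positive, or needs review.

    Returns (verdict, rdns_hostname). A benign reverse-DNS name only lowers
    priority; the hit is still recorded so an analyst can confirm it.
    """
    ip = alert["destination_address"]
    ipaddress.ip_address(ip)  # reject malformed input instead of silently passing it
    note = next((n for ioc, n in iocs.items() if refang(ioc) == ip), None)
    if note is None:
        return ("no_ioc_match", None)
    host = rdns.get(ip, "")
    if host.endswith(BENIGN_SUFFIXES):
        return ("likely_false_positive", host)
    return ("needs_review", host or None)


if __name__ == "__main__":
    for a in ALERTS:
        print(a["destination_address"], "->", triage(a))
```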
Have there been any additional updates on this issue over the weekend? We got a lot of these alerts last Friday and put our entire department on high alert.
It seems like it is likely a false positive, but I’d like to see an official statement or something.
Hey @cpitcher, no statement at all; at least they replied to me last night with the following:
"Hi,
Our SOC Team has notified us that the detection rules have been re-enabled, and the correct rules are now in place.
Suspicious Process: BlackSuit Related Binary Executed
Suspicious Asset Authentication: Hostname Related to BlackSuit Ransomware
Suspicious Web Request: BlackSuit URL Observed
Please let us know if you have any further questions or concerns.
Amr Saleh
Senior Manager, Technical Support
Rapid7"
Thank you!