How can we prevent Intrusion.Generic.CVE-2021-44228.a attacks?

[LouisLewis]

Hello,

Our company recently experienced a brief attack with the IP address and attack method shown in the attached image. Although we are using KES and have a firewall in place, this attack still caused a temporary disruption to our service.

I'm concerned that this might happen again in the future, so I would like to ask if anyone with experience in handling such situations could help me with a solution to improve our protection. Or could it be that I have not configured KES properly?

Thank you,

[Renan Corassa]

Does the organization have any active vulnerability scanning tools?

[KarDip]

Hello @ LouisLewis

 

To address the attack and improve your protection, I’ll walk you through several possible solutions to enhance your Kaspersky Endpoint Security (KES) configuration and bolster your network defenses. Since this attack caused a disruption, it indicates either a potential misconfiguration or an area where additional layers of protection are needed.

Here’s a step-by-step approach to strengthen your setup:

---

1. Review Kaspersky Configuration and Policies

Application Privilege Control:

• Ensure Application Control is fully enabled and configured.
• Set up Network Rules to restrict certain IP addresses or block applications that attempt suspicious outbound or inbound connections.

Intrusion Detection and Prevention (IDS/IPS):

• Enable the Network Attack Blocker feature in KES if it’s not already active. This module can detect and prevent suspicious network behavior.

Web Control:

• Use Web Control policies to block access to malicious sites or IPs flagged during the attack.
• Cross-check the IP in Kaspersky’s threat intelligence or an external source like VirusTotal to confirm its malicious intent.

---

2. Block the Attacking IP Address on the Firewall

Even though KES offers endpoint protection, it is crucial to complement it with perimeter defenses.

1. Add the IP to your firewall blocklist.
2. Use Geo-blocking if the attack originates from a suspicious or irrelevant region.
3. Implement Rate Limiting or Traffic Shaping on your firewall to mitigate DDoS or flood attacks.

---

3. Enable Firewall and Host Intrusion Prevention on Endpoints

Make sure that KES Firewall is properly configured:

• Add a custom rule to block the specific IP address involved in the attack.
• Enable Host Intrusion Prevention (HIPS) to detect and block exploitation attempts on endpoints.

---

4. Update Threat Feeds and Indicators of Compromise (IoC)

1. Use Kaspersky's Threat Intelligence feeds and any available IoCs to proactively block known bad IPs or domains.
2. If your KES has EDR (Endpoint Detection and Response) or Threat Hunting capabilities, upload any indicators (e.g., the attack method or IP address) to block future attempts.

---

5. Advanced Logging and Alerts Setup

Enable event logging and notifications in Kaspersky Security Center (KSC):

• Configure alerts for specific events such as repeated failed login attempts, new IP connections, or brute force attacks.
• Integrate KSC with your SIEM solution to get real-time monitoring and correlate logs for suspicious activity.

---

6. Check for Configuration Gaps

1. Run a KES Policy Audit:
   Make sure all machines have the latest KES policies applied.

   • Use Security Profile Reports in KSC to identify any endpoints with incorrect configurations.

2. Install Kaspersky Network Agent (NA) on all endpoints to ensure real-time communication with KSC. This helps with quick policy updates and ensures accurate reporting.

---

7. Complementary Security Measures

• Implement Multi-Factor Authentication (MFA): This mitigates risks from unauthorized login attempts.
• Patch Management: Ensure all software on your endpoints is up-to-date to avoid vulnerabilities.

---

Summary of Actions:

• KES Configuration: Ensure IDS/IPS and firewall rules are configured correctly. Add IP-specific block rules.
• Firewall Configuration: Block the attacker’s IP and implement rate limiting.
• Alerts & Notifications: Enable logging and alerts for suspicious activity in KSC.
• Threat Intelligence: Regularly update Kaspersky with IoCs and threat feeds to block known malicious IPs proactively.

By reinforcing both KES and your network firewall, you’ll minimize the chances of a future attack causing service disruptions. If you need help auditing your Kaspersky setup or configuring any of the above features, let me know!

Thank you

Edited October 19 by KarDip
Spellchecker

[Gigabyte]

I got this issue with the same CVE nearly every few weeks for a long time. The attacker was from my Unifi Access Point to the Kaspersky Security Center server. There were several Unifi Access Point devices on my site and not only from a specific one. The Access Point was already updated to the latest version.

The network attack report only showing from Access Point IP to the Kaspersky Security Center server (KES installed). Also my question is the attacker really from the AP itself or from the connected AP devices?

Edited October 28 by Gigabyte

[KarDip]

8 hours ago, Gigabyte said:

I got this issue with the same CVE nearly every few weeks for a long time. The attacker was from my Unifi Access Point to the Kaspersky Security Center server. There were several Unifi Access Point devices on my site and not only from a specific one. The Access Point was already updated to the latest version.

The network attack report only showing from Access Point IP to the Kaspersky Security Center server (KES installed). Also my question is the attacker really from the AP itself or from the connected AP devices?

Hello @Gigabyte

This sounds like a very a complex issue, but I’ll TRY an help you break it down and determine whether the attacks are originating from your UniFi Access Point (AP) itself or from devices connected to it. Your scenario points toward the possibility of compromised AP devices, misconfigurations, or vulnerabilities in your wireless infrastructure. Here's a structured approach to investigate and resolve the issue.

---

1. Possible Attack Sources

• Compromised UniFi APs: Even with the latest firmware, APs can be exploited if the configuration isn’t secure or there are backdoors.
• Connected Devices (Clients): If the attack originates from an infected or rogue device connected via the AP, it would appear in your logs as traffic from the AP’s IP address.
• Spoofed Traffic: Attackers may spoof the AP’s IP, making it look like the AP initiated the attack.
• Internal Exploitation: Misconfigured access controls or network segmentation issues could allow lateral movement across your infrastructure.

---

2. What is the CVE Mentioned?

If the attacks are recurring with the same CVE (Common Vulnerabilities and Exposures):

• Research the specific CVE to understand if it is linked to:
  • Firmware or software vulnerabilities on the UniFi AP.
  • Kaspersky Security Center vulnerabilities (if it affects the KSC endpoint server).
  • Any related vulnerabilities that allow lateral movement between connected devices.
• Ensure both Kaspersky Security Center and UniFi firmware are patched for the CVE mentioned.

---

3. Confirming if the Attack is from the AP or Connected Devices

Approach 1: Isolate and Monitor the APs Individually

• Disconnect one AP at a time and monitor if the attacks stop.
• If the attacks persist regardless of the AP, the source could be an infected device connecting to multiple APs dynamically.

Approach 2: Use UniFi Controller Logs and Statistics

• Access the UniFi Network Controller to view connected client history and network statistics.
• Cross-reference timestamps between the UniFi logs and the attack attempts in the Kaspersky Security Center report.
• Look for unusual traffic from specific MAC addresses or devices connected to the AP.

Approach 3: Enable AP Client Isolation and Monitor

• Enable client isolation on the UniFi APs to block direct communication between clients.
• Monitor if this limits the attacks, which may indicate the issue stems from client devices.

---

4. Hardening the UniFi AP and Network Infrastructure

Even if the AP firmware is up to date, additional hardening can help:

1. Restrict SSID Access:
   • Use MAC address filtering and VLANs to separate critical and guest networks.
2. Enable WPA3 or Strong Encryption:
   • Ensure WPA3 or the latest security standard is enabled.
3. Segment the AP Network:
   • Place APs on a separate VLAN to restrict access to internal services, like the Kaspersky Security Center.
4. Disable Unused Services:
   • Turn off unnecessary AP features (e.g., mesh networking if not required) to reduce the attack surface.
5. Limit Device IP Range:
   • Restrict the IP pool assigned to AP clients to detect unexpected devices.

---

5. Conduct a Network Security Scan and Device Health Check

• Use tools like Nmap or Wireshark to scan the network for open ports, suspicious activity, or rogue devices.
• Perform device health checks on all AP-connected devices to ensure they are not infected with malware.

---

6. Use Kaspersky's Security Features to Strengthen Defense

• Restrict Network Traffic: Use Kaspersky's Network Attack Blocker to block unwanted traffic originating from the AP IP range.
• Apply Firewall Rules: Set up rules on Kaspersky Security Center to block unnecessary inbound connections from the AP segment.
• Configure Alerts and Automated Actions: Ensure Kaspersky generates real-time alerts for attacks and isolates the targeted system automatically when needed.

---

7. Prevent Spoofing and Network Scanning Attempts

• Enable ARP poisoning/spoofing prevention in both UniFi and firewall settings.
• Use IDS/IPS systems to detect and block IP spoofing attempts.

---

Next Steps

• Evaluate AP Behavior: If the attacks persist from multiple APs, it’s likely that connected client devices or malware inside your network is the issue.
• Check UniFi Support/Forums: Search or open a ticket with UniFi support to see if others have reported similar issues.
• Audit All Connected Devices: Consider performing penetration tests or a network audit to catch infected devices within the network.

---

By systematically isolating the APs, analyzing logs, and securing both APs and client devices, you should be able to narrow down the attack source. Let me know if you need further guidance on any specific step!

Thank you

Edited October 28 by KarDip
edit content

[KarDip]

Hello @Gigabyte

Quote: Also my question is the attacker really from the AP itself or from the connected AP devices?

____________________________________________________________________________________________________________________________

Okay to determine whether the attack is originating from the UniFi Access Point (AP) itself or from devices connected to it, here’s how you can distinguish between the two possibilities systematically:

---

Scenario Analysis: AP vs. Connected Devices as Attack Sources

Case 1: Attack Originating from the AP

• Firmware Exploitation: The AP may have been compromised despite the latest updates (e.g., a backdoor exploit or misconfiguration).
• Rogue AP Setup: If someone managed to modify the AP settings, it could act as a pivot point to attack internal systems.
• Network Traffic through the AP IP: In this case, the logs will only show the AP’s IP address as the source, which may mask the real attacker.

Case 2: Attack Originating from Connected Devices (Clients)

• Malware-Compromised Devices: A connected client (e.g., a phone, laptop, IoT device) could be launching attacks, and the AP acts merely as a transit point.
• IP Address Translation: Since all devices connected to the AP may use NAT (Network Address Translation), the traffic will appear to come from the AP IP, complicating attribution.
• Rogue Device on the Wi-Fi Network: An attacker may have connected a malicious device to your AP (e.g., through weak Wi-Fi security) and used it to attack your systems.

---

Steps to Identify the Real Source of the Attack

1. Review UniFi Controller Logs

• Access the UniFi Network Controller and check for:
  • Client connection history and MAC addresses.
  • Unusual or unexpected devices connected to the AP.
  • Network statistics showing suspicious traffic patterns originating from specific devices.

Tip: Look for devices sending large volumes of traffic or unusual connection attempts around the time of the attack.

---

2. Perform Packet Capture on the AP and Network

• Use Wireshark or the UniFi Controller’s built-in packet capture tool:
  • Set the capture to monitor traffic between the AP and the Kaspersky Security Center server.
  • Analyze the source MAC addresses and IPs to see if the attack originated from a specific device connected to the AP.

---

3. Temporarily Disconnect Suspected APs

• Power down individual APs and observe if the attack attempts stop.
  • If the attacks continue after disconnecting the AP, the attacker is likely using another AP or network segment.
  • If the attacks stop, the compromised AP or devices connected to it may be responsible.

---

4. Enable Client Isolation on the AP

• Activate client isolation to block connected devices from communicating with each other or the internal network (except for internet access).
  • If the attack stops after enabling isolation, it confirms that one or more connected devices were causing the issue.

---

5. Cross-Check with Kaspersky Logs

• Check the Kaspersky Security Center’s network logs:
  • Look for port numbers, protocols, and attack patterns to match with the AP or client behavior.
  • If the logs show consistent attacks from the AP IP, the devices behind it may need further inspection.

---

6. Use a Network Scanning Tool (e.g., Nmap)

• Scan the AP’s network segment for:
  • Open ports or unusual services running on the AP.
  • Infected devices or unauthorized devices connected to your network.

---

7. Monitor for Rogue Devices or SSID Cloning

• Ensure the AP itself hasn’t been compromised by:
  • Checking for unauthorized SSIDs.
  • Scanning for rogue devices pretending to be legitimate clients.

---

Conclusions Based on Findings

• If the attack continues with AP disconnected:

  • The attacker is likely on another AP or has spoofed the AP’s IP.

• If the attack stops with AP disconnected:

  • The AP itself might be compromised, or the issue lies with one of the connected devices.

• If packet captures reveal multiple devices attacking:

  • It indicates infected devices using the AP as a gateway.

---

By following these steps, you’ll be able to pinpoint whether the attack is coming from the AP itself or devices connected through it. Let me know if you need any help with analyzing logs or further network security configurations!

Thank you

[Gigabyte]

Yes, it's a complex issue and will waste lot of time. The current policy is to block the attacker IP for 1 hour. That means the KES on the Unifi Network Application console server would block the communication with the attacker AP. The Unifi AP would not block the connected devices and still running. No other server (KES installed) or device (KES installed) was affected. No current connected device user was reported any issue. Had already tried to search some logs but seems normal. Couldn't find the similar case on Unifi community as it's so rare with the KES and Unifi Network Application console installed on the same server now.

Just to keep monitor and apply the latest firmware and software update.

[KarDip]

Hello @Gigabyte

You’re absolutely on the right track by blocking attacker IPs temporarily and focusing on keeping everything up-to-date. The combination of Kaspersky Endpoint Security (KES) and Unifi Network Application running on the same server does introduce unique complexities, especially when managing network security in tandem with endpoint security. Let’s optimize your monitoring and incident response a bit further.

Suggested Steps to Streamline Your Approach:

1. Adjust Temporary IP Blocking Policy for KES

• If you notice multiple repeated attacks from the same IPs, consider increasing the block time from 1 hour to 24 hours or longer to reduce workload.
• Use Kaspersky's automatic response settings to log attack sources more effectively and identify persistent threats.

2. Check Kaspersky Logs More Thoroughly

• In KES, look under:
  Copy code

  Reports → Intrusion Detection or Network Threat Protection
• Look for event logs that indicate blocked attacks and cross-reference the exact timestamps with the Unifi Network Application logs.
• This can help determine whether it’s a real attack or an environmental quirk (e.g., false positives from network probing tools).

3. Enable KES Application Control Policies (if not already active)

• Set rules that restrict the Unifi Network Application’s communication to trusted IPs only.
• This reduces the risk of malicious actors exploiting vulnerabilities in either the network or application console.

4. Unifi Controller Logs and Device Segmentation Strategy

• Even though the Unifi APs remain functional when KES blocks an IP, it’s worth checking:

  • Events and Alerts in the Unifi Network Console: Look for anomalies like multiple disconnections or abnormal bandwidth usage.
  • System logs on the server hosting the Unifi application to confirm there’s no indirect issue.

• Use device grouping and segmentation to ensure critical infrastructure stays isolated from guest and IoT devices on the same network. This minimizes attack surfaces.

5. Regular Threat Intelligence and Firmware Sync

• Continue applying the latest firmware and software updates to both KES and Unifi systems.
• Subscribe to Kaspersky’s Threat Intelligence feeds and Ubiquiti’s community alerts to stay ahead of any vulnerabilities or zero-day issues that may arise in their platforms.

6. Automate Device Blocking via Unifi Policies (Optional)

• If attacks become more frequent, you can configure Unifi's firewall rules to temporarily block devices at the AP level, rather than relying solely on KES.
• This will ensure that malicious connections are dropped network-wide without affecting device usability.

7. Conduct a Test Simulation

• Simulate an intrusion attempt in a test environment to ensure both KES and the Unifi Network Application work harmoniously without introducing conflicts.
• This will also give insights into which logs to focus on for quick future troubleshooting.

---

In essence, it sounds like KES is doing its job well by blocking suspicious connections without disrupting regular operations. Keep up the monitoring efforts, and cross-check logs regularly to ensure alignment between KES and Unifi security policies. If the issue persists or escalates, a more permanent IP blacklisting strategy or additional network segmentation rules might help eliminate attack vectors more effectively.

Thank you

[Gigabyte]

Much appreciated for your advise and instructions. 👍