Zscaler Alert Details
Alert ID: ZSCALER-DRIVEBY-7842
Alert Time: 2024-02-11 14:22:35 EST
Severity: HIGH (85/100)
Source: Zscaler Internet Access (ZIA) + Cloud Sandbox
Rule: “Drive-by Compromise – Exploit Kit Activity”
MITRE ATT&CK: T1189 – Drive-by Compromise
Alert Details:
Transaction Details:
– User: rsmith@company.com (Robert Smith, Sales)
– Device: SLS-WS-089 (Windows 10)
– Time: 14:18-14:22 EST
– Action: BLOCKED (Advanced Threat Protection + Sandbox)
URL Chain:
1. hxxp://news-daily[.]com/article/7842 (Compromised news site)
2. hxxp://ads-traffic[.]net/script.js (Malicious ad)
3. hxxps://exploit-kit[.]xyz/landing (Exploit kit landing page)
4. hxxps://malicious-cdn[.]net/exploit.html (Browser exploit)
Threat Analysis:
– Site Category: Compromised News/Entertainment
– Exploit Kit: Fallout Exploit Kit (detected)
– Exploits Attempted:
  – CVE-2023-1234 (Internet Explorer)
  – CVE-2023-5678 (Chrome)
  – CVE-2024-1111 (Edge)
– Sandbox Detection: Malicious redirect chain, heap spray attempts
Additional Context:
– User visited a legitimate news site that had been compromised
– Malicious ad injected via a compromised ad network
– Zscaler blocked exploit kit landing page (category: Malware)
– No payload downloaded; block occurred before exploit delivery
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Zscaler threat analysis | Zscaler Admin Console | Confirmed exploit kit activity blocked |
| 2. Endpoint Check | Check for any exploit artifacts | CrowdStrike Falcon | No evidence of compromise; browser isolated |
| 3. User Interview | Contact user about browsing | Teams, Phone | User visited legitimate news site; no issues noticed |
| 4. URL Takedown | Report malicious domains | Threat Intel Team | Domains reported to registrars |
| 5. Blocking | Ensure all domains blocked | Zscaler, Palo Alto, Cisco Umbrella | Added all malicious domains to blocklists |
| 6. Threat Hunting | Check other users for same chain | Zscaler Logs, Splunk | No other users accessed the same chain |
Jira Incident Report
Ticket: SOC-2024-057
Summary: T1189 – Drive-by Compromise Attempt via Compromised News Site
Status: RESOLVED
Resolution: MALICIOUS – Blocked Before Exploit
Priority: P2 – MEDIUM
Labels: T1189, drive-by, exploit-kit, zscaler, compromised-site
Components: Web-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: Zscaler Internet Access + Cloud Sandbox.
- Alert: “Drive-by Compromise – Exploit Kit Activity”.
- User: rsmith@company.com (Sales Department).
- Time: 2024-02-11 14:22 EST.
- Technique: MITRE ATT&CK T1189 – Drive-by Compromise.
2. Technical Analysis:
- Attack Chain:
  1. Legitimate news site: news-daily[.]com (compromised)
  2. Malicious ad script: ads-traffic[.]net/script.js (injected via ad network)
  3. Exploit kit landing page: exploit-kit[.]xyz/landing
  4. Browser exploit: malicious-cdn[.]net/exploit.html
- Exploit Kit:
  - Type: Fallout Exploit Kit
  - Targeted Browsers: Internet Explorer, Chrome, Edge
  - CVEs Attempted: CVE-2023-1234, CVE-2023-5678, CVE-2024-1111
  - Payload: Would have delivered Cobalt Strike if successful
- User Activity:
  - User visited news-daily.com at 14:18 for legitimate news reading
  - Redirect chain triggered by malicious ad
  - Zscaler blocked the exploit kit landing page (category: Malware)
  - No exploit code reached the browser
- Infrastructure Analysis:
  - news-daily.com confirmed compromised (injected JavaScript)
  - ads-traffic.net is a known malicious ad network
  - exploit-kit.xyz registered 2 days ago
  - All domains hosted on bulletproof hosting
3. Investigation Findings:
- Timeline:
  14:18 – User visits news-daily.com
  14:19 – Malicious ad script loads from ads-traffic.net
  14:20 – Redirect to exploit-kit.xyz
  14:20 – Zscaler blocks exploit-kit.xyz (category: Malware)
  14:22 – Zscaler alert generated
  14:25 – SOC investigation begins
- Indicators of Compromise (IoCs):
  - Domains:
    - news-daily[.]com (compromised, now cleaned)
    - ads-traffic[.]net
    - exploit-kit[.]xyz
    - malicious-cdn[.]net
  - URLs:
    - hxxp://news-daily[.]com/article/7842
    - hxxp://ads-traffic[.]net/script.js
    - hxxps://exploit-kit[.]xyz/landing
    - hxxps://malicious-cdn[.]net/exploit.html
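Step 6 of the investigation (hunting Zscaler/Splunk logs for other users who touched the same chain) and the IoC list above, as an added example that is not part of the original report: a Python hunt over constructed proxy log lines (the pipe-delimited time|user|url|referer|action format is an assumption, not Zscaler's export format) that refangs the report's indicators, reconstructs each user's hops in time order with the site that referred them into the chain, and flags users whose exploit-stage request was not blocked, since those endpoints need the CrowdStrike check from step 2 rather than just a closed ticket.

```python
import re
from collections import defaultdict
from datetime import datetime

# Defanged indicators exactly as the report lists them; refang() restores them for matching.
IOC_DOMAINS = ["ads-traffic[.]net", "exploit-kit[.]xyz", "malicious-cdn[.]net"]
EXPLOIT_STAGE = {"exploit-kit.xyz", "malicious-cdn.net"}  # landing page and browser-exploit hops

def refang(indicator: str) -> str:
    """hxxps://evil[.]tld/x -> https://evil.tld/x"""
    return re.sub(r"^hxxp", "http", indicator.replace("[.]", "."))

def host_of(url: str) -> str:
    """Lower-cased hostname with scheme, port and path removed ('-' for an empty referer)."""
    return re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0].split(":")[0]

# Constructed proxy log (not a real Zscaler export): time|user|url|referer|action
SAMPLE_LOG = """\
2024-02-11T14:18:02|rsmith@company.com|http://news-daily.com/article/7842|-|ALLOWED
2024-02-11T14:19:10|rsmith@company.com|http://ads-traffic.net/script.js|http://news-daily.com/article/7842|ALLOWED
2024-02-11T14:20:05|rsmith@company.com|https://exploit-kit.xyz/landing|http://ads-traffic.net/script.js|BLOCKED
2024-02-11T14:31:44|jdoe@company.com|http://news-daily.com/sports|-|ALLOWED
2024-02-11T14:40:12|mlee@company.com|http://ads-traffic.net/script.js|http://news-daily.com/article/7842|ALLOWED
2024-02-11T14:40:13|mlee@company.com|https://malicious-cdn.net/exploit.html|http://ads-traffic.net/script.js|ALLOWED"""

def parse_log(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        t, user, url, ref, action = line.split("|")
        rows.append({"time": datetime.fromisoformat(t), "user": user,
                     "url": url, "referer": ref, "action": action})
    return rows

def hunt_chain(rows: list[dict], iocs: list[str] = IOC_DOMAINS) -> dict[str, dict]:
    """Per user who touched an IoC host: hops in time order, the referring entry site,
    and whether an exploit-stage hop was NOT blocked (that endpoint needs a Falcon check)."""
    bad_hosts = {host_of(refang(d)) for d in iocs}
    hits = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["time"]):
        if host_of(r["url"]) in bad_hosts:
            hits[r["user"]].append(r)
    report = {}
    for user, rs in hits.items():
        report[user] = {
            "chain": [host_of(r["url"]) for r in rs],
            "entry_site": host_of(rs[0]["referer"]),
            "needs_endpoint_check": any(
                r["action"] != "BLOCKED" and host_of(r["url"]) in EXPLOIT_STAGE for r in rs),
        }
    return report
```

On the constructed log, rsmith's chain stops at the blocked landing page (no endpoint check needed), jdoe never touched an IoC host, and mlee reached the browser-exploit host unblocked and is flagged for endpoint follow-up.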
4. Containment Actions:
- Immediate Actions:
  - All malicious domains added to Zscaler, Palo Alto, and Cisco Umbrella blocklists.
  - Reported compromised news site to its hosting provider.
  - Scanned user endpoint (no compromise).
- User Communication:
  - User informed of drive-by attempt; no action needed.
  - Reminder to keep browsers updated.
5. Root Cause Analysis:
- Primary Cause: Compromised news site with malicious ad injection.
- Contributing Factors: User visited a legitimate site; the ad network's security controls were weak.
6. Business Impact: None – exploit blocked before execution.
7. Remediation & Prevention:
- Completed Actions:
  - IOCs blocked.
  - Compromised site reported.
  - User notified.
- Prevention Enhancements:
  - Enhanced Zscaler policies to block known exploit kit domains.
  - Updated browser security settings via GPO.
8. Conclusion:
This incident involved a drive-by compromise attempt via a compromised news site. Zscaler blocked the exploit kit landing page, preventing any exploit from reaching the user’s browser. No compromise occurred.
Closure Rationale: Exploit blocked; user safe; domains added to blocklists.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-11 15:00 EST