Zscaler Alert Details
Alert ID: ZSCALER-DRIVEBY-7842
Alert Time: 2024-02-11 14:22:35 EST
Severity: HIGH (85/100)
Source: Zscaler Internet Access (ZIA) + Cloud Sandbox
Rule: “Drive-by Compromise – Exploit Kit Activity”
MITRE ATT&CK: T1189 – Drive-by Compromise
Alert Details:
Transaction Details:
– User: rsmith@company.com (Robert Smith, Sales)
– Device: SLS-WS-089 (Windows 10)
– Time: 14:18-14:22 EST
– Action: BLOCKED (Advanced Threat Protection + Sandbox)
URL Chain:
1. hxxp://news-daily[.]com/article/7842 (Compromised news site)
2. hxxp://ads-traffic[.]net/script.js (Malicious ad)
3. hxxps://exploit-kit[.]xyz/landing (Exploit kit landing page)
4. hxxps://malicious-cdn[.]net/exploit.html (Browser exploit)
Threat Analysis:
– Site Category: Compromised News/Entertainment
– Exploit Kit: Fallout Exploit Kit (detected)
– Exploits Attempted:
– CVE-2023-1234 (Internet Explorer)
– CVE-2023-5678 (Chrome)
– CVE-2024-1111 (Edge)
– Sandbox Detection: Malicious redirect chain, heap spray attempts
Additional Context:
– User visited a legitimate news site that had been compromised
– Malicious ad injected via a compromised ad network
– Zscaler blocked exploit kit landing page (category: Malware)
– No payload downloaded; block occurred before exploit delivery
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Zscaler threat analysis | Zscaler Admin Console | Confirmed exploit kit activity blocked
2. Endpoint Check | Check for any exploit artifacts | CrowdStrike Falcon | No evidence of compromise; browser isolated
3. User Interview | Contact user about browsing | Teams, Phone | User visited legitimate news site; no issues noticed
4. URL Takedown | Report malicious domains | Threat Intel Team | Domains reported to registrars
5. Blocking | Ensure all domains blocked | Zscaler, Palo Alto, Cisco Umbrella | Added all malicious domains to blocklists
6. Threat Hunting | Check other users for same chain | Zscaler Logs, Splunk | No other users accessed the same chain
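The threat-hunting step (checking whether any other user touched the same redirect chain) can be scripted against exported web proxy logs. The following is an added example, not code from the original report or from Zscaler; it assumes a simplified pipe-delimited log layout (time|user|action|url|referer) and a constructed sample log that, unlike the report's real result, includes a hypothetical unblocked user so the positive case is visible.

```python
"""Hunt Zscaler-style web proxy logs for the drive-by redirect chain. Added example,
not from the report or Zscaler; assumes a simplified time|user|action|url|referer layout."""
from collections import defaultdict
from urllib.parse import urlparse
# Redirect chain from the alert, hop 1 to hop 4 (defanging removed for matching).
CHAIN = ["news-daily.com", "ads-traffic.net", "exploit-kit.xyz", "malicious-cdn.net"]

# Constructed sample log: rsmith mirrors the report; jdoe read the news site with
# no redirect; alee is a hypothetical user whose later hops were NOT blocked.
SAMPLE_LOG = """\
2024-02-11T14:18:02|rsmith@company.com|Allowed|http://news-daily.com/article/7842|-
2024-02-11T14:19:10|rsmith@company.com|Allowed|http://ads-traffic.net/script.js|http://news-daily.com/article/7842
2024-02-11T14:20:05|rsmith@company.com|Blocked|https://exploit-kit.xyz/landing|http://ads-traffic.net/script.js
2024-02-11T14:30:44|jdoe@company.com|Allowed|http://news-daily.com/sports|-
2024-02-11T15:02:17|alee@company.com|Allowed|https://exploit-kit.xyz/landing|http://ads-traffic.net/script.js
2024-02-11T15:02:19|alee@company.com|Allowed|https://malicious-cdn.net/exploit.html|https://exploit-kit.xyz/landing
"""

def host(url):
    """Hostname of a URL, lowercased; '' for '-' or malformed values."""
    return (urlparse(url).hostname or "").lower()

def parse_log(text):
    """Pipe-delimited lines -> dicts, blank lines skipped."""
    keys = ("ts", "user", "action", "url", "ref")
    return [dict(zip(keys, line.split("|", 4))) for line in text.splitlines() if line.strip()]

def hunt(rows):
    """For each user who went past hop 1: deepest hop reached, whether every later
    hop's referer really was the previous hop (a genuine chain, not a stray visit),
    and chain URLs that were NOT blocked, i.e. the ones needing endpoint follow-up."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
    findings = {}
    for user, events in by_user.items():
        deepest, linked, allowed = 0, True, []
        for r in sorted(events, key=lambda e: e["ts"]):
            h = host(r["url"])
            if h not in CHAIN:
                continue
            hop = CHAIN.index(h) + 1
            deepest = max(deepest, hop)
            if hop > 1:
                linked = linked and host(r["ref"]) == CHAIN[hop - 2]
                if r["action"] != "Blocked":
                    allowed.append(r["url"])
        if deepest > 1:  # hop 1 alone is a normal visit to the (now cleaned) news site
            findings[user] = {"deepest_hop": deepest, "chain_linked": linked, "allowed_hops": allowed}
    return findings
```

Running `hunt(parse_log(SAMPLE_LOG))` surfaces rsmith (blocked at hop 3, matching the report) and the hypothetical alee (reached hop 4 unblocked), while jdoe's plain news visit is not reported.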
Jira Incident Report
Ticket: SOC-2024-057
Summary: T1189 – Drive-by Compromise Attempt via Compromised News Site
Status: RESOLVED
Resolution: MALICIOUS – Blocked Before Exploit
Priority: P2 – MEDIUM
Labels: T1189, drive-by, exploit-kit, zscaler, compromised-site
Components: Web-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Zscaler Internet Access + Cloud Sandbox.
Alert: “Drive-by Compromise – Exploit Kit Activity”.
User: rsmith@company.com (Sales Department).
Time: 2024-02-11 14:22 EST.
Technique: MITRE ATT&CK T1189 – Drive-by Compromise.
2. Technical Analysis:
Attack Chain:
1. Legitimate news site: news-daily[.]com (compromised)
2. Malicious ad script: ads-traffic[.]net/script.js (injected via ad network)
3. Exploit kit landing page: exploit-kit[.]xyz/landing
4. Browser exploit: malicious-cdn[.]net/exploit.html
Exploit Kit:
Type: Fallout Exploit Kit
Targeted Browsers: Internet Explorer, Chrome, Edge
CVEs Attempted: CVE-2023-1234, CVE-2023-5678, CVE-2024-1111
Payload: Would have delivered Cobalt Strike if successful
User Activity:
User visited news-daily.com at 14:18 for legitimate news reading
Redirect chain triggered by malicious ad
Zscaler blocked the exploit kit landing page (category: Malware)
No exploit code reached browser
Infrastructure Analysis:
news-daily.com confirmed compromised (injected JavaScript)
ads-traffic.net known malicious ad network
exploit-kit.xyz registered 2 days ago
All domains hosted on bulletproof hosting
3. Investigation Findings:
Timeline:
14:18 – User visits news-daily.com
14:19 – Malicious ad script loads from ads-traffic.net
14:20 – Redirect to exploit-kit.xyz
14:20 – Zscaler blocks exploit-kit.xyz (category: Malware)
14:22 – Zscaler alert generated
14:25 – SOC investigation begins
Indicators of Compromise (IoCs):
Domains:
– news-daily[.]com (compromised, now cleaned)
– ads-traffic[.]net
– exploit-kit[.]xyz
– malicious-cdn[.]net
URLs:
– hxxp://news-daily[.]com/article/7842
– hxxp://ads-traffic[.]net/script.js
– hxxps://exploit-kit[.]xyz/landing
– hxxps://malicious-cdn[.]net/exploit.html
4. Containment Actions:
Immediate Actions:
All malicious domains added to Zscaler, Palo Alto, and Cisco Umbrella blocklists.
Reported compromised news site to its hosting provider.
Scanned user endpoint (no compromise).
User Communication:
User informed of drive-by attempt; no action needed.
Reminder to keep browsers updated.
5. Root Cause Analysis:
Primary Cause: Compromised news site with malicious ad injection.
Contributing Factors: User visited a legitimate site; weak security controls at the ad network.
6. Business Impact: None – exploit blocked before execution.
7. Remediation & Prevention:
Completed Actions:
IOCs blocked.
Compromised site reported.
User notified.
Prevention Enhancements:
Enhanced Zscaler policies to block known exploit kit domains.
Updated browser security settings via GPO.
8. Conclusion:
This incident involved a drive-by compromise attempt via a compromised news site. Zscaler blocked the exploit kit landing page, preventing any exploit from reaching the user’s browser. No compromise occurred.
Closure Rationale: Exploit blocked; user safe; domains added to blocklists.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-11 15:00 EST