This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
CP-NDA
Collaborator
‎2021-01-13 07:18 AM

AdBlock & IPS - Multiple Websites Mine Cryptocurrencies CPU Hijacking

Hi All,

 

Since a few weeks it's seems that Adblock updates are recognized as Multiple Websites Mine Cryptocurrencies CPU Hijacking by TP

Did you already had same behaviour ?

 

Time: 2021-01-13T13:30:17Z
Interface Direction: inbound
Threat Prevention Policy Date:2021-01-13T04:05:23Z
Source Port: 62680
Destination Country: United States
Destination: 104.22.66.219
Destination Port: 443
IP Protocol: 6
Session Identification Number:0x5ffef5e9,0x2a,0x9149db70,0xe25c3ad1
Policy Rule UID: 840ff45c-3225-47ab-af3d-3c11e18b4b9a
Threat Prevention Rule Id: 63785ED7-4343-4087-BC81-2D07DA2AD779
Reject Id Kid: 5ffef5e9-29-9149db70-e25c3ad1
Ser Agent Kid: Chrome
Action: Prevent
Type: Log
Policy Date: 2021-01-13T09:12:49Z
Blade: IPS
Service: TCP/443
Product Family: Threat
Action: Inspect
Resource: https://filters.adtidy.org/extension/ublock/filters/16.txt?_=1
Duplicated: 1
Index Time: 2021-01-13T13:31:18Z
Lastupdateseqnum: 85
Attack Name: Web Server Enforcement Violation
Attack Information: Multiple Websites Mine Cryptocurrencies CPU Hijacking
Protection Name: Multiple Websites Mine Cryptocurrencies CPU Hijacking
Protection ID: asm_dynamic_prop_MINE_CPU_HIJACK
Severity: Critical
Confidence Level: Medium
Performance Impact: Medium
Protection Type: IPS
Description Url: MINE_CPU_HIJACK_help.html
Suppressed Logs: 1
Sent Bytes: 1610
Received Bytes: 25470
Bytes (sent\received): 1.6 KB \ 24.9 KB

 

Thank you

Nicolas

Labels
0 Kudos
12 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-01-13 07:26 AM

Did you already point this out to TAC in a Content Classification Service Request ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
CP-NDA
Collaborator
‎2021-01-13 07:29 AM
In response to G_W_Albrecht

Hi,

I tried but they forwarded me to a long and annoying SK... sk98820.

We have the same behaviour in multiple infra so I guess we are not the only one to have this false positive. 

They didn't accept to try a reproduction in lab 😞

 

 

0 Kudos
Sprunknwn
Employee
Employee
‎2021-01-17 04:16 AM
In response to CP-NDA

Hey Nicolas,

 

Can you also provide the TAC ticket number you opened?

 

Thanks,

Hertsel

0 Kudos
osef
Contributor
‎2021-01-15 06:27 AM

I've the exact same problem...

0 Kudos
Sprunknwn
Employee
Employee
‎2021-01-17 04:06 AM

Hi Nicolas,

 

Thank you for bringing this to our attention.

Can you please elaborate in regards to which versions are you using and which AdBlock? Are we talking the original getadblock.com Chrome extension?

Or the adblockplus.org ?

Which versions did you experience this behavior on and which IPS db version?

 

Thanks,

Hertsel

0 Kudos
Sprunknwn
Employee
Employee
‎2021-01-17 05:05 AM
In response to Sprunknwn

Just wanted to update that it did replicate on my R81 environment quite easily. We are currently checking this internally.

 

Thanks,

Hertsel

0 Kudos
Shiran_Gold
Employee
Employee
‎2021-01-17 10:41 AM

Thanks @Sprunknwn  for quick replication which helped understand the behavior.

 

Hey Nicolas,

Following replication performed and further investigation, we can see that the protection identifies TP as expected.

the original page links to additional pages and one of those pages includes a link to a miner that is prevented from being downloaded by IPS.

 

If there is still missing information feel free to contact me here or offline.

 

Thanks

Shiran


 

 

CP-NDA
Collaborator
‎2021-01-17 10:57 AM
In response to Shiran_Gold

Hi Shiran,

Thank you for the feedback really happy to see that it has been handled so quickly ! Thank you @Sprunknwn for your help on this!

I'm really curious to see which link is considered as a miner. We thought that it were clearly a false positive so if you can share that info I will try to double check on different infra to confirm

Thanks again

Nicolas

Shiran_Gold
Employee
Employee
‎2021-01-18 12:04 AM
In response to CP-NDA

Hey Nicolas,

 

In general, signature logic is confidential and isn't shared publicly, in order to assist in this specific case, we'll take it offline directly with you.

I sent you a private message.

 

thanks

Shiran

 

0 Kudos
spottex
Collaborator
‎2021-01-20 11:37 AM
In response to Shiran_Gold

Ummm... This information would be useful to all!

I.e. The add block company and the URL.

I see one has links to info about mining. One of these wouldn't be it would it?

https://getadblock.com/cryptocurrency-mining/ 

or this one

https://help.getadblock.com/support/solutions/articles/6000192472-adblock-and-authedmine-com-cryptoc... 

0 Kudos
Shiran_Gold
Employee
Employee
‎2021-01-21 10:13 AM
In response to spottex

Check Point's protection logic is confidential and therefore cannot be shared.
When a specific question arise such as the above, we are working with the customer offline to understand the behavior and assist getting the relevant answer for each individual case.

0 Kudos
spottex
Collaborator
‎2021-01-21 11:21 AM
In response to Shiran_Gold

Are you talking about the proprietary logic used or the result of the logic?

The statement you have already posted gives away more about the logic than the information I'm asking

i.e. " the original page links to additional pages and one of those pages includes a link to a miner that is prevented from being downloaded by IPS"

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events