Cisco Cloud Web Security DNS Hijack

Published: 2015-11-12
Last Updated: 2015-11-12 16:20:14 UTC
by Rick Wanner (Version: 1)

We have received a report that a domain critical to delivering the Cisco Cloud Web Security product was hijacked for a while earlier today. The report indicates that the DNS entries for scansafe.net were hijacked and pointed to 208.91.197.132, a site which both VirusTotal and Web of Trust indicate has a reputation for delivering malware.

The guidance provided to customers is that the issue has been resolved, but the TTL on the DNS entries is 48 hours, so it will take a while for caches to clear. In the meantime, customers should use the IP, not the FQDN, to access the site.
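Because the bad records can sit in resolver caches for up to the full TTL, it helps to know which internal resolvers still hold them and when each copy expires. The following is an added example, not part of the original diary: it triages `dig +noall +answer` style lines collected from resolvers, and the resolver names, hostnames, the 192.0.2.10 address and the sample data are constructed assumptions.

```python
"""Triage cached DNS answers for the hijacked scansafe.net records."""
from datetime import datetime, timedelta, timezone

BAD_IP = "208.91.197.132"   # address named in the report
ZONE = "scansafe.net"       # hijacked domain named in the report

# Constructed sample, one line per cached answer:
#   "<resolver> <name> <remaining TTL> <class> <type> <rdata>"
SAMPLE = """\
dns1.corp.example scansafe.net. 171000 IN A 208.91.197.132
dns1.corp.example proxy.scansafe.net. 3600 IN A 192.0.2.10
dns2.corp.example proxy.scansafe.net. 90500 IN A 208.91.197.132
dns3.corp.example www.example.org. 300 IN A 208.91.197.132
dns2.corp.example scansafe.net. 86400 IN NS ns1.example.net.
"""

def in_zone(name, zone=ZONE):
    """True for the zone apex or any name beneath it (not look-alikes)."""
    name = name.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def poisoned_entries(text, observed_at):
    """Return (resolver, name, remaining_ttl, expires_at) for every cached
    A record in ZONE that still points at BAD_IP, latest expiry first."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # blank or malformed line
        resolver, name, ttl, rclass, rtype, rdata = fields
        if rclass != "IN" or rtype != "A" or not ttl.isdigit():
            continue  # only address records can carry the bad IP
        if in_zone(name) and rdata == BAD_IP:
            expires = observed_at + timedelta(seconds=int(ttl))
            hits.append((resolver, name.rstrip(".").lower(), int(ttl), expires))
    return sorted(hits, key=lambda h: h[3], reverse=True)

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    hits = poisoned_entries(SAMPLE, now)
    for resolver, name, ttl, expires in hits:
        print(f"{resolver}: {name} -> {BAD_IP}, {ttl}s left, "
              f"clears {expires:%Y-%m-%d %H:%M} UTC")
    if hits:
        print(f"All caches clear after {hits[0][3]:%Y-%m-%d %H:%M} UTC "
              "unless flushed sooner")
```

Flushing the listed resolvers' caches removes the bad entries immediately instead of waiting for the reported expiry times.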

If anyone has any further details please pass them our way.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
