Executable File Download from Root Directory on isc2-org2.meets.cirqlive[dot]com

mlloyd99577 — Fri, 14 Feb 2025 17:53:04 GMT

Good morning!

While browsing one of the ISC2 websites https://my.isc2[dot]org/ or https://learn.isc2[dot]org/ from my work computer, one for our security detection systems alerted us to the following:

-----------------------------------------------------------------------------------------------------------------------------

On February 14, 2025, at 5:11:16 PM UTC, an internal network source IP "XXX.XXX.XXX.XXX" attempted to download an executable file named "lti.exe" from the domain "isc2-org2.meets.cirqlive[dot]com" via the URL "hxxps://isc2-org2.meets.cirqlive[dot]com/lti.exe". The destination IP for this transfer was "172.104.22.159", located in Cedar Knolls, New Jersey, United States.

## ANALYSIS:
__________________________________________
The investigation revealed an attempt to download an executable file ("lti.exe") from the root directory of the domain "isc2-org2.meets.cirqlive[dot]com" using an internal IP address "XXX.XXX.XXX.XXX". This download was permitted through the network firewall and categorized under the "XXXXXX Custom Category". The use of the POST method for this download can sometimes be indicative of attempts to camouflage malicious activity within legitimate traffic.

Despite an extensive search for threat intelligence on the involved artifacts, including the domain, IP addresses, and specific URL, no malicious activity was detected. The domain "isc2-org2.meets.cirqlive[dot]com" was classified as neutral, with no history of malware or infections, and is associated with legitimate sectors like education and information technology. The source IP "XXX.XXX.XXX.XXX" also showed no signs of malicious activity or abuse reports. Additionally, there were no historical incidents or artifacts linking the file "lti.exe" to any known malicious activities.

## RECOMMENDATION:
__________________________________________
- Verify the legitimacy of the "lti.exe" file at "hxxps://isc2-org2.meets.cirqlive[dot]com/lti.exe" to determine if the download was expected and authorized.
- If the download is found to be unauthorized or suspicious, block the domain "isc2-org2.meets.cirqlive[dot]com" to prevent any potential malicious activities.

---------------------------------------------------------------------------------------------------------------

What is going on ISC2?! This is substandard for a security vendor.

VR,

Micah

CISSP #431532

Re: Executable File Download from Root Directory on isc2-org2.meets.cirqlive[dot]com

nkeaton — Fri, 14 Feb 2025 19:13:58 GMT

Interesting and scary. One of the recent posts had a LinkedIn url. My work computer lit up like a Christmas tree. It did not have a lot of detail but definitely blocked it from my. I then verified that could still get to LinkedIn in case was a very recent change. No issue there. Concerning but not enough detail to say why it blocked it.

Re: Executable File Download from Root Directory on isc2-org2.meets.cirqlive[dot]com

dcontesti — Fri, 14 Feb 2025 23:05:31 GMT

Micah,

Thanks for sharing, but have you reported to ISC2 management. They are best suited to review and comment.

I am tagging @mariatirado such that she can circulate to the right folk internally.

topic Re: Executable File Download from Root Directory on isc2-org2.meets.cirqlive[dot]com in Threats

Executable File Download from Root Directory on isc2-org2.meets.cirqlive[dot]com

Re: Executable File Download from Root Directory on isc2-org2.meets.cirqlive[dot]com

Re: Executable File Download from Root Directory on isc2-org2.meets.cirqlive[dot]com