mlloyd99577
Viewer III

Executable File Download from Root Directory on isc2-org2.meets.cirqlive[dot]com

Good morning!

While browsing one of the ISC2 websites, https://my.isc2[dot]org/ or https://learn.isc2[dot]org/, from my work computer, one of our security detection systems alerted us to the following:

-----------------------------------------------------------------------------------------------------------------------------

On February 14, 2025, at 5:11:16 PM UTC, an internal network source IP "XXX.XXX.XXX.XXX" attempted to download an executable file named "lti.exe" from the domain "isc2-org2.meets.cirqlive[dot]com" via the URL "hxxps://isc2-org2.meets.cirqlive[dot]com/lti.exe". The destination IP for this transfer was "172.104.22.159", located in Cedar Knolls, New Jersey, United States.

## ANALYSIS:
The investigation revealed an attempt to download an executable file ("lti.exe") from the root directory of the domain "isc2-org2.meets.cirqlive[dot]com" using an internal IP address "XXX.XXX.XXX.XXX". This download was permitted through the network firewall and categorized under the "XXXXXX Custom Category". The use of the POST method for this download can sometimes be indicative of attempts to camouflage malicious activity within legitimate traffic.

Despite an extensive search for threat intelligence on the involved artifacts, including the domain, IP addresses, and specific URL, no malicious activity was detected. The domain "isc2-org2.meets.cirqlive[dot]com" was classified as neutral, with no history of malware or infections, and is associated with legitimate sectors like education and information technology. The source IP "XXX.XXX.XXX.XXX" also showed no signs of malicious activity or abuse reports. Additionally, there were no historical incidents or artifacts linking the file "lti.exe" to any known malicious activities.

## RECOMMENDATION:
- Verify the legitimacy of the "lti.exe" file at "hxxps://isc2-org2.meets.cirqlive[dot]com/lti.exe" to determine if the download was expected and authorized.
- If the download is found to be unauthorized or suspicious, block the domain "isc2-org2.meets.cirqlive[dot]com" to prevent any potential malicious activities.

---------------------------------------------------------------------------------------------------------------

What is going on, ISC2?! This is substandard for a security vendor.

VR,

Micah

CISSP #431532

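As an added triage example (not ISC2's, and not the detection vendor's own logic), the Python below flags the pattern the alert above describes, an executable fetched from a site's root directory, escalated when POST was used, over constructed proxy log lines, and defangs the URL so it can be pasted into a ticket. The log format, the field order and every host except the one quoted in the post are assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample lines: timestamp src method url action category.
# Only the first URL is taken from the post; the other hosts are hypothetical.
SAMPLE_LOG = """\
2025-02-14T17:11:16Z 10.0.0.5 POST https://isc2-org2.meets.cirqlive.com/lti.exe ALLOW Custom
2025-02-14T17:12:03Z 10.0.0.5 GET https://www.example.test/static/app.js ALLOW Tech
2025-02-14T17:13:40Z 10.0.0.5 GET https://dl.example.test/tools/setup.exe ALLOW Tech
2025-02-14T17:14:05Z 10.0.0.5 GET https://cdn.example.test/installer.msi BLOCK Uncat
"""
EXEC_EXT = (".exe", ".msi", ".dll", ".scr")

@dataclass
class Finding:
    url: str            # defanged, safe to paste into a report
    allowed: bool       # did the proxy let the transfer through?
    reasons: list = field(default_factory=list)
    severity: str = "info"

def defang(url: str) -> str:
    """Rewrite the scheme and host dots so the URL is not clickable in reports."""
    parts = urlsplit(url)
    host = parts.netloc.replace(".", "[dot]")
    return f"{parts.scheme.replace('http', 'hxxp')}://{host}{parts.path}"

def triage_line(line: str):
    _ts, _src, method, url, action, _cat = line.split()
    path = urlsplit(url).path
    if not path.lower().endswith(EXEC_EXT):
        return None                      # only executable payloads are of interest
    reasons = ["executable file download"]
    if "/" not in path.strip("/"):       # e.g. /lti.exe: nothing but the file name
        reasons.append("served from root directory")
    if method.upper() == "POST":
        reasons.append("POST used to fetch a file")
    allowed = action.upper() == "ALLOW"
    f = Finding(defang(url), allowed, reasons)
    if allowed:                          # blocked transfers stay informational
        f.severity = "high" if len(reasons) >= 3 else "medium"
    return f

def triage(log_text: str):
    return [f for f in map(triage_line, log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.severity.upper(), f.url, "; ".join(f.reasons))
```

The "high" finding is exactly the case in the alert; the recommendation in the post (confirm the file was expected before deciding on a block) still applies, since the script only ranks, it does not judge legitimacy.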
2 Replies
nkeaton
Contributor II

Interesting and scary. One of the recent posts had a LinkedIn URL. My work computer lit up like a Christmas tree. It did not have a lot of detail but definitely blocked it from my. I then verified that I could still get to LinkedIn in case it was a very recent change. No issue there. Concerning, but not enough detail to say why it blocked it.

dcontesti
Community Champion

Micah,

Thanks for sharing, but have you reported it to ISC2 management? They are best suited to review and comment.

I am tagging @mariatirado so that she can circulate it to the right folk internally.

d