
Cisco Live San Diego Case Study: Hunting Cleartext Passwords in HTTP POST Requests


Additional Post Contributors: Mindy Schlueter

On June 11, the Cisco Live San Diego SOC received a Cisco XDR Incident triggered by two Cisco Secure Firewall events.

Both pointed to a Zeek detection: SNIFFPASS::HTTP_POST_Password_Seen. This is a clear sign that credentials were transmitted in unencrypted HTTP traffic.

This detection is a red flag: usernames and passwords are being sent in plaintext, making them easy targets for anyone monitoring the network. This kind of risky behavior is often caused by:

  • Web apps using HTTP instead of HTTPS
  • Users logging into misconfigured or outdated websites
  • Legacy or IoT devices still using insecure protocols

  1. Network Context — The SOC quickly identified the source: an endpoint on the attendee Wi-Fi network.
  2. Deep Dive with Packet Capture — Pivoting from Cisco XDR to Endace, analysts reviewed the full packet capture (PCAP). The destination? http://app[.]xxxxxxx[.]com[.]br, a backend endpoint used by a mobile app.
  3. App Identification — The HTTP headers included X-Requested-With: com.xxxx.promote. This pointed to a Brazilian property management app available on the Google Play Store.
  4. Scope of Exposure — Firewall logs revealed three endpoints on the Wi-Fi network had connected to this insecure app. The PCAP confirmed usernames and passwords were exposed in cleartext.

The core issue: a publicly available mobile app (on both Android and iOS) uses unencrypted HTTP to transmit credentials. While the traffic wasn't outright malicious, it posed a serious privacy risk.
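To make the detection concrete, here is an added example (not Cisco's or the Zeek SNIFFPASS package's own code) that shows the idea behind a notice like HTTP_POST_Password_Seen: parse a cleartext HTTP/1.x request, and if it is a POST whose form or JSON body carries a password-like field, emit a finding that records the host, path and the X-Requested-With app identifier the analysts pivoted on, without ever storing the credential itself. The hostname app.example.invalid, the app id com.example.placeholderapp, the credentials and the list of field names are all constructed placeholders, not values from the incident.

```python
"""Flag credential fields in cleartext HTTP POST bodies.

Added illustration of the SNIFFPASS-style detection described in the post,
run over a few constructed requests; not Zeek code and not Cisco's tooling.
"""
import json
from urllib.parse import parse_qsl

# Field names commonly used for secrets in login forms (heuristic, not exhaustive;
# "senha" is Portuguese for password, relevant for a Brazilian app's API).
PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd", "secret", "senha"}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def extract_fields(content_type: str, body: bytes) -> dict:
    """Return body parameters for the two encodings login forms usually use."""
    ctype = content_type.split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        return dict(parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True))
    if ctype == "application/json":
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        return data if isinstance(data, dict) else {}
    return {}


def find_cleartext_passwords(raw: bytes) -> list:
    """Return one finding per password-like field in a plaintext POST.

    The secret's value is never copied into the finding; only its presence
    and length are recorded, so the alert itself does not leak the credential.
    """
    req = parse_http_request(raw)
    if req["method"] != "POST":
        return []
    fields = extract_fields(req["headers"].get("content-type", ""), req["body"])
    findings = []
    for name, value in fields.items():
        if name.lower() in PASSWORD_FIELDS and isinstance(value, str) and value:
            findings.append({
                "host": req["headers"].get("host", ""),
                "path": req["target"],
                "field": name,
                "app": req["headers"].get("x-requested-with", ""),  # Android package id
                "password_length": len(value),
            })
    return findings


# Constructed sample traffic; every hostname, app id and credential is a placeholder.
SAMPLE_FORM_LOGIN = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: app.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"X-Requested-With: com.example.placeholderapp\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"username=alice&senha=hunter2"
)
SAMPLE_JSON_LOGIN = (
    b"POST /v2/auth HTTP/1.1\r\n"
    b"Host: app.example.invalid\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 35\r\n"
    b"\r\n"
    b'{"user":"bob","password":"s3cret!"}'
)
SAMPLE_GET = b"GET /status HTTP/1.1\r\nHost: app.example.invalid\r\n\r\n"
SAMPLE_SEARCH = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: app.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"q=towel+rack"
)


def scan(requests) -> list:
    """Run the detector over a sequence of captured requests."""
    findings = []
    for raw in requests:
        findings.extend(find_cleartext_passwords(raw))
    return findings


if __name__ == "__main__":
    for f in scan([SAMPLE_FORM_LOGIN, SAMPLE_JSON_LOGIN, SAMPLE_GET, SAMPLE_SEARCH]):
        print(f"cleartext credential: app={f['app'] or '?'} host={f['host']} "
              f"path={f['path']} field={f['field']}")
```

Only the two login requests produce findings; the GET and the password-free search POST are ignored. Because a passive sensor can only parse cleartext, anything this logic matches is by definition a credential that crossed the wire unencrypted, which is exactly why the SOC treated a single such notice as worth a full PCAP review.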

Rather than block the traffic, the SOC opted to educate the users on the dangers of using insecure apps — reinforcing the importance of encrypted communications.

Want to learn more about what we saw at Cisco Live San Diego 2025? Check out our main blog post — Cisco Live San Diego 2025 SOC — and the rest of our Cisco Live SOC content.
