BITS Downloading App updates from unknown endpoint


Hi,

Our IDS started freaking out today because a large number of our endpoints started initiating BITS downloads to an unknown endpoint. My initial reaction was ransomware, but after further investigation it appears that these BITS downloads are updates for Windows Store Apps. I am making this post to confirm that these endpoints are actually indeed official Microsoft endpoints. The BITS requests I had seen were all for the Limelight Networks CDN (llnwd[.]net), which I have heard hosts content for a lot of MSPs, one of which being Microsoft.

Checking the logs, it appears that our workstations have never made BITS requests to this CDN. All previous BITS updates were carried out using official microsoft.com endpoints. 

The following are some examples of the domains seen in the BITS requests:

  • ic-c39e4900-0f7065-msftstoretlu19.s.loris.llnwd[.]net
  • ic-c39e4900-0d5ab5-msftstore19.s.loris.llnwd[.]net
  • ic-c39e4900-08b3f9-msftstore19.s.loris.llnwd[.]net
  • ic-c39e4900-0700f8-msftstore19.s.loris.llnwd[.]net

Although all my investigations point to these being official Microsoft endpoints, I am worried that a CDN is being used because a malicious actor could easily mangle the URLs to make them look like official Microsoft ones. 

Is this the correct place to confirm that the above sub-domains are official Microsoft, and if not where should I ask this question instead?

Thanks
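The check described in the post (comparing today's BITS destinations against the domains the fleet has contacted before) can be scripted. The following is an added example, not code from the thread or from Microsoft. It assumes a constructed log format of `<timestamp> <client> BITS <url>`, a constructed baseline set of previously seen registrable domains, and a deliberately tiny public-suffix list; the hostnames are modelled on the ones quoted above with the de-fanging removed.

```python
"""Triage new BITS destinations against a baseline of previously seen domains.

Assumed (constructed) input: one log line per BITS transfer,
"<timestamp> <client> BITS <url>". Output: registrable domains that are
absent from the baseline, with transfer counts, the clients involved and the
distinct hostnames, so an analyst can see how widespread a new destination is.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines; hosts are modelled on those quoted in the thread.
# Paths are placeholders, not real Store URLs.
SAMPLE_LOG = """\
2021-09-14T08:01:12Z ws-017 BITS http://ic-c39e4900-0f7065-msftstoretlu19.s.loris.llnwd.net/files/placeholder1
2021-09-14T08:01:15Z ws-042 BITS http://ic-c39e4900-0d5ab5-msftstore19.s.loris.llnwd.net/files/placeholder2
2021-09-14T08:02:03Z ws-017 BITS https://download.microsoft.com/files/placeholder3
2021-09-14T08:02:40Z ws-099 BITS http://ic-c39e4900-08b3f9-msftstore19.s.loris.llnwd.net/files/placeholder4
2021-09-14T08:03:11Z ws-003 BITS https://download.windowsupdate.com/files/placeholder5
not a BITS line at all
"""

# Constructed baseline: registrable domains seen in earlier weeks' BITS traffic.
BASELINE = {"microsoft.com", "windowsupdate.com"}

# Minimal suffix list for the example; real triage should use the full
# Public Suffix List so that e.g. "example.co.uk" is not reduced to "co.uk".
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain (eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_lines(text: str):
    """Yield (timestamp, client, host) for well-formed BITS log lines; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "BITS":
            continue
        ts, client, _, url = parts
        host = urlsplit(url).hostname
        if host:
            yield ts, client, host


def triage(text: str, baseline: set) -> dict:
    """Return per-domain stats for every registrable domain not in the baseline."""
    seen = defaultdict(lambda: {"count": 0, "clients": set(), "hosts": set()})
    for _ts, client, host in parse_lines(text):
        entry = seen[registrable_domain(host)]
        entry["count"] += 1
        entry["clients"].add(client)
        entry["hosts"].add(host)
    return {dom: e for dom, e in seen.items() if dom not in baseline}


def report(new_domains: dict) -> list:
    """Render the triage result as plain-text lines for a ticket or alert."""
    lines = []
    for dom, e in sorted(new_domains.items()):
        lines.append(f"{dom}: {e['count']} transfers from {len(e['clients'])} clients")
        for host in sorted(e["hosts"]):
            # A vendor-looking label inside a third-party CDN name is not evidence
            # of ownership; the registrable domain is what the baseline keys on.
            lines.append(f"    {host}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG, BASELINE))))
```

The baseline is keyed on the registrable domain rather than the full hostname because CDN hostnames like the ones above carry per-asset prefixes and would never match a host-level allowlist. Treat the output as a starting point for the ownership question the post raises, not as an answer to it.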

@Maximilian Demajo 

Hi - My IDS went off with the same alerts.  I'm still looking into the root cause - will check for Store apps across my network.  Thanks for starting this thread. Jason.

I found this - which appears to be a list of all the endpoints Windows 10 20H2 talks to ..

https://docs.microsoft.com/en-us/windows/privacy/manage-windows-20h2-endpoints

But if you read how they got this list, you realise Microsoft don't actually know all the endpoints they use - this was just someone in MS with a network scanner.

J.

<--

The following methodology was used to derive these network endpoints:

  1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
  2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
  3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
  4. Compile reports on traffic going to public IP addresses.
  5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
  6. All traffic was captured in our lab using an IPv4 network. Therefore, no IPv6 traffic is reported here.
  7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
  8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.

-->

@JasonC2021 Thanks for checking this out. It appears that article does not contain any of the endpoints we are seeing, although it is dated. Unfortunate that they do not keep a complete list of contacted endpoints.

Have you noticed any further strange activity stemming from your devices since this started happening?

A bit worrying that I have not seen any further mention of these endpoints online.