World Wide Risk Update

We are seeing a very advanced intrusion attempt and campaign going on against our website, our systems and some customers and friends (we also assume this is targeting multiple cyber security companies as well). It appears to be at the nation-state level, and very good tools and attempts are being used that are, at the very least, coordinated and thought out. We are currently collecting lots of data, which is being backed up for forensics later on. We are seeing IPs from the US, India, China, Brazil, Russia, Germany and France in these attacks, which are IP based and target various specific apps and specific attack vectors. The campaign also includes AWS resources, MSNbot, Googlebot, Yandex and Baidu, as well as what looks like coordinated phishing attempts with multiple payloads as PDF and MS Office files.

A trend can be seen in how the attackers first map out the target and search for "about us" and other details of the company members (we don’t publish our team, and the listed address is not the actual company address, for exactly this reason). We then see attempts to upload various payloads into areas not normally seen in other attacks, and then coordinated phishing attempts that also leverage any and all social media and other online resources. Phishing attempts have picked up ever since we started to publish information on recent attacks and have risen to much higher levels over the last few days. Many phishing attempts come from flagged domains, but some are new and fresh. Since most “cyber” security companies keep the attacks they suffer secret, we assume this is either targeted at us or at a dedicated group of companies engaged in APT and risk research. We encourage anyone to come forward with details of similar activities so that we can coordinate with the appropriate teams.

(Update with some more details)

The attacks we have seen over the last 7 days come from the following IPs and countries, with the number of blocked attempts per IP:

IP                Country              Block Count
90.63.196.129     France               52
94.177.250.64     United Kingdom       49
162.158.65.109    United States        17
144.217.76.194    Canada               12
138.197.96.236    United States        12
91.65.244.140     Germany              10
104.237.157.171   United States        10
159.203.93.120    United States        9
193.34.145.202    Germany              7
91.196.50.33      Poland               7
103.237.145.12    Vietnam              5
185.60.227.5      Turkey               5
162.158.91.116    Germany              5
180.76.15.24      China                4
186.200.181.210   Brazil               4
191.181.124.53    Brazil               4
189.100.85.125    Brazil               4
170.0.236.103     Brazil               3
162.158.46.85     India                3
180.76.15.27      China                3
106.3.137.174     China                3
180.76.15.160     China                3
153.92.39.199     United States        3
80.142.120.252    Germany              3
175.152.30.210    China                2
180.76.15.155     China                2
180.76.15.19      China                2
183.131.83.53     China                2
77.186.122.48     Germany              2
106.45.1.66       China                2
187.94.98.38      Brazil               2
213.208.155.197   Austria              2
111.121.193.254   China                2
185.100.87.57     Romania              2
47.74.0.109       Japan                2
187.64.126.217    Brazil               2
180.76.15.7       China                2
180.76.15.134     China                2
180.76.15.158     China                2
187.38.7.27       Brazil               2
91.189.36.109     Poland               1
106.75.104.14     China                1
180.76.15.143     China                1
184.105.139.67    United States        1
79.137.85.189     Italy                1
187.190.212.207   Mexico               1
218.93.201.202    China                1
180.76.15.32      China                1
118.89.165.145    China                1
31.210.102.114    Turkey               1
106.75.101.163    China                1
180.76.15.142     China                1
141.8.143.227     United States        1
187.133.241.225   Mexico               1
218.93.201.199    China                1
100.43.85.9       United States        1
180.76.15.28      China                1
116.98.226.221    Vietnam              1
180.76.15.153     China                1
186.91.240.119    Venezuela            1
191.101.103.204   Germany              1
180.76.15.18      China                1
180.76.15.140     China                1
139.162.108.53    Japan                1
183.82.120.86     India                1
61.160.212.14     China                1
169.229.3.91      United States        1
180.76.15.151     China                1
85.14.250.137     Germany              1
180.76.15.15      China                1
190.129.35.244    Bolivia              1
180.76.15.136     China                1
163.172.174.60    France               1
195.202.47.16     Germany              1
180.76.15.25      China                1
109.225.41.161    Russian Federation   1
180.76.15.146     China                1
119.23.241.46     China                1
37.61.211.33      Germany              1

When we look at the last 24 hours only, however, we see a very different picture:

IP                Country              Block Count
144.217.76.194    Canada               12
103.237.145.12    Vietnam              5
180.76.15.134     China                2
187.38.7.27       Brazil               2
91.196.50.33      Poland               2
186.200.181.210   Brazil               2
111.121.193.254   China                2
193.34.145.202    Germany              2
180.76.15.24      China                2
187.94.98.38      Brazil               2
47.74.0.109       Japan                2
141.8.143.227     United States        1
100.43.85.9       United States        1
180.76.15.7       China                1
37.61.211.33      Germany              1
139.162.108.53    Japan                1
180.76.15.32      China                1
218.93.201.202    China                1
169.229.3.91      United States        1
180.76.15.28      China                1
91.189.36.109     Poland               1
162.158.91.116    Germany              1
184.105.139.67    United States        1
109.225.41.161    Russian Federation   1
180.76.15.27      China                1
187.190.212.207   Mexico               1
61.160.212.14     China                1
180.76.15.153     China                1
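The two tables above are the same data viewed over two windows, and the shift between them is what tells you which sources are newly active. The script below is an added worked example written for this post, not Hakdefnet's own tooling: it counts blocked requests per source IP over a 7-day and a 24-hour window and reports which sources appear only in the last day. The log lines are constructed samples in a simplified "timestamp ip country action" format using documentation-range IPs; that format and the fixed "now" are assumptions, not the site's real log layout.

```python
"""Per-IP block counts over a 7-day and a 24-hour window, plus "new in last 24h".

Added example, not Hakdefnet's code. The log lines below are constructed samples
(RFC 5737 documentation IPs) in an assumed "timestamp ip country action" format.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log: ISO timestamp, source IP, country code, firewall action.
SAMPLE_LOG = """\
2017-05-01T08:00:00Z 203.0.113.10 FR block
2017-05-02T09:15:00Z 203.0.113.10 FR block
2017-05-03T10:30:00Z 198.51.100.7 CA block
2017-05-06T23:10:00Z 198.51.100.7 CA block
2017-05-07T01:45:00Z 198.51.100.7 CA block
2017-05-07T05:00:00Z 192.0.2.44 CN block
2017-05-07T06:20:00Z 203.0.113.10 FR allow
2017-05-07T07:00:00Z 192.0.2.44 CN block
"""

# Fixed reference time so the example is reproducible (assumption).
NOW = datetime(2017, 5, 7, 12, 0, tzinfo=timezone.utc)


def parse_log(text):
    """Yield (timestamp, ip, country, action) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, parts[1], parts[2], parts[3]


def block_counts(records, now, window):
    """Count 'block' events per (ip, country) that fall within `window` before `now`."""
    start = now - window
    counts = Counter()
    for ts, ip, country, action in records:
        if action == "block" and start <= ts <= now:
            counts[(ip, country)] += 1
    return counts


def ranked(counts):
    """Rows of (ip, country, count), highest count first, then by IP string."""
    rows = ((ip, country, n) for (ip, country), n in counts.items())
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def newcomers(records, now, recent=timedelta(hours=24), history=timedelta(days=7)):
    """IPs blocked in the recent window that were not blocked earlier in the history window."""
    recent_ips = {ip for (ip, _country) in block_counts(records, now, recent)}
    earlier_ips = {
        ip for ts, ip, _country, action in records
        if action == "block" and now - history <= ts < now - recent
    }
    return recent_ips - earlier_ips


def blocklist(counts, threshold):
    """Sorted IPs whose block count reaches `threshold`, e.g. to feed a UTM/firewall list."""
    return sorted({ip for (ip, _country), n in counts.items() if n >= threshold})


if __name__ == "__main__":
    records = list(parse_log(SAMPLE_LOG))
    for label, window in (("7 days", timedelta(days=7)), ("24 hours", timedelta(hours=24))):
        print(f"Blocked attempts, last {label}:")
        for ip, country, n in ranked(block_counts(records, NOW, window)):
            print(f"  {ip:<16} {country:<4} {n}")
    print("New in the last 24 hours:", sorted(newcomers(records, NOW)))
```

The useful output is not the raw ranking but the difference between the windows: a source that dominates the week but is silent today has probably moved on, while a source that only shows up in the last day is the one worth feeding into the blocklist and watching.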

We are currently tracking more than 3000 new and unique IPs involved in various attacks on this website, and other sensors are picking up similar traffic against WordPress sites, including some big names:

  1. baidu.com / CN
  2. yandex.com / RU / USA
  3. biz.rr.com
  4. linode.com
  5. Greendata.pl
  6. onmicrosoft.com

We are coordinating activities with Microsoft and are currently tracking multiple IPs and collecting traffic for forensics. We would like to thank Microsoft Security for reaching out to us so that we can help protect any affected Microsoft customers currently using Azure, Outlook, Office 365, etc. (Thanks Guys and Gals!)

What can you do?

We have a few things to say here. This data highlights why we talk about Risk Intelligence all the time, and about proactive security teams and methodologies. We work on data that are indicators of (potential) threats so that teams don’t have to scramble during an attack to find needles in haystacks. We save time, money and a huge amount of cost by eating our own dog food (CyberNSight, NeedleStack - TM HDN2017).

  1. If you receive email from domains such as onmicrosoft.com or other official-looking domains, please be careful. Phishing emails with new payloads that are not being picked up by email security appliances or firewalls / UTMs are going around. Delete those emails!
  2. If you see any DNS names or domains similar to yours, flag them, and try to register those domains to stop tampering.
  3. If you see internal emails going out to “weird” IPs or connections, please flag them and block those addresses at your UTM/firewall.
  4. Integrate our Risk Intelligence into your systems for correlation.
  5. Capture the header information of emails you don’t recognise and send it to us (if you have no security audit services). We will look through the headers, review our current tracking lists and let you know what to do.
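As an added example for items 1, 2 and 5 (written for this post, not Hakdefnet's code), the script below parses raw mail headers with Python's standard email module, flags sender domains that look like your own (homoglyph folding plus edit distance) or sit on a watch list such as onmicrosoft.com, and reports a Return-Path that disagrees with the From domain. The protected domain example-corp.com, the three sample messages, the watch list and the distance threshold are all assumptions chosen for the example.

```python
"""Flag lookalike sender domains and From/Return-Path mismatches in mail headers.

Added example, not Hakdefnet's code. example-corp.com stands in for your own
domain; the sample messages below are constructed, not captured phishing mail.
"""
import email
from email.utils import parseaddr

PROTECTED = {"example-corp.com"}   # your own domains (assumed)
WATCHLIST = {"onmicrosoft.com"}    # domains the post says to treat with extra care
MAX_DISTANCE = 2                   # edit distance at which a domain counts as a lookalike (assumed)

# Constructed samples: one legitimate message, one lookalike sender, one watch-listed tenant domain.
SAMPLE_MESSAGES = [
    "From: Alice <alice@example-corp.com>\nReturn-Path: <alice@example-corp.com>\nSubject: lunch\n\n",
    "From: IT Helpdesk <it@examp1e-corp.com>\nReturn-Path: <bounce@mailer.invalid>\nSubject: reset\n\n",
    "From: Admin <admin@contoso.onmicrosoft.com>\nReturn-Path: <admin@contoso.onmicrosoft.com>\nSubject: invoice\n\n",
]


def normalize(domain):
    """Fold common homoglyph substitutions so 'examp1e' compares like 'example'."""
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(bad, good)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance using the two-row dynamic-programming form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value):
    """Domain part of a header like 'Name <user@host>'; '' if there is no address."""
    _name, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def registrable(domain):
    """Crude last-two-labels view so 'contoso.onmicrosoft.com' matches 'onmicrosoft.com'."""
    return ".".join(domain.split(".")[-2:])


def classify_domain(domain):
    """Return 'trusted', 'watchlist', 'lookalike' or 'other' for a sender domain."""
    if domain in PROTECTED:
        return "trusted"
    if registrable(domain) in WATCHLIST:
        return "watchlist"
    for good in PROTECTED:
        if normalize(domain) == normalize(good) or edit_distance(domain, good) <= MAX_DISTANCE:
            return "lookalike"
    return "other"


def check_headers(raw_message):
    """Findings for one raw message as 'kind:value' strings; an empty list means nothing flagged."""
    msg = email.message_from_string(raw_message)
    from_dom = sender_domain(msg.get("From"))
    rp_dom = sender_domain(msg.get("Return-Path"))
    findings = []
    verdict = classify_domain(from_dom)
    if verdict in ("lookalike", "watchlist"):
        findings.append(f"{verdict}:{from_dom}")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"return-path-mismatch:{rp_dom}")
    return findings


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        subject = email.message_from_string(raw).get("Subject")
        print(f"{subject!r}: {check_headers(raw) or 'clean'}")
```

Run over a mailbox export, the findings give you a short list to forward rather than every header; the homoglyph folding catches the digit-for-letter tricks that a plain edit distance of 1 would also catch, but it also matches longer substitutions such as "rn" for "m" that push the edit distance past the threshold.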

We hope you enjoyed another post; we will do the next one on owning routers and perimeter devices using a nice little tool that we found in our darknet searches.

Until the next time, you saw it here first at Hakdefnet!

Mike

(The info, intelligence and any data on this post or website are copyright and TM Hakdefnet 2017, no copying, pictures, etc without referencing us and giving us credit for the data and reports -Please)