Operation: House of Cards

Article from June 2017

World Wide Risk Update

We are seeing a very advanced intrusion attempt and campaign going on against our website and systems, and at some customers and friends (we also assume this is targeting multiple cyber security companies). It appears to be at the nation-state level: very good tools and techniques are being used that are at the very least coordinated and thought out. We are currently collecting lots of data, which is being backed up for forensics later on. We are seeing IPs from the US, India, China, Brazil, Russia, Germany and France in these attacks, which are IP-based and target various specific apps and specific attack vectors. The campaign also includes AWS resources, MSNbot, Googlebot, Yandex and Baidu, as well as what look like coordinated phishing attempts with multiple payloads as PDF and MS Office files.

A trend can be seen in how the attackers first map out the target and search for the "about us" page and other details of the company members (we don't publish our team, and the listed address is not the actual company address, for exactly this reason). We then see attempts to upload various payloads into areas not normally seen in other attacks, and then coordinated phishing attempts that also leverage any and all social media and other online resources. Phishing attempts have picked up ever since we started to publish information on recent attacks and have risen to much higher levels over the last few days. Many phishing attempts come from flagged domains, but some are new and fresh. Since most "cyber" security companies keep the attacks they suffer secret, we assume this is either targeted at us or at a dedicated group of companies engaged in APT and risk research. We encourage anyone to come forward with details of similar activities so that we can coordinate with the appropriate teams.

(Update with some more details)

The attacks we have seen over the last 7 days give the following picture of IPs and countries, including the number of blocked attempts:

IP                Country             Block Count
90.63.196.129     France              52
94.177.250.64     United Kingdom      49
162.158.65.109    United States       17
144.217.76.194    Canada              12
138.197.96.236    United States       12
91.65.244.140     Germany             10
104.237.157.171   United States       10
159.203.93.120    United States       9
193.34.145.202    Germany             7
91.196.50.33      Poland              7
103.237.145.12    Vietnam             5
185.60.227.5      Turkey              5
162.158.91.116    Germany             5
180.76.15.24      China               4
186.200.181.210   Brazil              4
191.181.124.53    Brazil              4
189.100.85.125    Brazil              4
170.0.236.103     Brazil              3
162.158.46.85     India               3
180.76.15.27      China               3
106.3.137.174     China               3
180.76.15.160     China               3
153.92.39.199     United States       3
80.142.120.252    Germany             3
175.152.30.210    China               2
180.76.15.155     China               2
180.76.15.19      China               2
183.131.83.53     China               2
77.186.122.48     Germany             2
106.45.1.66       China               2
187.94.98.38      Brazil              2
213.208.155.197   Austria             2
111.121.193.254   China               2
185.100.87.57     Romania             2
47.74.0.109       Japan               2
187.64.126.217    Brazil              2
180.76.15.7       China               2
180.76.15.134     China               2
180.76.15.158     China               2
187.38.7.27       Brazil              2
91.189.36.109     Poland              1
106.75.104.14     China               1
180.76.15.143     China               1
184.105.139.67    United States       1
79.137.85.189     Italy               1
187.190.212.207   Mexico              1
218.93.201.202    China               1
180.76.15.32      China               1
118.89.165.145    China               1
31.210.102.114    Turkey              1
106.75.101.163    China               1
180.76.15.142     China               1
141.8.143.227     United States       1
187.133.241.225   Mexico              1
218.93.201.199    China               1
100.43.85.9       United States       1
180.76.15.28      China               1
116.98.226.221    Vietnam             1
180.76.15.153     China               1
186.91.240.119    Venezuela           1
191.101.103.204   Germany             1
180.76.15.18      China               1
180.76.15.140     China               1
139.162.108.53    Japan               1
183.82.120.86     India               1
61.160.212.14     China               1
169.229.3.91      United States       1
180.76.15.151     China               1
85.14.250.137     Germany             1
180.76.15.15      China               1
190.129.35.244    Bolivia             1
180.76.15.136     China               1
163.172.174.60    France              1
195.202.47.16     Germany             1
180.76.15.25      China               1
109.225.41.161    Russian Federation  1
180.76.15.146     China               1
119.23.241.46     China               1
37.61.211.33      Germany             1

When we look at the last 24 hours only, however, we see a very different picture:

IP                Country             Block Count
144.217.76.194    Canada              12
103.237.145.12    Vietnam             5
180.76.15.134     China               2
187.38.7.27       Brazil              2
91.196.50.33      Poland              2
186.200.181.210   Brazil              2
111.121.193.254   China               2
193.34.145.202    Germany             2
180.76.15.24      China               2
187.94.98.38      Brazil              2
47.74.0.109       Japan               2
141.8.143.227     United States       1
100.43.85.9       United States       1
180.76.15.7       China               1
37.61.211.33      Germany             1
139.162.108.53    Japan               1
180.76.15.32      China               1
218.93.201.202    China               1
169.229.3.91      United States       1
180.76.15.28      China               1
91.189.36.109     Poland              1
162.158.91.116    Germany             1
184.105.139.67    United States       1
109.225.41.161    Russian Federation  1
180.76.15.27      China               1
187.190.212.207   Mexico              1
61.160.212.14     China               1
180.76.15.153     China               1
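
The two tables above are the output of a simple aggregation over block events. As an added example (not Hakdefnet's own tooling), the Python below parses constructed block-log lines, builds the same 7-day and 24-hour views, lists the sources that only showed up in the last day, and collapses single addresses into /24 networks so that a cluster like the many 180.76.15.x hits in the tables counts as one source. The log format, the sample lines and the reference time are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta
import ipaddress

# Constructed sample of block events (not real log lines from the post).
# Fields: ISO-8601 timestamp, source IP, GeoIP country, blocked request path.
SAMPLE_BLOCK_LOG = """\
2017-06-15T08:00:00Z 144.217.76.194 Canada /wp-login.php
2017-06-16T10:01:19Z 90.63.196.129 France /wp-login.php
2017-06-17T10:01:13Z 90.63.196.129 France /xmlrpc.php
2017-06-18T01:15:00Z 180.76.15.24 China /about-us/
2017-06-19T22:40:02Z 103.237.145.12 Vietnam /wp-admin/admin-ajax.php
2017-06-20T01:15:00Z 180.76.15.134 China /?s=about
2017-06-20T02:00:00Z 203.0.113.77 Germany /wp-content/uploads/test.php
2017-06-20T03:12:44Z 144.217.76.194 Canada /wp-login.php
2017-06-20T03:12:51Z 144.217.76.194 Canada /xmlrpc.php
"""

# Reference "now" for the constructed sample; a live script would use datetime.utcnow().
NOW = datetime(2017, 6, 20, 12, 0, 0)


def parse_block_log(text):
    """Parse whitespace-separated block lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        ts, ip, country, path = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            ipaddress.ip_address(ip)  # reject garbage in the IP column
        except ValueError:
            continue
        events.append({"time": when, "ip": ip, "country": country, "path": path})
    return events


def in_window(events, now, window):
    """Events with now - window <= time <= now (future-dated lines are ignored)."""
    start = now - window
    return [e for e in events if start <= e["time"] <= now]


def count_by_ip(events):
    """Block count per (ip, country), most active first, like the post's tables."""
    return Counter((e["ip"], e["country"]) for e in events).most_common()


def count_by_network(events, prefixlen=24):
    """Collapse individual IPs into /prefixlen networks so a cluster of neighbouring
    addresses (e.g. 180.76.15.x) is visible as one source."""
    nets = Counter()
    for e in events:
        net = ipaddress.ip_network(f"{e['ip']}/{prefixlen}", strict=False)
        nets[str(net)] += 1
    return nets.most_common()


def compare_windows(events, now=NOW):
    """Build the 7-day and 24-hour views and list IPs that appeared only in the
    last 24 hours, i.e. sources not seen earlier in the week."""
    week = in_window(events, now, timedelta(days=7))
    day = in_window(events, now, timedelta(hours=24))
    earlier_ips = {e["ip"] for e in week if e["time"] < now - timedelta(hours=24)}
    new_ips = sorted({e["ip"] for e in day} - earlier_ips)
    return {
        "seven_day": count_by_ip(week),
        "last_24h": count_by_ip(day),
        "new_in_24h": new_ips,
        "networks_7d": count_by_network(week),
    }


if __name__ == "__main__":
    report = compare_windows(parse_block_log(SAMPLE_BLOCK_LOG))
    for name in ("seven_day", "last_24h"):
        print(f"== {name} ==")
        for (ip, country), n in report[name]:
            print(f"{ip:<16} {country:<10} {n}")
    print("new in last 24h:", ", ".join(report["new_in_24h"]))
    print("networks (7d):", report["networks_7d"])
```

The "new in last 24h" list is the part worth automating: a source that blocks heavily in the weekly view but has gone quiet is old news, while an address that first appears today is the one to pull the captured traffic for. The /24 view is deliberately coarse; it only needs to be tight enough to show that a run of addresses is one operator or one crawler pool rather than unrelated noise.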

We are currently tracking more than 3000 new and unique IPs involved in various attacks on this website, and other sensors are picking up similar traffic for WordPress sites, including some big names:

  1. baidu.com / CN
  2. yandex.com / RU / USA
  3. biz.rr.com
  4. linode.com
  5. Greendata.pl
  6. onmicrosoft.com

We are coordinating with Microsoft and currently tracking multiple IPs and collected traffic for forensics. We would like to thank Microsoft Security in this case for reaching out to us so that we can help protect any affected Microsoft customers currently using Azure, Outlook, Office 365, etc. (Thanks Guys and Gals!)

What can you do?

We have a few things to say. This data highlights why we talk about Risk Intelligence all the time, and about proactive security teams and methodologies. We work on data that are indicators of (potential) threats so that teams don't have to scramble during an attack to find needles in haystacks. We save time, money and a huge amount of costs by eating our own dogfood (CyberNSight, NeedleStack -TM HDN2017).

  1. If you receive email from onmicrosoft.com or other official-looking domains, please be careful. Phishing emails with new payloads that are not getting picked up by email security appliances or firewalls / UTMs are going around. Delete those emails!
  2. If you see any DNS records or domains with names similar to yours, flag them and try to register those domains to stop tampering.
  3. If you see internal emails going out to "weird IPs or connections", please flag those and block those addresses at your UTM/firewall.
  4. Integrate our Risk Intelligence into your systems for correlation.
  5. Capture the header information of emails you don't recognise and send them to us (if you have no security audit services). We will look through the headers, review our current tracking lists and let you know what to do.
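
Items 1 and 2 above can be turned into a mechanical check on inbound mail. As an added example (not Hakdefnet's code), the Python below classifies sender addresses against a defender's own domain: exact matches, senders from the shared onmicrosoft.com tenant domain the post warns about (marked for review rather than trusted), and look-alike domains found either by homoglyph normalisation plus edit distance or by a known domain embedded inside a longer host name. The domain example.com, the trusted-domain list, the distance threshold and the sample addresses are constructed assumptions.

```python
import re
import unicodedata

# Assumptions for the example (not from the post): the defender's own domain and
# the brand domains it legitimately receives mail from. onmicrosoft.com is the
# shared Microsoft tenant domain named in the post, so mail from it gets a
# "review" verdict instead of being trusted on sight.
OUR_DOMAIN = "example.com"
TRUSTED_DOMAINS = {"microsoft.com"}
REVIEW_DOMAINS = {"onmicrosoft.com"}
MAX_EDIT_DISTANCE = 2

# Substitutions commonly used to imitate a label; applied before comparing.
_DIGRAPHS = {"rn": "m", "vv": "w"}
_SINGLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_label(label):
    """Lower-case, Unicode-fold and undo the usual look-alike substitutions."""
    label = unicodedata.normalize("NFKC", label).lower()
    for digraph, single in _DIGRAPHS.items():
        label = label.replace(digraph, single)
    return label.translate(_SINGLES)


def sender_host(address):
    """Host part of 'Display Name <user@host>' or a bare 'user@host'."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address.strip()
    return addr.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def registrable_domain(host):
    # Simplification: last two labels. Production code should consult the
    # public suffix list so that e.g. example.co.uk is handled correctly.
    return ".".join(host.split(".")[-2:])


def classify_sender(address):
    """Return 'own', 'trusted', 'review', 'lookalike' or 'other' for a sender."""
    host = sender_host(address)
    labels = host.split(".")
    reg = registrable_domain(host)
    if reg == OUR_DOMAIN:
        return "own"
    if reg in REVIEW_DOMAINS:
        return "review"
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    # A known domain used as a prefix of a longer host, e.g. example.com.evil-host.net
    for known in {OUR_DOMAIN} | TRUSTED_DOMAINS | REVIEW_DOMAINS:
        k = known.split(".")
        if any(labels[i:i + len(k)] == k for i in range(len(labels) - len(k) + 1)):
            return "lookalike"
    # Registrable label that is (nearly) identical after undoing homoglyphs
    reg_label = normalize_label(labels[-2]) if len(labels) >= 2 else normalize_label(host)
    for known in {OUR_DOMAIN} | TRUSTED_DOMAINS:
        if levenshtein(reg_label, normalize_label(known.split(".")[0])) <= MAX_EDIT_DISTANCE:
            return "lookalike"
    return "other"


def triage(addresses):
    """Map each sender address to its verdict."""
    return {addr: classify_sender(addr) for addr in addresses}


# Constructed sample senders for the demo (none of these are from the post).
SAMPLE_SENDERS = [
    "Alice <alice@example.com>",
    "billing@examp1e.com",
    "it-support@exarnple.com",
    "noreply@contoso.onmicrosoft.com",
    "bob@microsofft.com",
    "admin@example.com.evil-host.net",
    "updates@microsoft.com",
    "news@unrelated-vendor.net",
]

if __name__ == "__main__":
    for addr, verdict in triage(SAMPLE_SENDERS).items():
        print(f"{verdict:<10} {addr}")
```

A "lookalike" verdict is the input to step 2 above: the flagged domain is a candidate for defensive registration or for a block rule at the mail gateway. The edit-distance threshold should be lowered for short labels, where two edits can turn one real word into another, and the two-label registrable-domain rule is a stand-in for a proper public suffix list.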

We hope you enjoyed another post; we will do the next one on owning routers and perimeter devices using a nice little tool that we found in our darknet searches.

Until the next time, you saw it here first at Hakdefnet!

Mike

(The info, intelligence and any data in this post or on this website are copyright and TM Hakdefnet 2017; no copying of text, pictures, etc. without referencing us and giving us credit for the data and reports - please.)
