Article from June 2017
World Wide Risk Update
We are seeing a very advanced intrusion campaign against our website and systems, and against some customers and friends (we assume it is targeting multiple cyber security companies as well). It appears to be at the nation-state level: the tools and techniques are very good and, at the very least, coordinated and thought out. We are collecting the data as it comes in and backing it up for later forensics. Source IPs in these attacks come from the US, India, China, Brazil, Russia, Germany and France, and the traffic targets specific applications and specific attack vectors. The campaign also involves AWS resources and traffic from MSNbot, Googlebot, Yandex and Baidu, as well as what looks like coordinated phishing with multiple payload types (PDF and MS Office files).
There is a clear pattern in how the attackers first map out the target: they search the "about us" page and other details of company members (we don't publish our team, and the listed address is not the actual company address, for exactly this reason). We then see attempts to upload various payloads into areas not normally seen in other attacks, followed by coordinated phishing that leverages any and all social media and other online resources. Phishing attempts have increased ever since we started publishing information on recent attacks and have risen to much higher levels over the last few days. Many of the phishing domains are already flagged, but some are new and fresh. Since most "cyber" security companies keep the attacks they suffer secret, we assume this is either targeted at us or at a specific group of companies engaged in APT and risk research. We encourage anyone seeing similar activity to come forward with details so that we can coordinate with the appropriate teams.
(Update with some more details)
The attacks we have seen over the last 7 days came from the following IPs and countries (with the number of blocked attempts per IP):
IP | Country | Block Count
90.63.196.129 | France | 52
94.177.250.64 | United Kingdom | 49
162.158.65.109 | United States | 17
144.217.76.194 | Canada | 12
138.197.96.236 | United States | 12
91.65.244.140 | Germany | 10
104.237.157.171 | United States | 10
159.203.93.120 | United States | 9
193.34.145.202 | Germany | 7
91.196.50.33 | Poland | 7
103.237.145.12 | Vietnam | 5
185.60.227.5 | Turkey | 5
162.158.91.116 | Germany | 5
180.76.15.24 | China | 4
186.200.181.210 | Brazil | 4
191.181.124.53 | Brazil | 4
189.100.85.125 | Brazil | 4
170.0.236.103 | Brazil | 3
162.158.46.85 | India | 3
180.76.15.27 | China | 3
106.3.137.174 | China | 3
180.76.15.160 | China | 3
153.92.39.199 | United States | 3
80.142.120.252 | Germany | 3
175.152.30.210 | China | 2
180.76.15.155 | China | 2
180.76.15.19 | China | 2
183.131.83.53 | China | 2
77.186.122.48 | Germany | 2
106.45.1.66 | China | 2
187.94.98.38 | Brazil | 2
213.208.155.197 | Austria | 2
111.121.193.254 | China | 2
185.100.87.57 | Romania | 2
47.74.0.109 | Japan | 2
187.64.126.217 | Brazil | 2
180.76.15.7 | China | 2
180.76.15.134 | China | 2
180.76.15.158 | China | 2
187.38.7.27 | Brazil | 2
91.189.36.109 | Poland | 1
106.75.104.14 | China | 1
180.76.15.143 | China | 1
184.105.139.67 | United States | 1
79.137.85.189 | Italy | 1
187.190.212.207 | Mexico | 1
218.93.201.202 | China | 1
180.76.15.32 | China | 1
118.89.165.145 | China | 1
31.210.102.114 | Turkey | 1
106.75.101.163 | China | 1
180.76.15.142 | China | 1
141.8.143.227 | United States | 1
187.133.241.225 | Mexico | 1
218.93.201.199 | China | 1
100.43.85.9 | United States | 1
180.76.15.28 | China | 1
116.98.226.221 | Vietnam | 1
180.76.15.153 | China | 1
186.91.240.119 | Venezuela | 1
191.101.103.204 | Germany | 1
180.76.15.18 | China | 1
180.76.15.140 | China | 1
139.162.108.53 | Japan | 1
183.82.120.86 | India | 1
61.160.212.14 | China | 1
169.229.3.91 | United States | 1
180.76.15.151 | China | 1
85.14.250.137 | Germany | 1
180.76.15.15 | China | 1
190.129.35.244 | Bolivia | 1
180.76.15.136 | China | 1
163.172.174.60 | France | 1
195.202.47.16 | Germany | 1
180.76.15.25 | China | 1
109.225.41.161 | Russian Federation | 1
180.76.15.146 | China | 1
119.23.241.46 | China | 1
37.61.211.33 | Germany | 1
Looking only at the last 24 hours, however, gives a different picture:
IP | Country | Block Count
144.217.76.194 | Canada | 12
103.237.145.12 | Vietnam | 5
180.76.15.134 | China | 2
187.38.7.27 | Brazil | 2
91.196.50.33 | Poland | 2
186.200.181.210 | Brazil | 2
111.121.193.254 | China | 2
193.34.145.202 | Germany | 2
180.76.15.24 | China | 2
187.94.98.38 | Brazil | 2
47.74.0.109 | Japan | 2
141.8.143.227 | United States | 1
100.43.85.9 | United States | 1
180.76.15.7 | China | 1
37.61.211.33 | Germany | 1
139.162.108.53 | Japan | 1
180.76.15.32 | China | 1
218.93.201.202 | China | 1
169.229.3.91 | United States | 1
180.76.15.28 | China | 1
91.189.36.109 | Poland | 1
162.158.91.116 | Germany | 1
184.105.139.67 | United States | 1
109.225.41.161 | Russian Federation | 1
180.76.15.27 | China | 1
187.190.212.207 | Mexico | 1
61.160.212.14 | China | 1
180.76.15.153 | China | 1
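Two things are worth doing with a block list like the tables above before reading it as a map of attackers, and the Python below does both. It is an added example written for this page, not code from the original post or from Hakdefnet's tools, and it works on a dozen rows copied from the tables (a subset, embedded as constructed sample input in both row layouts the tables use). First, it sums block counts per /24 instead of per host, so that the twenty 180.76.15.x entries collapse into one line with a host count. Second, it labels addresses that fall inside infrastructure a web server sees by design: 162.158.0.0/15 is Cloudflare's edge range, so a site fronted by Cloudflare logs those addresses as the "client" unless the origin restores the real client IP from the proxy's header; 180.76.0.0/16 is Baidu's crawler pool; the two Yandex prefixes are taken from Yandex's published crawler ranges. All three prefixes are assumptions to re-verify against the operators' current lists and reverse DNS. Geolocation of a source IP says where a host sits, not who operates it.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: twelve rows copied from the post's two tables, in both
# row layouts the post uses (trailing empty cells; duplicated country column).
# This is a subset, not the full dataset.
SAMPLE_TABLE = """\
90.63.196.129 | France | 52 | |
162.158.65.109 | United States | 17 | |
144.217.76.194 | Canada | Canada | 12 |
162.158.91.116 | Germany | 5 | |
180.76.15.24 | China | 4 | |
180.76.15.27 | China | 3 | |
180.76.15.160 | China | 3 | |
162.158.46.85 | India | 3 | |
180.76.15.155 | China | 2 | |
180.76.15.19 | China | China | 2 |
100.43.85.9 | United States | 1 | |
141.8.143.227 | United States | 1 | |
"""

# Assumed allowlist of infrastructure a web server "sees" by design: a CDN's
# reverse-proxy edges (the proxy's addresses, not the client's, unless the
# origin restores the real client IP from the proxy's header) and search-engine
# crawler pools. Prefixes are the operators' publicly documented ones; re-check
# them against current published lists and reverse DNS before acting on a label.
KNOWN_RANGES = {
    "cloudflare-edge": ["162.158.0.0/15"],
    "baiduspider": ["180.76.0.0/16"],
    "yandexbot": ["100.43.64.0/19", "141.8.128.0/18"],
}
KNOWN_NETS = {label: [ipaddress.ip_network(n) for n in nets]
              for label, nets in KNOWN_RANGES.items()}


def parse_table(text):
    """Parse 'ip | country | [country |] count' rows; empty cells are ignored."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|") if c.strip()]
        if len(cells) < 3 or not cells[-1].isdigit():
            continue
        rows.append((ipaddress.ip_address(cells[0]), cells[1], int(cells[-1])))
    return rows


def classify(ip):
    """Label an address by the allowlist above, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for label, nets in KNOWN_NETS.items():
        if any(addr in n for n in nets):
            return label
    return "unknown"


def aggregate_by_prefix(rows, prefixlen=24):
    """Sum block counts per /prefixlen and count distinct hosts, so one source
    spread over many addresses (a crawler pool) shows up as a single line."""
    totals, hosts = Counter(), defaultdict(set)
    for ip, _country, count in rows:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        totals[net] += count
        hosts[net].add(ip)
    return {str(net): (totals[net], len(hosts[net])) for net in totals}


def aggregate_by_label(rows):
    """Block counts attributable to known crawler/CDN ranges vs. the rest."""
    totals = Counter()
    for ip, _country, count in rows:
        totals[classify(ip)] += count
    return dict(totals)


if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE)
    by_prefix = aggregate_by_prefix(rows)
    for net, (blocks, n_hosts) in sorted(by_prefix.items(), key=lambda kv: -kv[1][0]):
        label = classify(net.split("/")[0])
        print(f"{net:18s} {blocks:4d} blocks from {n_hosts} host(s)  [{label}]")
    print(aggregate_by_label(rows))
```

On the sample rows the unknown bucket is left with just two sources (the French and the Canadian host), which is where an analyst's time should go; the Cloudflare edge addresses are a logging problem to fix at the origin, and the Baidu /24 is one crawler, not twenty attackers.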
We are currently tracking more than 3000 new, unique IPs involved in various attacks on this website, and other sensors are picking up similar traffic against WordPress sites; the sources include some big names:
- baidu.com / CN
- yandex.com / RU, US
- biz.rr.com
- linode.com
- Greendata.pl
- onmicrosoft.com
We are coordinating with Microsoft, tracking multiple IPs and keeping the collected traffic for forensics. We would like to thank Microsoft Security for reaching out to us so that we can help protect any affected Microsoft customers currently using Azure, Outlook, Office 365, etc. (Thanks, guys and gals!)
What can you do?
A few things. This data highlights why we talk about Risk Intelligence, proactive security teams and methodologies all the time. We work on data that are indicators of (potential) threats so that teams don't have to scramble during an attack to find needles in haystacks. We save time, money and a great deal of cost by eating our own dog food (CyberNSight, NeedleStack - TM HDN2017).
- If you receive email from onmicrosoft.com or other official-looking domains, be careful. Phishing emails with new payloads that are not being picked up by email security appliances or firewalls/UTMs are going around. Delete those emails!
- If you see DNS names or domains that look similar to yours, flag them and try to register those domains yourself so they cannot be used against you.
- If you see internal email going out to "weird" IPs or connections, flag it and block those addresses at your UTM/firewall.
- Integrate our Risk Intelligence into your systems for correlation.
- Capture the header information of emails you don't recognise and send it to us (if you have no security audit service of your own). We will look through the headers, check them against our current tracking lists and let you know what to do.
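The header review the list above asks for can be done locally before anything is forwarded. The Python below is an added example, not a Hakdefnet tool, and the message it parses is constructed for this page, not one of the phishing mails described above. It extracts the From, Return-Path and Reply-To domains, walks the Received chain for relay IPs, reads the SPF/DKIM verdicts from Authentication-Results, flags a From domain that is a digit-for-letter lookalike of your own domain or of watched domains such as onmicrosoft.com, and notes PDF/Office attachments (the payload types the post mentions). The domain lists, the homoglyph table and the distance threshold are assumptions to adapt to your own environment.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not one of the phishing mails from the post): the
# display name claims to be the recipient's own company, the From domain is a
# digit-for-letter lookalike, the envelope sender and Reply-To point elsewhere,
# and the attachment is one of the payload types the post mentions.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.25])
\tby mx.example.com with ESMTP id abc123; Tue, 13 Jun 2017 09:12:44 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail-relay.example.net with ESMTPA; Tue, 13 Jun 2017 09:12:40 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Example Corp IT" <helpdesk@examp1e.com>
Reply-To: helpdesk@examp1e-support.onmicrosoft.com
To: someone@example.com
Subject: Invoice attached
Content-Type: application/pdf; name="invoice.pdf"

(attachment body omitted)
"""

OWN_DOMAINS = {"example.com"}                           # assumption: your own domains
WATCHED_DOMAINS = {"onmicrosoft.com", "microsoft.com"}  # domains the post says to treat carefully
RISKY_TYPES = {"application/pdf", "application/msword", "application/vnd.ms-excel",
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document"}
# Digit/symbol substitutions commonly used to fake a domain; folded before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, targets):
    """Return the target a domain imitates, or None if it is a target itself
    or not close to any. 'Close' = homoglyph-folded match or distance <= 2."""
    d = domain.lower()
    if any(d == t or d.endswith("." + t) for t in targets):
        return None
    nd = d.translate(HOMOGLYPHS)
    for t in targets:
        if nd == t or nd.endswith("." + t) or edit_distance(nd, t) <= 2:
            return t
    return None


def domain_of(header_value):
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def analyse(raw, own_domains=OWN_DOMAINS, watched=WATCHED_DOMAINS):
    """Pull the fields worth looking at out of a raw message and list findings
    as short tags. Received headers are read top-down: the first is the hop
    closest to you and the only one you can trust (the rest can be forged)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    envelope_dom = domain_of(msg["Return-Path"] or "")
    reply_dom = domain_of(msg["Reply-To"] or msg["From"])
    hops = []
    for h in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(str(h))
        if m:
            hops.append(m.group(1))
    auth = str(msg["Authentication-Results"] or "")
    findings = []
    t = lookalike_of(from_dom, own_domains | watched)
    if t:
        findings.append(f"from-lookalike:{t}")
    if envelope_dom and envelope_dom != from_dom:
        findings.append("envelope-mismatch")
    if reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    for d in {from_dom, reply_dom}:
        for w in watched:
            if d == w or d.endswith("." + w):
                findings.append(f"watched-domain:{w}")
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}:{m.group(1)}")
    for part in msg.walk():
        if part.get_content_type() in RISKY_TYPES:
            findings.append(f"risky-attachment:{part.get_content_type()}")
    return {"from_domain": from_dom, "envelope_domain": envelope_dom,
            "reply_domain": reply_dom, "hops": hops, "findings": findings}


if __name__ == "__main__":
    for k, v in analyse(SAMPLE_RAW).items():
        print(f"{k}: {v}")
```

The watched-domain tag is deliberately not a verdict on its own: mail from onmicrosoft.com tenants can be perfectly legitimate, which is why the advice above is "be careful" rather than "block". It is the combination (lookalike From, envelope and Reply-To pointing elsewhere, SPF failing, an Office or PDF attachment) that makes the sample worth deleting and forwarding the headers.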
We hope you enjoyed another post; the next one will be on owning routers and perimeter devices using a nice little tool we found in our darknet searches.
Until the next time, you saw it here first at Hakdefnet!
Mike
(The info, intelligence and any data on this post or website are copyright and TM Hakdefnet 2017, no copying, pictures, etc without referencing us and giving us credit for the data and reports -Please)