Threat Intelligence UPDATE: Cymru EIS Report. cymru.com

Size: px

Start display at page:

Download "Threat Intelligence UPDATE: Cymru EIS Report. www.team- cymru.com"

Franklin Cross
7 years ago
Views:

1 Threat Intelligence Group UPDATE UPDATE: SOHO Pharming A Team Cymru EIS Report Powered Page by T1eam Threat Intelligence Group of 5 C ymru s

2 This is an update on the SOHO Pharming case we published a little over a week ago. We share a little more detail on the 2 new IPs we tweeted about late last week plus 3 more, and we detail some changes in the cleanup operation as well as some easy mitigation measures. Finally we cover a little more about the Enterprise Intelligence Team that produced this insight. Key points: o Network shrunk from around 300,000 to about 50,000 o 5 new DNS Servers, comprising at least 100,000 infections: o Massive success cleaning up in certain countries New IPs: Team Cymru s Enterprise Intelligence Services identified additional networks of compromised SOHO routers, and is actively working with our partners in the information security community to disrupt these new campaigns. Through analysis and collaboration with other information security professionals, we uncovered new DNS pharming servers established at and as well as at , and For the last 3 of these IPs, we have seen more than 100, 000 unique IPs using them for DNS in the last 10 days, mostly from India (78%) and Vietnam (19%). At he time of writing, they are set to eventually forward to the domain 18tdn[.]com, which redirects to linkbucks[.]com, an affiliate advertising network. The former domain is linked to an individual of Vietnamese origin. It is also possible that is also connected with these attacks. Remember: the original IPs in our paper were and After we mentioned the original IPs in our paper, a considerable amount of the infected routers changed DNS IPs. Page 2 of 5

3 Changes in distribution: Our analysis also showed a significant drop in victim SOHO devices connecting to the previously reported pharming servers at and While we know that some ISPs are responding to the victims in their networks, it may also indicate that the actors behind the initial pharming attack are now working to re- exploit vulnerable devices and point them at these new pharming servers. Chart of number of infected SOHO Routers connecting to and from 3 rd 7 th March Page 3 of 5

4 Threat Intelligence Group Heatmap of location of routers connecting to and from 3rd 7th March You can see from the heatmap above that Thailand is significantly less prominent and does not appear in the chart above either. There is still comparatively little activity in the USA. Mitigation: In addition to the home and Enterprise user mitigation steps we talked about last week, we have added the infected devices to our free and commercial feeds and services: TC Console is a free web interface allowing network administrators to review the malicious activity on their network, as seen by our global insight and analysis engines. The CSIRT Assistance Program (or CAP ) provides the same information to National and regional CSIRT Teams around the world. We currently partner with 57 such teams. Page 4 of 5

5 Our Commercial Threat Intelligence Feeds cover the global listings of Command and Control Servers, infected devices and all manner of malware intelligence, botnets and DDoS attacks. For more information, please visit: o TC Console cymru.org/services/tcconsole/ o CSIRT Assistance Program cymru.org/services/cap/ o Threat Intelligence Feeds or fill out the form on the SOHO Pharming Whitepaper landing page: or outreach@cymru.com for more details. How Did We Do It? This report was driven through the strength of our capabilities. Our team of analysts became aware of the SOHO routers that were impacted and began their thorough investigation. This high level of investigative prowess, built on our experience, knowledge, and capabilities, is what powers our Threat Intelligence Feeds as well as our premier offering: the Team Cymru Enterprise Intelligence Service (EIS). Our EIS offering is designed to augment and enhance other existing Cyber Intelligence Services that an organization may already be using by bringing our full resources to bear on your urgent and difficult problems. Want to know more? Fill out the form on the SOHO Pharming Whitepaper landing page or outreach@cymru.com for more details. Investing five minutes with us could be the difference for your organization. Page 5 of 5

Man, Machine and DDoS Mitigation

Man, Machine and DDoS Mitigation The case for human cyber security expertise Automated DDoS mitigation poses risks Distributed denial of service (DDoS) attacks can overwhelm DDoS appliances Today s DDoS