Security Posts

Infocon: green

Apple Patches Everything
Categories: Security Posts

BotenaGo Botnet Code Leaked to GitHub

Threatpost - 1 hour 5 min ago
The malware had already put millions of routers and IoT devices at risk, and now any noob can have at it.
Categories: Security Posts

Beers with Talos, Ep. #115: Everybody's measured by quarters — even threat actors

Cisco Talos - 2 hours 12 min ago
Beers with Talos (BWT) Podcast episode No. 115 is now available. Download this episode and subscribe to Beers with Talos: Apple Podcasts, Google Podcasts, Spotify, Stitcher. Recorded Jan. 14, 2022. If iTunes and Google Play aren't your thing, click here. We wanted...

[[ This is only the beginning! Please visit the blog for the complete entry ]]
Categories: Security Posts

Apple Patches Everything, (Thu, Jan 27th)

Trying something a bit new here. Please let me know if this works for you. Yesterday, Apple released security updates across its spectrum of operating systems. Apple tends to release these updates all at the same time. Because it targets enthusiasts and home users with its products, Apple leaves out many of the details that commercial/enterprise users look for. The table below is an attempt to help you identify which vulnerabilities affect which operating system, and how severe they are. There is no option to pick and choose which vulnerabilities to fix: each platform gets one update that fixes everything listed for it.

Noteworthy vulnerabilities:
  • CVE-2022-22587: The vulnerability has already been exploited in the wild (Apple is aware of a report of active exploitation).
  • CVE-2022-22594: IndexedDB same-origin policy violation. This vulnerability has been public for at least a week.

To indicate severity, I labeled vulnerabilities as:
  • Critical (red): Remote code execution (includes vulnerabilities that require a file download)
  • Important (yellow): Privilege escalation
  • Other (blue): Security feature bypass

Platforms covered by the table: Safari, Catalina, Big Sur, Monterey, tvOS, iOS, iPadOS, watchOS.

CVE-2022-22590 [critical] WebKit
  Affects: Safari, Monterey, tvOS, iOS, iPadOS, watchOS
  A use after free issue was addressed with improved memory management. Processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2022-22592 [other] WebKit
  Affects: Safari, Monterey, tvOS, iOS, iPadOS, watchOS
  A logic issue was addressed with improved state management. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.

CVE-2022-22589 [critical] WebKit
  Affects: Safari, Monterey, tvOS, iOS, iPadOS, watchOS
  A validation issue was addressed with improved input sanitization. Processing a maliciously crafted mail message may lead to running arbitrary JavaScript.

CVE-2022-22594 [critical] WebKit Storage
  Affects: (no platform marks in the table)
  A cross-origin issue in the IndexedDB API was addressed with improved input validation. A website may be able to track sensitive user information.

CVE-2022-22593 [important] Kernel
  Affects: Catalina, Big Sur, Monterey, tvOS, iOS, iPadOS, watchOS
  A buffer overflow issue was addressed with improved memory handling. A malicious application may be able to execute arbitrary code with kernel privileges.

CVE-2022-22579 [critical] Model I/O
  Affects: Catalina, Big Sur, Monterey, tvOS, iOS, iPadOS
  An information disclosure issue was addressed with improved state management. Processing a maliciously crafted STL file may lead to unexpected application termination or arbitrary code execution.

CVE-2022-22583 [important] PackageKit
  Affects: Catalina, Big Sur, Monterey
  A permissions issue was addressed with improved validation. An application may be able to access restricted files.

CVE-2021-30946 [other] Sandbox
  Affects: Catalina
  A logic issue was addressed with improved restrictions. A malicious application may be able to bypass certain Privacy preferences.

CVE-2021-30960 [important] Audio
  Affects: Big Sur
  A buffer overflow issue was addressed with improved memory handling. Parsing a maliciously crafted audio file may lead to the disclosure of user information.

CVE-2022-22585 [other] iCloud
  Affects: Big Sur, Monterey, tvOS, iOS, iPadOS, watchOS
  An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization. An application may be able to access a user's files.

CVE-2022-22587 [important] IOMobileFrameBuffer
  Affects: Big Sur, Monterey, iOS, iPadOS
  A memory corruption issue was addressed with improved input validation. A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

CVE-2022-22586 [important] AMD Kernel
  Affects: Monterey
  An out-of-bounds write issue was addressed with improved bounds checking. A malicious application may be able to execute arbitrary code with kernel privileges.

CVE-2022-22584 [critical] ColorSync
  Affects: Monterey, tvOS, iOS, iPadOS, watchOS
  A memory corruption issue was addressed with improved validation. Processing a maliciously crafted file may lead to arbitrary code execution.

CVE-2022-22578 [important] Crash Reporter
  Affects: Monterey, tvOS, iOS, iPadOS, watchOS
  A logic issue was addressed with improved validation. A malicious application may be able to gain root privileges.

CVE-2022-22591 [important] Intel Graphics Driver
  Affects: Monterey
  A memory corruption issue was addressed with improved memory handling. A malicious application may be able to execute arbitrary code with kernel privileges.
---
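As an added example (not part of the diary), here is a POSIX shell check a Mac admin can run across a fleet to decide whether a host already carries yesterday's update. The fixed version numbers are not stated in the diary; they are taken from Apple's release notes for the 26 January 2022 updates: macOS Monterey 12.2 and Big Sur 11.6.3. Catalina received "Security Update 2022-001", which does not change the product version, so it is flagged for a manual build-number check rather than guessed.

```shell
#!/bin/sh
# Added example (not from the ISC diary): classify a macOS host by whether it
# has the 26 Jan 2022 updates, judging from the `sw_vers -productVersion` string.
# Fixed versions (from Apple's release notes, not the diary): Monterey 12.2,
# Big Sur 11.6.3. Catalina's fix is "Security Update 2022-001", which leaves
# productVersion at 10.15.7, so Catalina cannot be judged from the version alone.

# vercmp A B: numeric, component-wise comparison of dotted versions.
# Prints -1, 0 or 1. A plain string comparison would rank 12.10 below 12.9.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    if [ "$a" = "$ai" ]; then a=""; else a=${a#*.}; fi
    if [ "$b" = "$bi" ]; then b=""; else b=${b#*.}; fi
    ai=${ai:-0}; bi=${bi:-0}        # missing trailing component counts as 0
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# patch_state VERSION: prints patched | vulnerable | check-build | unsupported.
patch_state() {
  v=$1
  case "$v" in
    12.*)
      if [ "$(vercmp "$v" 12.2)" -ge 0 ]; then echo patched; else echo vulnerable; fi ;;
    11.*)
      if [ "$(vercmp "$v" 11.6.3)" -ge 0 ]; then echo patched; else echo vulnerable; fi ;;
    10.15.*)
      echo check-build ;;   # Catalina: compare build number / installed updates instead
    *)
      echo unsupported ;;   # older macOS: no fix shipped in this round
  esac
}

# On a Mac, run: patch_state "$(sw_vers -productVersion)"
```

The numeric comparison matters because `softwareupdate` and MDM inventories hand you strings, and `12.2` must compare equal to `12.2.0` and above `12.1.1`; the Catalina branch exists so the script never reports a 10.15.7 host as "patched" on version alone.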
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter| (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

Shipment-Delivery Scams a Fav Way to Spread Malware

Threatpost - 3 hours 24 min ago
Attackers increasingly are spoofing the courier DHL and using socially engineered messages related to packages to trick users into downloading Trickbot and other malicious payloads.
Categories: Security Posts

Apple patches Safari data leak (oh, and a zero-day) – patch now!

Naked Security Sophos - 4 hours 14 min ago
That infamous "supercookie" bug in Safari has now been fixed. Oh, and there was a zero-day kernel hole as well.
Categories: Security Posts

How to Secure Your SaaS Stack with a SaaS Security Posture Management Solution

Threatpost - 5 hours 13 min ago
SaaS Security Posture Management (SSPM) has been named a must-have solution by Gartner. Adaptive Shield's SSPM solution gives security teams full visibility and control.
Categories: Security Posts

EyeMed agrees $600,000 settlement over 2020 data breach

Zero Day | ZDNet RSS Feed - 6 hours 6 min ago
The data of roughly 2.1 million individuals was exposed.
Categories: Security Posts

DevSecOps plan process

AlienVault Blogs - 7 hours 24 min ago
In the DevOps and DevSecOps Introduction, What is DevOps, we reviewed how our security teams overlay onto DevOps for visibility and increased security throughout the software lifecycle. This article explores DevSecOps during the planning phase of a project and why developers should be trained to protect the software they write from Free Open-Source Software (FOSS) risks and supply chain attacks.

Development's role in DevSecOps

Development teams with an Agile culture will be familiar with DevOps frameworks and with dealing effectively with rapid change. As developers work through user stories, they may look for FOSS that is useful and speeds up delivery of the story. DevSecOps collaboration with developers at this point helps protect user stories from the risks that come with FOSS and from supply chain attacks.

Free Open-Source Software (FOSS) risks

Arguably the most widely used FOSS is the Linux kernel, released in 1991 by Linus Torvalds. It is free to use, and its source code is publicly available. The copyleft license that covers Linux requires a developer who modifies and distributes parts of it to share the source code of those modifications. The two main categories of FOSS licenses are copyleft and permissive. Under a copyleft license the author keeps the copyright, and anyone who distributes the work, or a modified version of it, must make the corresponding source code available under the same terms. A developer in a private company who adds to or modifies copyleft-licensed software and ships the result could be forced to expose proprietary code or trade secrets. An example of a copyleft license is the GNU GPL v2, written by Richard Stallman. A permissive license gives the developer much more freedom when adding to or modifying the software and generally requires little in return. Some permissive licenses attach more requirements than others (attribution, for instance), but in general they are less risky for a business to combine with proprietary software. An example of a permissive license is the MIT License, created at the Massachusetts Institute of Technology. US courts have ruled in favor of FOSS authors when license terms were disputed, which is why an organization's security and compliance teams should publish a policy with an approved list of FOSS licenses. Developers should consult the security and compliance teams with further questions or requests for exceptions. That collaboration protects the company from having to release proprietary software, paying fines, or defending itself in litigation. Just as important, the same dependency review that keeps proprietary code clear of license violations also limits the risk of a supply chain attack.

Supply chain attacks

In 2020 the network monitoring company SolarWinds unknowingly distributed malicious software to its customers. It was a huge event that went unnoticed for months and exposed many well-known technology companies to the attackers. Evidence showed that malicious code was injected into the SolarWinds Orion software during the build process. When the new version was released, customers unknowingly granted the attackers access to their systems. Supply chain attacks occur when code the developers did not write (a FOSS dependency, a build tool, or a tampered build step) is included, accidentally or intentionally, in their own software during the build, and that code is malicious or contains vulnerabilities. Embedded in the release, the malicious software acts like a trojan horse: once installed by a user it activates and either waits for commands from its controller or performs pre-defined actions such as a ransomware attack, harvesting login credentials, or scanning the network for other systems to move to.
Below are some of the common ways supply chain attacks happen along with how DevSecOps can work with developer teams to prevent these during the planning process.
  • Compromised software updates – Software developers release patches and updates on a regular cadence. DevSecOps helps protect users by making sure developers only take updates from a valid, protected source and verify them (signature or pinned hash) before they enter the build.
  • Inherent defects in FOSS – FOSS is not immune to bugs, security flaws, and malicious actors. DevSecOps advises developers to pull FOSS from reputable public repositories and to check the version history and known-vulnerability advisories before adding a component to their builds.
  • FOSS download limitations – Many public repositories and registries cap the number of free downloads per day. A large development organization can exceed that cap quickly, which results in failed builds or a delayed production deployment. DevSecOps can provide private repositories and registries, under the business's control and without download limits, where developers store the FOSS they depend on.
  • Manual steps in a build and release process – Developers should plan their projects around automated build and release pipelines. Pipelines give DevSecOps a fixed place to run security scanning tools and to reject malicious or tampered components.
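The first and fourth bullets come down to one pipeline step: a third-party artifact is accepted only if it matches a hash pinned in the repository, and a build never silently falls back to an unpinned public download. The POSIX shell below is an added example written for this article, not code from AT&T/AlienVault or any project it names; `MIRROR` is a hypothetical internal registry used only in the error message, and the pin-file format (`<name> <version> <sha256>` per line) is assumed.

```shell
#!/bin/sh
# Added example, not from the article: a build step that accepts a third-party
# artifact only when its SHA-256 matches the hash pinned in the repository.
# MIRROR is a hypothetical internal registry, referenced only in the error text.
MIRROR=${MIRROR:-https://artifacts.example.internal}

# sha256_of FILE: hex digest, using coreutils on Linux or shasum on macOS/BSD.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_artifact FILE EXPECTED_SHA256: succeed only on an exact match.
verify_artifact() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "hash mismatch for $1: pinned $2, got $actual" >&2
  return 1
}

# check_pins PINFILE DIR: PINFILE holds one "<name> <version> <sha256>" per line
# (blank lines and '#' comments are ignored); each artifact is expected in DIR
# as <name>-<version>. Returns the number of artifacts missing or tampered, so
# a non-zero status fails the build instead of downloading something unpinned.
check_pins() {
  fails=0
  while read -r name ver sum; do
    case "$name" in ''|'#'*) continue ;; esac
    f="$2/$name-$ver"
    if [ ! -f "$f" ]; then
      echo "missing $f (fetch it from $MIRROR/$name/$ver, then pin its hash)" >&2
      fails=$((fails + 1))
      continue
    fi
    verify_artifact "$f" "$sum" || fails=$((fails + 1))
  done < "$1"
  return "$fails"
}

# Typical pipeline use: check_pins deps.pins vendor/ || exit 1
```

Pinning the hash rather than the version is what makes a compromised update (same version number, different bytes) fail the build; the pin file lives in the repository, so changing a hash is itself a reviewed code change.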
Licensing and supply chain attacks can expose business systems to serious risks and be very difficult to eliminate when embedded in a software release. Planning with DevSecOps helps software developers navigate the risks associated with FOSS and supply chain attacks. Next steps When planning is complete and developers begin coding their software, they need a secure place to store and protect their work.  The next article will cover how we secure repositories to protect the company’s proprietary code.
Categories: Security Posts

DeepDotWeb operator sentenced to eight years behind bars

Zero Day | ZDNet RSS Feed - 7 hours 31 min ago
The platform provided links to Dark Web marketplaces.
Categories: Security Posts

Konni remote access Trojan receives 'significant' upgrades

Zero Day | ZDNet RSS Feed - 8 hours 7 min ago
Researchers say the security community should keep a close eye on this malware strain.
Categories: Security Posts

Profession: "React Front-End Developer for Web Applications". The world wants fewer and fewer "I know a little about everything" profiles. #HackYourCareer

Un informático en el lado del mal - 10 hours 16 min ago
The world of technology has become much more professionalized. That professionalization, together with the appearance of an enormous volume of technologies, leads to specialization: an ever broader understanding of parallel technologies and ecosystems, and an ever deeper understanding of one specific discipline. As an example, when we created Singularity Hackers we documented 50 distinct roles and professions, with different levels of specialization, ranging from CSO to Security QA, through pentester, cyber-investigator in a CERT, Blue Team auditor, Red Team ethical hacker, forensic analyst and malware analyst in the CSIRT, and so on. Specialize to find the exact point where your skills are most valued, and where you can be a much better professional because you will enjoy it.

Figure 1: Profession: "React Front-End Developer for Web Applications". The world wants fewer and fewer "I know a little about everything" profiles.
This happens in every branch of technology today, and whenever I talk with someone to guide them in their professional career (something I am asked to do more and more), one thing I always tell them is to do something they enjoy. If you do something you don't like, you will never put in all the time needed to stop being "one more of the crowd" in that job. And this is especially true for programming and for DEVELOPERS. Being a good programmer today demands deep knowledge of one discipline area, because within a single area there is already a great deal to know.
A personal anecdote to illustrate this. In 1996, when I was 21 and had already started working, I was assigned to teach a course on Web Application Programming, and the entire universe you needed to know for that consisted of:
  • For the front end:
    • HTML 3.2 (with incomplete HTML 4 specifications that every browser implemented as it pleased)
    • JavaScript, fresh out of the oven, which worked in some browsers and poorly in others
    • Tools for graphics formats: GIF, GIF89a, JPG, image maps
  • For the back end:
    • Perl
    • PHP (at the time short for "Personal Home Page")
    • ASP
  • Databases:
    • SQL
And more or less with all of that, plus some knowledge of networking and Internet services, you signed up with an ISP and a hosting provider and built your .COM to make it big in the boom of the year 2000, where many who rode that wave succeeded and others not so much.
Today, to be a good Front-End Developer or a good Back-End Developer you must know other disciplines, and many of them. Design patterns have changed. We used to talk about programming reactive web pages, where the business logic ran when the user sent a request from the front end; then came Reactive Programming, understood as applications that had to communicate, could be distributed, and needed message-passing systems between them. Component-Oriented Programming accelerated the construction of this kind of application, and over time Reactive Applications with event- and message-driven business logic in the front end grew more popular, alongside the need for Real-Time apps that react both to client-side conditions and to service data arriving as streams. And the world keeps changing.
Figure 2: Desirable requirements in a Front-End Developer vacancy at Telefónica
In other words, from that technology stack that one person could know deeply enough to build a .COM, we have moved to an enormous level of specialization in every technology area. In the case of applications with a reactive front end this change has been far more significant. The care with which the interfaces are built has a huge impact on the business.
The business depends on their architectural decisions, the care taken with their code, and the optimization of their components. SEO, SEM, hyper-personalization, proper responsive behaviour across the different endpoints, and so on, are vital to whether a system works or not. Front-End Developers are the crown jewels, together with the User Experience and User Interaction team, in determining whether a web application works in its interaction with the customer. Without neglecting the importance of the back end, of course. But a great back end does not shine without a good front end, and a decent back end can look spectacular with a great front end.
Figure 3: Online Front-End Developer React BootCamp
They are highly sought-after professionals who need to know many technologies that have emerged in recent years since React arrived in 2013: the Redux library, frameworks such as Angular, the new GitHub-based workflows, Node apps, and the demands of continuous app deployment, where you must understand the DevOps and DevSecOps world, mocking tools for testing apps, and client-side and API attacks, and so on. In other words, very far from what was needed before.
If you have in mind starting a technology venture and you are going to have a responsive WebApp that is key to your business, you will need these specialists; and if you want to learn these technologies, you can take an Online Front-End React Developer BootCamp to get up to date with all of them. You will see that they are in high demand today. At Telefónica we always have openings for Front-End specialists, and in the Talento Tech area of GeeksHubs Academy you will find them too.
Figure 4: GeekJobs job offers at GeeksHubs Academy
So if you want your future to involve creating technology for services and/or webapps, get up to speed on the new technologies and pursue a deep specialization, because the technology world increasingly demands fewer "I know a little about everything" profiles.
¡Saludos Malignos!
Author: Chema Alonso (Contact Chema Alonso)


Follow Un informático en el lado del mal RSS 0xWord
- Contact Chema Alonso on MyPublicInbox.com
Categories: Security Posts

ISC Stormcast For Thursday, January 27th, 2022 https://isc.sans.edu/podcastdetail.html?id=7854, (Thu, Jan 27th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

Exposing FBI's Most Wanted Iran's Mabna Hackers - An OSINT Analysis

Dear blog readers,

In this post I've decided to share actionable intelligence on the online infrastructure of FBI's Most Wanted Iran's Mabna Hackers for the purpose of assisting everyone in their cyber attack and cyber threat actor attribution campaigns.

Domains:
mlibo[.]ml, blibo[.]ga, azll[.]cf, azlll[.]cf, lzll[.]cf, jlll[.]cf, elll[.]cf, lllib[.]cf,
tsll[.]cf, ulll[.]tk, tlll[.]cf, libt[.]ga, libk[.]ga, libf[.]ga, libe[.]ga, liba[.]gq,
libver[.]ml, ntll[.]tk, ills[.]cf, vtll[.]cf, clll[.]tk, stll[.]tk, llii[.]xyz, lill[.]pro,
eduv[.]icu, univ[.]red, unir[.]cf, unir[.]gq, unisv[.]xyz, unir[.]ml, unin[.]icu, unie[.]ml,
unip[.]gq, unie[.]ga, unip[.]cf, nimc[.]ga, nimc[.]ml, savantaz[.]cf, unie[.]gq, unip[.]ga,
unip[.]ml, unir[.]ga, untc[.]me, jhbn[.]me, unts[.]me, uncr[.]me, lib-service[.]com, unvc[.]me,
untf[.]me, nimc[.]cf, anvc[.]me, ebookfafa[.]com, nicn[.]gq, untc[.]ir, librarylog[.]in, llli[.]nl,
lllf[.]nl, libg[.]tk, ttil[.]nl, llil[.]nl, lliv[.]nl, llit[.]site, flil[.]cf, e-library[.]me,
cill[.]ml, fill[.]cf, libm[.]ga, eill[.]cf, llib[.]cf, eill[.]ga, nuec[.]cf, illl[.]cf,
cnen[.]cf, aill[.]nl, eill[.]nl, mlib[.]cf, ulll[.]cf, nlll[.]cf, clll[.]nl, llii[.]cf,
etll[.]cf, 1edu[.]in, aill[.]cf, atna[.]cf, atti[.]cf, aztt[.]tk, cave[.]gq, ccli[.]cf,
cnma[.]cf, cntt[.]cf, crll[.]tk, csll[.]cf, ctll[.]tk, cvnc[.]ga, cvve[.]cf, czll[.]tk,
cztt[.]tk, euca[.]cf, euce[.]in, ezll[.]tk, ezplog[.]in, ezproxy[.]tk, eztt[.]tk, flll[.]cf,
iell[.]tk, iull[.]tk, izll[.]tk, lett[.]cf, lib1[.]bid, lib1[.]pw, libb[.]ga, libe[.]ml,
libg[.]cf, libg[.]ga, libg[.]gq, libloan[.]xyz, libnicinfo[.]xyz, libraryme[.]ir, libt[.]ml, libu[.]gq,
lill[.]gq, llbt[.]tk, llib[.]ga, llic[.]cf, llic[.]tk, llil[.]cf, llit[.]cf, lliv[.]tk,
llse[.]cf, ncll[.]tk, ncnc[.]cf, nctt[.]tk, necr[.]ga, nika[.]ga, nsae[.]ml, nuec[.]ml,
rill[.]cf, rnva[.]cf, rtll[.]tk, sctt[.]cf, shibboleth[.]link, sitl[.]tk, slli[.]cf, till[.]cf,
titt[.]cf, uill[.]cf, uitt[.]tk, ulibe[.]ml, ulibr[.]ga, umlib[.]ml, umll[.]tk, uni-lb[.]com,
unll[.]tk, utll[.]tk, vsre[.]cf, web2lib[.]info, xill[.]tk, zedviros[.]ir, zill[.]cf

Sample URL structure for the rogue and fraudulent online phishing infrastructure for the campaign:
ezvpn[.]mskcc[.]saea[.]ga, library[.]asu[.]saea[.]ga, library[.]lehigh[.]saea[.]ga, moodle[.]ucl[.]ac[.]saea[.]ga,
saea[.]ga, unex[.]learn[.]saea[.]ga, unomaha[.]on[.]saea[.]ga, www[.]uvic[.]saea[.]ga,
catalog[.]lib[.]usm[.]edu[.]seae[.]tk, elearning[.]uky[.]edu[.]seae[.]tk, www[.]aladin[.]wrlc[.]org[.]seae[.]tk,
alexandria[.]rice[.]ulibr[.]ga, cmich[.]ulibr[.]ga, columbia[.]ulibr[.]ga, edu[.]edu[.]libt[.]cf,
ezproxy-authcate[.]lib[.]monash[.]ulibr[.]ga, login[.]revproxy[.]brown[.]edu[.]edu[.]libt[.]cf,
ezproxy-authcate[.]monash[.]lib[.]ulibr[.]ga, ezproxy-f[.]deakin[.]au[.]ulibr[.]ga, lib[.]dundee[.]ac[.]uk[.]ulibr[.]ga,
cas[.]usherbrooke[.]ca[.]cavc[.]tk, catalog[.]lib[.]ksu[.]edu[.]cavc[.]tk, isa[.]epfl[.]ch[.]cavc[.]tk,
login[.]vcu[.]edu[.]cavc[.]tk, www[.]med[.]unc[.]edu[.]cavc[.]tk, cas[.]iu[.]edu[.]cavc[.]tk,
ltuvpn[.]latrobe[.]edu[.]au[.]reactivation[.]in, passport[.]pitt[.]edu[.]reactivation[.]in,
edu[.]login[.]revproxy[.]brown[.]edu[.]libt[.]cf, shibboleth[.]nyu[.]edu[.]reactivation[.]in,
login[.]revproxy[.]brown[.]edu[.]login[.]revproxy[.]brown[.]edu[.]libt[.]cf,
weblogin[.]pennkey[.]upenn[.]edu[.]reactivation[.]in, webmail[.]reactivation[.]in,
www[.]ezlibproxy1[.]ntu[.]edu[.]sg[.]reactivation[.]in, www[.]ezpa[.]library[.]ualberta[.]ca[.]reactivation[.]in,
www[.]lib[.]just[.]edu[.]jo[.]reactivation[.]in, www[.]passport[.]pitt[.]edu[.]reactivation[.]in,
http://shib[.]ncsu[.]ulibr[.]cf/idp/profile/SAML2/POST/SSO,
www[.]shibboleth[.]nyu[.]edu[.]reactivation[.]in, www[.]weblogin[.]pennkey[.]upenn[.]edu[.]reactivation[.]in,
ezlibproxy1[.]ntu[.]edu[.]sg[.]reactivation[.]in, login[.]revproxy[.]brown[.]edu[.]libt[.]cf,
weblogin[.]umich[.]edu[.]lib2[.]ml, catalog[.]sju[.]edu[.]mncr[.]tk, ezpa[.]library[.]ualberta[.]ca[.]reactivation[.]in,
lib[.]just[.]edu[.]jo[.]reactivation[.]in, login[.]ezproxy[.]lib[.]purdue[.]edu[.]reactivation[.]in,
login[.]libproxy[.]temple[.]shibboleth2[.]uchicago[.]ulibr[.]cf, shib[.]ncsu[.]shibboleth2[.]uchicago[.]ulibr[.]cf,
shibboleth2[.]uchicago[.]shibboleth2[.]uchicago[.]ulibr[.]cf, singlesignon[.]gwu[.]shibboleth2[.]uchicago[.]ulibr[.]cf,
webauth[.]ox[.]ac[.]uk[.]shibboleth2[.]uchicago[.]ulibr[.]cf, edu[.]libt[.]cf, login[.]libproxy[.]temple[.]ulibr[.]cf,
shib[.]ncsu[.]ulibr[.]cf, singlesignon[.]gwu[.]ulibr[.]cf, webauth[.]ox[.]ac[.]uk[.]ulibr[.]cf,
library[.]cornell[.]ulibr[.]ga, login[.]ezproxy[.]gsu[.]ulibr[.]ga, shibboleth2[.]uchicago[.]ulibr[.]cf,
login[.]library[.]nyu[.]ulibr[.]ga, mail[.]ulibr[.]ga, webcat[.]lib[.]unc[.]ulibr[.]ga, www[.]ulibr[.]ga,
www[.]alexandria[.]rice[.]ulibr[.]ga, www[.]cmich[.]ulibr[.]ga, www[.]columbia[.]ulibr[.]ga,
www[.]ezproxy-authcate[.]lib[.]monash[.]ulibr[.]ga, www[.]ezproxy-authcate[.]monash[.]lib[.]ulibr[.]ga,
www[.]ezproxy-f[.]deakin[.]au[.]ulibr[.]ga, www[.]lib[.]dundee[.]ac[.]uk[.]ulibr[.]ga, www[.]library[.]cornell[.]ulibr[.]ga,
www[.]login[.]ezproxy[.]gsu[.]ulibr[.]ga, www[.]login[.]library[.]nyu[.]ulibr[.]ga,
auth[.]berkeley[.]edu[.]libna[.]ml, sso[.]lib[.]uts[.]edu[.]au[.]libna[.]ml,
bb[.]uvm[.]edu[.]cvre[.]tk, cline[.]lib[.]nau[.]edu[.]cvre[.]tk, illiad[.]lib[.]binghamton[.]edu[.]cvre[.]tk,
libcat[.]smu[.]edu[.]cvre[.]tk, login[.]brandeis[.]edu[.]cvre[.]tk, msim[.]cvre[.]tk,
libcat[.]library[.]qut[.]nsae[.]ml, www[.]webcat[.]lib[.]unc[.]ulibr[.]ga

Stay tuned!
Categories: Security Posts

Exposing Behrooz Kamalian's Ashiyane ICT Company - An OSINT Analysis

Dear blog readers,

I've decided to share with everyone some practical and actionable threat intelligence regarding members of the Ashiyane Digital Security Team, also known as Behrooz Kamalian's Ashiyane ICT Company, for the purpose of assisting everyone in their cyber attack and cyber threat actor attribution campaigns.

Name: Behrooz Kamalian
Postal address: Tajrish Sq, Fana Khosro St, Amir Salam Alley, No 22, Ashiyane ICT Company
Phone number: 22727284-5
Fax number: 22727283
email: nima.salehi@yahoo.com
Technical Handle: nic36928h37

Name: Behrooz Kamalian
email: nima.salehi@yahoo.com
Domain Name: ashiyane.ir
Legal Holder: Behrooz Kamalian
Postal address: Unit 28, Floor Seven, 36 Building, Daneshvar alley, Jamalzadeh St., Enghelab Sq., Tehran, IR 1336925748
Phone number: +98.2166935551
Fax number: +98.2166930577
Admin Contact: nic36928h37
Technical Contact: nic36928h37
Domain Name Server1: ns1.ashiyane.org
Domain Name Server2: ns2.ashiyane.org
Request Date: 29 December 2005
Last Verification: 21 September 2006

Reseller: Govah Tadbir Rayaneh
Postal address: Unit 1, 1st Floor, No.376, North Bahar St.
Phone number: +98 21 88849956-7
Fax number: +98 21 88307682
email: info@tadbir.ir
Categories: Security Posts

Profiling the Emotet Botnet C&C Infrastructure - An OSINT Analysis

Dear blog readers,

I've decided to share a recently obtained list of Emotet botnet C&C server IPs to give everyone the technical information needed to track down and monitor the botnet, and to assist where possible with cyber attack campaign attribution and cyber threat actor attribution.

Sample currently active Emotet botnet C&C server IPs:
hxxp://109[.]123[.]78[.]10, hxxp://66[.]54[.]51[.]172, hxxp://108[.]161[.]128[.]103, hxxp://195[.]210[.]29[.]237,
hxxp://5[.]35[.]249[.]46, hxxp://5[.]159[.]57[.]195, hxxp://206[.]210[.]70[.]175, hxxp://88[.]80[.]187[.]139,
hxxp://188[.]93[.]174[.]136, hxxp://130[.]133[.]3[.]7, hxxp://162[.]144[.]79[.]192, hxxp://79[.]110[.]90[.]207,
hxxp://72[.]18[.]204[.]17, hxxp://212[.]129[.]13[.]110, hxxp://66[.]228[.]61[.]248, hxxp://193[.]171[.]152[.]53,
hxxp://129[.]187[.]254[.]237, hxxp://178[.]248[.]200[.]118, hxxp://133[.]242[.]19[.]182, hxxp://195[.]154[.]243[.]237,
hxxp://80[.]237[.]133[.]77, hxxp://158[.]255[.]238[.]163, hxxp://91[.]198[.]174[.]192, hxxp://46[.]105[.]236[.]18,
hxxp://205[.]186[.]139[.]105, hxxp://72[.]10[.]49[.]117, hxxp://133[.]242[.]54[.]221, hxxp://198[.]1[.]66[.]98,
hxxp://148[.]251[.]11[.]107, hxxp://213[.]208[.]154[.]110, hxxp://192[.]163[.]245[.]236, hxxp://88[.]80[.]189[.]50,
hxxp://185[.]46[.]55[.]88, hxxp://173[.]255[.]248[.]34, hxxp://104[.]219[.]55[.]50, hxxp://200[.]159[.]128[.]19,
hxxp://198[.]23[.]78[.]98, hxxp://70[.]32[.]92[.]133, hxxp://192[.]163[.]253[.]154, hxxp://192[.]138[.]21[.]214,
hxxp://106[.]187[.]103[.]213, hxxp://162[.]144[.]80[.]214, hxxp://128[.]199[.]214[.]100, hxxp://69[.]167[.]152[.]111,
hxxp://46[.]214[.]107[.]142, hxxp://195[.]154[.]176[.]172, hxxp://106[.]186[.]17[.]24, hxxp://74[.]207[.]247[.]144,
hxxp://209[.]250[.]6[.]60, hxxp://142[.]34[.]138[.]90, hxxp://74[.]217[.]254[.]29, hxxp://212[.]48[.]85[.]224,
hxxp://167[.]216[.]129[.]13, hxxp://91[.]194[.]151[.]38, hxxp://162[.]42[.]207[.]58, hxxp://104[.]28[.]17[.]67,
hxxp://8[.]247[.]6[.]134, hxxp://5[.]9[.]189[.]24, hxxp://78[.]129[.]213[.]41, hxxp://184[.]86[.]225[.]91,
hxxp://107[.]189[.]160[.]196, hxxp://88[.]208[.]193[.]123, hxxp://50[.]56[.]135[.]44, hxxp://184[.]106[.]3[.]194,
hxxp://185[.]31[.]17[.]144, hxxp://67[.]19[.]105[.]107, hxxp://218[.]185[.]224[.]231

Related Emotet C&C server IPs known to have been involved in the campaign (in addition to the active IPs listed above):
103[.]201[.]150[.]209, 104[.]131[.]11[.]150, 104[.]131[.]208[.]175, 104[.]236[.]151[.]95, 104[.]236[.]246[.]93,
104[.]236[.]99[.]225, 105[.]224[.]171[.]102, 109[.]104[.]79[.]48, 109[.]73[.]52[.]242, 111[.]67[.]12[.]221,
112[.]72[.]9[.]242, 115[.]124[.]109[.]85, 115[.]71[.]233[.]127, 117[.]218[.]133[.]244, 125[.]99[.]106[.]226,
125[.]99[.]61[.]162, 128[.]199[.]78[.]227, 134[.]196[.]209[.]126, 136[.]243[.]177[.]26, 138[.]201[.]140[.]110,
138[.]219[.]214[.]164, 138[.]68[.]106[.]4, 142[.]4[.]198[.]249, 142[.]93[.]88[.]16, 144[.]139[.]247[.]220,
147[.]135[.]210[.]39, 149[.]62[.]173[.]247, 159[.]203[.]204[.]126, 159[.]65[.]241[.]220, 159[.]65[.]25[.]128,
162[.]144[.]119[.]216, 162[.]217[.]250[.]243, 162[.]243[.]125[.]212, 167[.]114[.]210[.]191, 169[.]239[.]182[.]217,
170[.]247[.]122[.]37, 173[.]212[.]203[.]26, 174[.]136[.]14[.]100, 175[.]100[.]138[.]82, 176[.]250[.]213[.]131,
176[.]31[.]200[.]136, 177[.]242[.]214[.]30, 177[.]246[.]193[.]139, 178[.]62[.]37[.]188, 178[.]79[.]161[.]166,
178[.]79[.]163[.]131, 179[.]14[.]2[.]75, 179[.]32[.]19[.]219, 179[.]40[.]105[.]76, 181[.]134[.]105[.]191,
181[.]15[.]180[.]140, 181[.]15[.]243[.]22, 181[.]16[.]127[.]226, 181[.]171[.]118[.]19, 181[.]189[.]213[.]231,
181[.]198[.]67[.]178, 181[.]231[.]72[.]200, 181[.]28[.]144[.]64, 181[.]28[.]248[.]205, 181[.]39[.]134[.]122,
181[.]48[.]174[.]242, 183[.]82[.]97[.]25, 185[.]129[.]93[.]140, 185[.]86[.]148[.]222, 185[.]94[.]252[.]27,
186[.]138[.]56[.]183, 186[.]144[.]64[.]31, 186[.]22[.]209[.]16, 186[.]23[.]146[.]42, 186[.]23[.]18[.]211,
186[.]4[.]167[.]166, 186[.]4[.]234[.]27, 186[.]83[.]133[.]253, 186[.]86[.]177[.]193, 187[.]149[.]41[.]205,
187[.]163[.]180[.]243, 187[.]163[.]222[.]244, 187[.]178[.]9[.]19, 187[.]188[.]166[.]192, 187[.]189[.]195[.]208,
187[.]242[.]204[.]142, 188[.]166[.]253[.]46, 189[.]180[.]84[.]115, 189[.]196[.]140[.]187, 189[.]209[.]217[.]49,
190[.]1[.]37[.]125, 190[.]102[.]226[.]91, 190[.]112[.]228[.]47, 190[.]113[.]233[.]4, 190[.]117[.]206[.]153,
190[.]145[.]67[.]134, 190[.]147[.]12[.]71, 190[.]186[.]203[.]55, 190[.]186[.]221[.]50, 190[.]189[.]112[.]116,
190[.]189[.]204[.]100, 190[.]19[.]42[.]131, 190[.]193[.]131[.]141, 190[.]230[.]60[.]129, 190[.]246[.]166[.]217,
190[.]25[.]255[.]98, 190[.]36[.]88[.]98, 190[.]55[.]39[.]215, 190[.]72[.]136[.]214, 190[.]97[.]10[.]198,
191[.]97[.]116[.]232, 195[.]242[.]117[.]231, 196[.]6[.]112[.]70, 197[.]211[.]244[.]6, 198[.]58[.]114[.]91,
200[.]107[.]105[.]16, 200[.]123[.]101[.]90, 200[.]24[.]248[.]206, 200[.]28[.]131[.]215, 200[.]32[.]61[.]210,
200[.]43[.]231[.]10, 200[.]57[.]102[.]71, 200[.]58[.]171[.]51, 200[.]58[.]83[.]179, 200[.]80[.]198[.]34,
200[.]85[.]46[.]122, 201[.]199[.]89[.]223, 201[.]212[.]24[.]6, 201[.]219[.]183[.]243, 201[.]220[.]152[.]101,
201[.]231[.]44[.]78, 201[.]238[.]152[.]20, 201[.]251[.]229[.]37, 201[.]252[.]229[.]169, 202[.]83[.]16[.]150,
203[.]25[.]159[.]3, 205[.]186[.]154[.]130, 206[.]189[.]98[.]125, 211[.]63[.]71[.]72, 212[.]71[.]234[.]16,
213[.]120[.]104[.]180, 216[.]98[.]148[.]136, 216[.]98[.]148[.]156, 217[.]113[.]27[.]158, 217[.]13[.]106[.]160,
217[.]92[.]171[.]167, 219[.]74[.]237[.]49, 222[.]214[.]218[.]136, 222[.]214[.]218[.]192, 225[.]153[.]252[.]228,
77[.]122[.]183[.]203

Stay tuned!
Categories: Security Posts

Exposing a Currently Active "Jabber ZeuS" also known as "Aqua ZeuS" Gang Personal Email Portfolio - An OSINT Analysis


Note: This OSINT analysis has been originally published at my current employer's Web site - https://whoisxmlapi.com where I'm currently acting as a DNS Threat Researcher since January, 2021.
Dear blog readers,

I've decided to share a recently obtained portfolio of personal emails belonging to the "Jabber ZeuS", also known as "Aqua ZeuS", gang members with the idea to assist everyone on their way to track down and monitor the botnet masters behind the botnet, including to assist in possible cyber attack campaign attribution, including possible cyber threat actor attribution campaigns.

Sample personal emails known to have been currently in use by the "Jabber ZeuS", also known as "Aqua ZeuS", gang:

donsft@hotmail[.]com
johnny@guru[.]bearin[.]donetsk[.]ua
t4ank@ua[.]fm
airlord1988@gmail[.]com
alexeysafin@yahoo[.]com
aqua@incomeet[.]com
bashorg@talking[.]cc
benny@jabber[.]cz
bind@email[.]ru
bx1@hotmail[.]com
bx1_@msn[.]com
cruelintention@email[.]ru
d[.]frank@0nl1ne[.]at
d[.]frank@jabber[.]jp
danibx1@hotmail[.]fr
danieldelcore@hotmail[.]com
demon@jabber[.]ru
duo@jabber[.]cn
fering99@yahoo[.]com
firstmen17@rambler[.]ru
getready@safebox[.]ru
notifier@gajim[.]org
gribodemon@pochta[.]ru
h4x0rdz@hotmail[.]com
hof@headcounter[.]org
i_amhere@hotmail[.]fr
jheto2002@gmail[.]com
john[.]mikle@ymail[.]com
johnlecun@gmail[.]com
kainehabe@hotmail[.]com
lostbuffer@gmail[.]com
lostbuffer@hotmail[.]com
mary[.]j555@hotmail[.]com
miami@jabbluisa[.]com
moscow[.]berlin@yahoo[.]com
mricq@incomeet[.]com
niko@grad[.]com
petr0vich@incomeet[.]com
princedelune@hotmail[.]fr
sector[.]exploits@gmail[.]com
secustar@mail[.]ru
sere[.]bro@hotmail[.]com
shwark[.]power[.]andrew@gmail[.]com
spanishp@hotmail[.]com
susanneon@googlemail[.]com
tank@incomeet[.]com
theklutch@gmail[.]com
um@jabbim[.]com
virus_e_2003@hotmail[.]com
vlad[.]dimitrov@hotmail[.]com

Stay tuned!
Categories: Security Posts

Profiling the Liberty Front Press Network Online - An OSINT Analysis

Note: This OSINT analysis has been originally published at my current employer's Web site - https://whoisxmlapi.com where I'm currently acting as a DNS Threat Researcher since January, 2021.

We’ve decided to take a closer look at the Internet-connected infrastructure of the Liberty Front Press Network, which was part of a recent takedown and domain seizure in an ongoing law enforcement operation against online propaganda, and to offer practical, relevant and actionable intelligence on that infrastructure and on the individuals behind it.

In this analysis we’ll take a closer look inside the Internet-connected infrastructure behind the Liberty Front Press Network and offer practical and relevant information, including actionable intelligence on its infrastructure and on the individuals behind it.

Figure: Sample screenshot of various related domain name registrations using WhoisXML API’s and Maltego’s integration.

Related domains known to have been currently registered using the same registrant email addresses as part of the Liberty Front Press Network Internet-connected infrastructure:

syriact-sy[.]com
darfikr[.]net
aminbaik[.]com
aminelzeintrading[.]com
khamenaei[.]com
shaghaaf[.]com
app-line[.]ir
alzouzougroup[.]com
trustmiddleeast[.]com
raha-travel[.]com
mg-sy[.]com
sinasibsalamat[.]com
ansar-allah[.]com
aletthadnews-iq[.]org
asiaquran[.]com
payamkherad[.]com
alavitile[.]com
mohseny[.]org
farhang-press[.]com
moshaver-sanati[.]ir
nsafari[.]ir
bpaorg[.]com
payamekherad[.]com
goshayesh[.]org
walifaqih[.]com
islamwilayah[.]com
walifaqih[.]info

Related malicious and fraudulent domains known to have been historically registered using the same email addresses:

nilenetonline[.]org
ansaroallah[.]org
hajez-sy[.]info
syriaalhadath[.]org
alwaienews[.]net
syriaalhadath[.]com
alwaght[.]net
alwaienews[.]com
ansaroallah[.]net
ansaroallah[.]info
farhang-press[.]com
navidplast[.]ir
iauaf[.]ir
nsafari[.]ir
sokhanetarikh[.]com
af[.]gl
mohajeronline[.]ir
yosin[.]org
mohajeronline[.]org
afghanistanema[.]ir
iranindia[.]org
imenhost[.]org
iuvmdaily[.]net
iuvmdaily[.]com
arab-now[.]com
aleppospace[.]com
harbi-media[.]com
ehsan-sy[.]org
truemedia-sy[.]com
syria-victory[.]com
scope-photos[.]com
u-roqayya[.]com
aminbaik[.]com
furatorder[.]com
alzouzougroup[.]com
darfikr[.]net
trustmiddleeast[.]net
eset-sy[.]com
darfikr[.]com
syriact-sy[.]com
souqsyria[.]com
alameensupport[.]com
ait-sy[.]com
shaghaaf[.]com
app-line[.]ir
afghanfeed[.]com
atlaspress[.]org
roushd[.]com
haghline[.]com
faryadmag[.]com
barchinews[.]com
pashtunews[.]com
reachpage[.]ir
darinews[.]com
raha-travel[.]com
sinasibsalamat[.]com
walifaqih[.]com
titisan[.]net
hpiiran[.]com
titisan[.]org
walifaqih[.]org
islamwilayah[.]com
mediaadil[.]com
syiahahlilbait[.]com
saintshepherd[.]com
walifaqih[.]info
newsaktual[.]com
hajez-sy[.]com
ansar-allah[.]com
online-traveler[.]com

Sample responding IPs for some of the domains known to have been historically registered using the same email
addresses:5[.]220[.]32[.]26104[.]31[.]90[.]232172[.]67[.]218[.]252185[.]202[.]92[.]26104[.]21[.]6[.]144104[.]28[.]15[.]223104[.]31[.]91[.]232104[.]27[.]191[.]22172[.]245[.]14[.]202172[.]67[.]155[.]39104[.]27[.]190[.]22104[.]21[.]11[.]89104[.]28[.]14[.]223199[.]59[.]242[.]150188[.]0[.]245[.]26172[.]67[.]165[.]178104[.]18[.]63[.]141104[.]27[.]174[.]61104[.]27[.]175[.]61104[.]31[.]95[.]165104[.]31[.]94[.]16595[.]217[.]63[.]156185[.]88[.]178[.]10494[.]130[.]129[.]4795[.]216[.]246[.]23246[.]166[.]182[.]56108[.]59[.]12[.]100198[.]71[.]232[.]3108[.]61[.]19[.]1218[.]197[.]248[.]23199[.]115[.]115[.]102172[.]93[.]194[.]60192[.]155[.]108[.]158199[.]115[.]115[.]119108[.]59[.]12[.]9846[.]166[.]182[.]5552[.]59[.]120[.]70108[.]59[.]12[.]101217[.]182[.]208[.]1085[.]79[.]68[.]109162[.]210[.]195[.]12346[.]166[.]182[.]5263[.]143[.]32[.]94172[.]93[.]194[.]61184[.]168[.]221[.]34108[.]61[.]19[.]1352[.]11[.]10[.]9052[.]40[.]118[.]22544[.]229[.]223[.]7434[.]211[.]213[.]227167[.]99[.]26[.]105185[.]26[.]105[.]24434[.]208[.]93[.]14852[.]43[.]21[.]052[.]8[.]174[.]6850[.]112[.]29[.]18934[.]214[.]135[.]4150[.]112[.]46[.]434[.]211[.]118[.]203209[.]251[.]26[.]166172[.]67[.]145[.]16679[.]143[.]85[.]44104[.]21[.]73[.]14688[.]198[.]13[.]8646[.]4[.]6[.]184104[.]18[.]40[.]203104[.]18[.]41[.]203172[.]67[.]131[.]105104[.]21[.]4[.]3138[.]201[.]142[.]15078[.]47[.]230[.]139104[.]27[.]154[.]187172[.]67[.]176[.]84104[.]27[.]155[.]187198[.]38[.]82[.]90127[.]0[.]0[.]1216[.]104[.]165[.]72209[.]251[.]26[.]169172[.]67[.]133[.]177104[.]21[.]5[.]179173[.]45[.]114[.]24104[.]28[.]12[.]91209[.]251[.]26[.]164104[.]28[.]13[.]91104[.]31[.]77[.]25347[.]91[.]170[.]222185[.]53[.]177[.]20104[.]31[.]76[.]253176[.]9[.]79[.]9188[.]198[.]56[.]139104[.]18[.]47[.]243104[.]18[.]46[.]243185[.]87[.]187[.]19852[.]213[.]114[.]86104[.]28[.]25[.]112212[.]83[.]172[.]150104[.]21[.]6[.]168172[.]67[.]135[.]11176[.]9[.]29[.]165104[.]28[.]24[.]112144[.]91[.]104[.]18134[.]102[.]136[.]18062[.]171[.]177[.]42192[.]64[.]10[.]106216[.]104[.]165[.]321
6[.]104[.]165[.]2208[.]67[.]23[.]136208[.]67[.]23[.]10134[.]224[.]160[.]149216[.]104[.]165[.]9072[.]1[.]32[.]168162[.]210[.]196[.]16737[.]48[.]65[.]15237[.]48[.]65[.]15437[.]48[.]65[.]155216[.]104[.]165[.]30109[.]201[.]135[.]45104[.]18[.]34[.]1055[.]79[.]68[.]107162[.]210[.]196[.]168199[.]115[.]116[.]216172[.]98[.]192[.]37104[.]21[.]88[.]4237[.]48[.]65[.]153172[.]67[.]172[.]76104[.]18[.]35[.]105172[.]67[.]208[.]182104[.]24[.]118[.]67208[.]91[.]197[.]46104[.]31[.]83[.]28172[.]67[.]152[.]252104[.]31[.]82[.]28104[.]21[.]49[.]222104[.]24[.]109[.]208104[.]24[.]108[.]208199[.]115[.]116[.]162162[.]210[.]196[.]17394[.]229[.]72[.]117104[.]21[.]51[.]13394[.]229[.]72[.]11595[.]211[.]187[.]100162[.]210[.]196[.]171188[.]165[.]44[.]21894[.]229[.]72[.]116104[.]24[.]119[.]6794[.]229[.]72[.]120216[.]104[.]165[.]12162[.]210[.]196[.]172104[.]28[.]30[.]7394[.]229[.]72[.]118172[.]67[.]180[.]16094[.]229[.]72[.]124104[.]24[.]97[.]17194[.]229[.]72[.]123104[.]24[.]96[.]171144[.]76[.]32[.]148104[.]28[.]31[.]73148[.]251[.]1[.]71109[.]201[.]135[.]71185[.]208[.]173[.]3109[.]201[.]135[.]3954[.]38[.]220[.]8596[.]47[.]230[.]67151[.]106[.]5[.]168108[.]61[.]19[.]11192[.]155[.]108[.]153162[.]210[.]196[.]166109[.]201[.]135[.]46151[.]106[.]5[.]173192[.]155[.]108[.]156151[.]106[.]5[.]165192[.]155[.]108[.]150151[.]106[.]5[.]164104[.]21[.]32[.]133172[.]67[.]152[.]55172[.]67[.]187[.]82104[.]21[.]72[.]204104[.]27[.]149[.]153104[.]27[.]148[.]153207[.]244[.]67[.]218208[.]67[.]16[.]254151[.]106[.]5[.]169192[.]155[.]108[.]15237[.]48[.]65[.]149151[.]106[.]5[.]170151[.]106[.]5[.]167192[.]155[.]108[.]151151[.]106[.]5[.]16337[.]48[.]65[.]150192[.]155[.]108[.]149192[.]155[.]108[.]15437[.]48[.]65[.]151192[.]155[.]108[.]147151[.]106[.]5[.]166151[.]106[.]5[.]174209[.]99[.]40[.]222156[.]67[.]211[.]180213[.]247[.]47[.]190104[.]31[.]82[.]19104[.]31[.]83[.]19104[.]247[.]81[.]1034[.]98[.]99[.]30173[.]239[.]8[.]164173[.]239[.]5[.]646[.]166[.]184[.]102104[.]247[.]82[.]1091[.]195[.]240[.]117176[.]9[.]85[.]197185[.]53[.]179[.]7
185[.]206[.]180[.]123185[.]53[.]178[.]10192[.]99[.]147[.]163107[.]150[.]52[.]242104[.]21[.]40[.]221104[.]18[.]49[.]253174[.]120[.]70[.]159172[.]67[.]157[.]38151[.]106[.]5[.]172208[.]67[.]23[.]31104[.]18[.]48[.]253192[.]155[.]108[.]157104[.]21[.]6[.]16066[.]152[.]163[.]75104[.]28[.]9[.]112172[.]67[.]135[.]3209[.]99[.]40[.]220192[.]155[.]108[.]15549[.]128[.]177[.]81156[.]67[.]211[.]189207[.]244[.]67[.]138109[.]201[.]135[.]6537[.]48[.]65[.]148104[.]28[.]8[.]1125[.]79[.]68[.]110104[.]28[.]21[.]230104[.]27[.]177[.]28172[.]67[.]154[.]209172[.]67[.]218[.]104208[.]67[.]23[.]36104[.]27[.]176[.]28104[.]21[.]6[.]86104[.]31[.]66[.]144104[.]21[.]10[.]32104[.]28[.]20[.]230172[.]67[.]189[.]22551[.]89[.]88[.]96104[.]31[.]67[.]14469[.]172[.]201[.]15369[.]172[.]201[.]20846[.]166[.]184[.]10452[.]128[.]23[.]15378[.]46[.]102[.]123176[.]9[.]43[.]40173[.]208[.]153[.]250174[.]128[.]248[.]231149[.]56[.]147[.]3988[.]198[.]48[.]179144[.]76[.]140[.]66150[.]95[.]255[.]38184[.]168[.]221[.]43104[.]28[.]15[.]51104[.]28[.]14[.]51202[.]150[.]213[.]60156[.]67[.]209[.]1585[.]159[.]233[.]35192[.]155[.]108[.]148104[.]27[.]130[.]254104[.]31[.]94[.]4154[.]92[.]251[.]72104[.]27[.]131[.]254104[.]21[.]75[.]92104[.]27[.]146[.]35104[.]21[.]39[.]77104[.]27[.]147[.]3585[.]159[.]233[.]60104[.]237[.]196[.]117207[.]244[.]67[.]214104[.]24[.]118[.]189104[.]24[.]119[.]189104[.]18[.]40[.]905[.]9[.]96[.]104136[.]243[.]19[.]695[.]216[.]77[.]5192[.]99[.]92[.]2172[.]67[.]217[.]163176[.]31[.]51[.]15451[.]254[.]232[.]56104[.]18[.]41[.]9054[.]37[.]218[.]50172[.]67[.]143[.]200209[.]251[.]26[.]162104[.]27[.]154[.]78172[.]67[.]206[.]116184[.]168[.]221[.]59104[.]27[.]155[.]78104[.]21[.]77[.]94We’ll continue monitoring the campaign and post updates as soon as new developments take place.Stay tuned!
Categories: Security Posts

Profiling Russia's U.S Election Interference 2016 - An OSINT Analysis


Note: This OSINT analysis has been originally published at my current employer's Web site - https://whoisxmlapi.com where I'm currently acting as a DNS Threat Researcher since January, 2021.

We’ve decided to take a closer look at the 2016 U.S. election interference carried out through several spear-phishing and malicious campaigns courtesy of Russia, for the purpose of offering actionable threat intelligence, including possible attribution clues for some of the known participants in this campaign, that may assist fellow researchers and law enforcement in tracking down and prosecuting the cybercriminals behind these campaigns.

In this analysis we’ll take a closer look at the Internet-connected infrastructure behind the U.S. Election 2016 campaign in terms of malicious activity and offer practical, relevant and actionable threat intelligence on their whereabouts.

Sample malicious and fraudulent C&C domains known to have participated in the U.S. Elections 2016 campaign:

linuxkrnl[.]net
accounts-qooqle[.]com
account-gooogle[.]com
accoounts-google[.]com
account-yahoo[.]com
accounts-googlc[.]com
accoutns-google[.]com
addmereger[.]com
akamainet[.]net
akamaivirusscan[.]com
apple-icloud-services[.]com
apple-notification[.]com
arabianbusinessreport[.]com
azamtelecom[.]com
babylonn[.]com
baengmail[.]com
boobleg[.]com
chinainternetservices[.]com
com-hdkurknfkjdnkrnngujdknhgfr[.]com
combin-banska-stiavnica[.]com
cvk-leaks[.]com
fb-security[.]com
g00qle[.]com
global-exchange[.]net
googlesetting[.]com
hlbnk[.]com
homesecuritysystems-sale[.]com
icloud-localisation[.]com
imperialc0nsult[.]com
informationen24[.]com
interglobalswiss[.]com
intra-asiarisk[.]com
invest-sro[.]com
iphone-onlineshopping[.]net
kur4[.]com
lastdmp[.]com
localisation-apple-icloud[.]com
localisation-apple-support[.]com
localisation-mail[.]com
login-163[.]com
login-kundenservice[.]com
magic-exchange[.]com
mail-apple-icloud[.]com
mailpho[.]com
malprosoft[.]com
medicalalertgroup[.]com
megafileuploader[.]com
mfadaily[.]com
mfapress[.]com
militaryexponews[.]com
msoftonline[.]com
myaccountgoogle[.]com
myaccountsgoogle[.]com
mydomainlookup[.]net
mypmpcert[.]com
net-a-porter-coupon[.]com
newiphone-online[.]net
newiphone-supply[.]net
newreviewgames[.]com
nobel-labs[.]net
nvidiaupdate[.]com
obamacarerx[.]net
onlinecsportal[.]com
pass-google[.]com
password-google[.]com
paydaytoday-uk[.]com
pb-forum[.]com
planetaryprogeneration[.]com
regionoline[.]com
security-notifications[.]com
service-facebook[.]com
servicesupdates[.]com
set121[.]com
set132[.]com
set133[.]com
sicherheitsteam-pp[.]com
sicherheitsteam-pp[.]net
skypeupdate[.]com
smp-cz[.]com
soft-storage[.]com
solutionmanualtestbank[.]com
ssl-icloud[.]com
team-google[.]com
techlicenses[.]com
techlicenses[.]net
ua-freedom[.]com
updates-verify[.]com
us-mg7mail-transferservice[.]com
us-westmail-undeliversystem[.]com
us6-yahoo[.]com
vatlcan[.]com
wordpressjointventure[.]com
ya-support[.]com
yandex-site[.]com
yepost[.]com

Related malicious and fraudulent emails known to have participated in the U.S. Elections 2016 campaign:

julienobruno@hotmail[.]com
jenna[.]stehr@mail[.]com
s[.]simonis@mail[.]com
domreg@247livesupport[.]biz
kumarhpt@yahoo[.]com
aksnes[.]thomas@yahoo[.]com
yingw90@yahoo[.]com
andre_roy@mail[.]com
myprimaryreger@gmail[.]com
okorsukov@yahoo[.]com
tzubtfpx5@mail[.]ru
annaablony@mail[.]com
jamesyip823@gmail[.]com
tmazaker@gmail[.]com
emmer[.]brown@mail[.]com
qupton@mail[.]com
adel[.]rice@mail[.]com
trainerkart2@gmail[.]com
cowrob@mail[.]com
direct2playstore@gmail[.]com
cffaccll@mail[.]com
drgtradingllc@gmail[.]com
jack2020@outlook[.]com
pdkt00@Safe-mail[.]net
david_thompson62@aol[.]com
distardrupp@gmail[.]com
perplencorp@gmail[.]com
spammer11@superrito[.]com
jilberaner@yahoo[.]de
snowyowl@jpnsec[.]com
asainchuk@gmail[.]com
OKEKECHIDIC@GMAIL[.]COM
abelinmarcel@outlook[.]fr
idesk[.]corp[.]apple[.]com@gmail[.]com
mutantcode@outlook[.]fr
pier@pipimerah[.]com
vrickson@mail[.]com
prabhakar_malreddy@yahoo[.]com

Sample related email known to have participated in the U.S. Elections 2016 campaign: jack2020@outlook[.]com

Figure: Sample Maltego graph of a sample malicious and fraudulent domain registrant known to have participated in the U.S. Election 2016 campaign.

Sample related domains known to have participated in the U.S. Elections 2016 campaign:

support-forum[.]org
oceaninformation[.]org
vodafoneupdate[.]org
succourtion[.]org
eascd[.]org
northropgruman[.]org
apple-iphone-services[.]com
localisation-security-icloud[.]com
applesecurity-supporticloud[.]com
icloud-iphone-services[.]com
icloud-id-localisation[.]com
apple-localisation-id[.]com
identification-icloud-id[.]com
cloud-id-localisation[.]com
support-security-icloud[.]com
identification-apple-id[.]com
localisation-apple-security[.]com
security-icloud-localisation[.]com
dabocom[.]com
quick-exchange[.]com
hygani[.]com
hztx88[.]com
sddqgs[.]net
qufu001[.]com
lutushiqi[.]com
gsctgs[.]com
tazehong[.]com
hthgj[.]com
kvistberga[.]com
bjytj[.]net
cqhuicang[.]com
softbank-tech[.]com
osce-press[.]org
maxidea[.]tw
sdti[.]tw
gmailcom[.]tw
zex[.]tw
gain-paris-notaire[.]fr
loto-fdj[.]fr
client-amzon[.]fr
idse-orange[.]fr
rgraduzkfghgd[.]com
jmhgjqtmhanoncp[.]com
stwdchstclovuzk[.]com
puxqtyrwzuzybgzehc[.]com
maatil[.]com[.]ng
surestbookings[.]com
asatuyouth[.]org[.]ng
hanna[.]ng
hostlink[.]com[.]ng
sirbenlimited[.]com
dce[.]edu[.]ng
eventsms[.]com[.]ng
krsbczmxwdsjwtizmx[.]com
alizirwzyjazurof[.]com
zslipanehule[.]com
cxotonspmjkxw[.]com
wpifmhyjkxyt[.]com
ngvsngpwdidmn[.]com
imperialvillas[.]com[.]ng
lipyhgpofsnifste[.]com
flexceeweb[.]com
fgfcpkdcnebgduls[.]com
shinjiru[.]us
supportchannel[.]net
couponofferte[.]com
psepaperindustrial[.]com
lakws[.]com
perplencorp[.]com
lbchemtrade[.]com
viaggibelli[.]com
liontitco[.]com
svendiamo[.]com
orogenicgroup[.]com
giudeviaggio[.]com
greenskill[.]net
siteseditor[.]net
e-mail-supports[.]com
biplen[.]com
infradesajohor[.]com
dealhot[.]net
suanmin[.]com
on9on9[.]com
accoutns-google[.]com
puroniq[.]com
sinqa[.]com
sadihadi[.]com
mrangkang[.]com
terumbu[.]com
phygitail[.]com
veraniq[.]com
potxr[.]com
icraw[.]com
thearoid[.]com
teempo[.]com
parblue[.]com
mydomainlookup[.]net
adrianvonziegler[.]net
zetindustries[.]com
researchs[.]com[.]ng
joymoontech[.]com
researchmaterials[.]com[.]ng
james823[.]com
oneibeauty[.]net

We’ll continue monitoring the campaign and post updates as soon as new developments take place.

Stay tuned!
Categories: Security Posts

Exposing a Currently Active Domain Portfolio Managed and Operated by Members of the Ashiyane Digital Security Team - An OSINT Analysis

Note: This OSINT analysis has been originally published at my current employer's Web site - https://whoisxmlapi.com where I'm currently acting as a DNS Threat Researcher since January, 2021.

We’ve decided to take a closer look at the current and historical domain portfolio managed and operated by members of Iran’s Ashiyane Digital Security Team, using Maltego in combination with WhoisXML API’s integration, for the purpose of providing actionable threat intelligence that assists fellow researchers, vendors and organizations in tracking down and monitoring the Internet-connected infrastructure of key members of the team, and in attempting to take it offline.

In this article we’ll provide actionable intelligence on some of the currently active domains managed, run and operated by Iran’s Ashiyane Digital Security Team, with the idea of assisting fellow researchers, vendors and organizations in tracking down and monitoring that infrastructure.

A list of currently active domains known to be managed and operated by members of Iran’s Ashiyane Digital Security Team:

life-guard[.]ir
sepahan-trans[.]ir
kashanit[.]ir
websazangroup[.]ir
namvarnameybastan[.]ir
ashiyane-ads[.]com
tamamkar-chalous[.]ir
padidehafagh[.]com
padideafagh[.]com
bahmanshahreza[.]com
vatanpaydar[.]com
pkpersian[.]net
xn--wgba3di6y7p[.]com
jonoobhost[.]net
mahmoudbahmani[.]ir
piremehr[.]ir
shahrepars[.]ir
3diamond[.]ir
mhdcard[.]com
ashiyanecrm[.]com
tabta2[.]com
ashiyane-bot[.]ir
projejob[.]ir
rizone[.]ir
iedb[.]ir
unmobile[.]ir
razmaraa[.]ir
tabrizigold[.]ir
galleryfirozeh[.]ir
foroozanborj[.]ir
unicornart[.]ir
rahnamayeiran[.]ir
iranhack[.]ir
shomalbeauty[.]ir
andishehig[.]ir
meelk[.]ir
tamamkar-sari[.]ir
namehybastan[.]ir
chemiiran[.]ir

A list of currently active domains known to have been registered, managed and operated by members of Iran’s Ashiyane Digital Security Team:

websazanco[.]ir
rahnamayeiran[.]ir
maz-laa[.]ir
esnikan[.]ir
foroozanborj[.]ir
royall-shop[.]ir
ashiyane[.]ir
chemiiran[.]ir
account-yahoo[.]com
arshiasanat-babol[.]ir
ashiyane-ads[.]com
jahandarco[.]ir
momtazbarbari[.]ir
pouyaandishan-mazand[.]ir
shomalbeauty[.]ir
tractorsazi[.]com
aleyaasin[.]com
farsmarket[.]com
englishdl[.]com
zproje[.]ir
projejob[.]ir
songdownload[.]ir
ashiyanesms[.]com
ihybrid[.]us
drsjalili[.]com
ashiyane[.]org
ashiyanecrm[.]com
ashiyanehost[.]com
ashiyanex[.]com
rasht-samacollege[.]ir
instapacks[.]ir
bahmanshahreza[.]com
shaahreza[.]com
shahrezanews[.]com
taktaweb[.]net
javannovin[.]com
padidehafagh[.]com
padideafagh[.]com
sahebnews[.]com
nasiri[.]info
taktaweb[.]org
bamemar[.]com
talakesht[.]com
sepahan-trans[.]ir
opencart5[.]ir
rasulsh[.]ir
kashanit[.]ir
facebooktu[.]com
life-guard[.]ir
pr0grammers[.]ir
lammer[.]ir
sepahantrans[.]ir
facecode[.]ir
iranhack[.]org
aryanenergy[.]org
khsmt-sabzevar[.]com
orveh[.]com
tipec[.]org
iranhack[.]ir
shantya3d[.]ir
razmaraa[.]ir
soroshland[.]ir
galleryfirozeh[.]ir
unicornart[.]ir
shahrepars[.]ir
3diamond[.]ir
ashiyane-bot[.]ir
mahmoudbahmani[.]ir
piremehr[.]ir
dcligner[.]com
tabta2[.]com
chipiran[.]org
ashiyanebot[.]ir
bnls[.]ir
lamroid[.]com
persiandutyfree[.]com
iran3erver[.]com
hivacom[.]com
irantwitter[.]com
persian-pasargad[.]com
chatafg[.]com
kasraprofile[.]com
gharnict[.]com
minachoob[.]com
gigmeg[.]com
shoka-chat[.]com
serajmehr[.]com
asrarweb[.]com
niazezamuneh[.]com
sana-mobile[.]com
rizone[.]ir
iedb[.]ir
unmobile[.]ir
progmans[.]com
design84u[.]com
istgah-salavati[.]com
iranhack[.]net
shantya3d[.]com
kamelannews[.]com
rangeshab[.]com
dihim[.]com
hdphysics[.]com
cgsolar[.]net
vahidelmi[.]ir
maincoretechnology[.]com
bastanteam[.]com
vvfa[.]com
Irsecteam[.]org

We’ll continue to monitor for new domain registrations courtesy of Iran’s Ashiyane Digital Security Team and we’ll post updates as soon as new developments take place.

Stay tuned!
Categories: Security Posts