Sunday, February 22, 2015

Theory: Utilizing Porn Sites to Infect and Gain Access - Gov Connection or Bad Guys?

Over the course of the last few days we have been seeing a ton of traffic being exfiltrated to 101 Ave of the Americas, 10th Floor (registrations in Whois and through some other utilities in our stack). When checking these hosts it appears as though they are mostly porn hosting and cloud computing machines. As we researched further we started finding certificates with strange references to legitimate government organizations.

Would these people be so stupid as to use real certificates on fake sites to collect data from suspects and users? In addition, these same nodes are Tor exit nodes, meaning that traffic on Tor could be sniffed as it exits the network.

A little more research is needed, but it appears as though some of these hosts are being disguised, albeit poorly, to look like porn sites and other web servers when in fact their true purpose is not known. One IP that is sticking out in the ordeal is 37.139.6.7. This IP is showing up in all sorts of indicators and is also being picked up by multiple sensors on the Internet as Tor, malicious, SSH attacking, etc., etc.

Due to the nature of the businesses being attacked from this IP and a few others that we are not currently disclosing, it appears as though this is a concerted effort to get into the infrastructure of some heavy industries, including healthcare, communications companies as well as intelligence providers.

We will be keeping an eye on this and will let you know if anything changes, as we are monitoring for any traffic to these hosts and alerting our SOC to review immediately.
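The kind of watchlist check described above, as an added example rather than anything from the original post: it parses a constructed key=value flow log, aggregates every internal host that talked to a watched address, and grades the pair for SOC review, treating a large outbound byte count as possible exfiltration. The only indicator on the watchlist is 37.139.6.7 from the post; the log format, the internal addresses and the byte threshold are assumptions.

```python
import re
from collections import defaultdict

# Indicator from the post; the other addresses were not disclosed, so add them as they become known.
WATCHLIST = {"37.139.6.7"}

# Outbound volume to a watched IP above which a contact is graded "high" (assumed threshold).
EXFIL_BYTES = 1_000_000

# Constructed sample of a simple key=value flow log; not real traffic.
SAMPLE_LOG = """\
2015-02-22T10:01:00Z src=10.0.0.5 dst=37.139.6.7 dport=443 bytes_out=1200 bytes_in=300
2015-02-22T10:01:05Z src=10.0.0.5 dst=93.184.216.34 dport=443 bytes_out=800 bytes_in=9000
2015-02-22T10:02:10Z src=10.0.0.5 dst=37.139.6.7 dport=443 bytes_out=2500000 bytes_in=400
2015-02-22T10:03:00Z src=10.0.0.9 dst=37.139.6.7 dport=22 bytes_out=0 bytes_in=0
2015-02-22T10:04:00Z src=10.0.0.9 dst=37.139.6.7 dport=22 bytes_out=0 bytes_in=0
"""

FLOW_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_flow(line):
    """Parse one log line into a dict; numeric values become ints. Returns None on no match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for pair in m.group("kv").split():
        key, _, val = pair.partition("=")
        rec[key] = int(val) if val.isdigit() else val
    return rec


def find_watchlist_contacts(log_text, watchlist=WATCHLIST, exfil_bytes=EXFIL_BYTES):
    """Aggregate flows per (internal host, watched IP) and return one graded alert per pair."""
    stats = defaultdict(lambda: {"connections": 0, "bytes_out": 0, "ports": set(), "first_seen": None})
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if not rec or rec.get("dst") not in watchlist:
            continue  # only outbound contact with a watched address matters here
        s = stats[(rec["src"], rec["dst"])]
        s["connections"] += 1
        s["bytes_out"] += rec.get("bytes_out", 0)
        s["ports"].add(rec.get("dport"))
        s["first_seen"] = s["first_seen"] or rec["ts"]
    alerts = []
    for (src, dst), s in sorted(stats.items()):
        severity = "high" if s["bytes_out"] >= exfil_bytes else "medium"
        alerts.append({"src": src, "dst": dst, "severity": severity, "connections": s["connections"],
                       "bytes_out": s["bytes_out"], "ports": sorted(s["ports"]), "first_seen": s["first_seen"]})
    return alerts


if __name__ == "__main__":
    for alert in find_watchlist_contacts(SAMPLE_LOG):
        print(alert)
```

The two alerts it raises for the sample are the host that pushed 2.5 MB to the watched IP over 443 (high) and the host that only touched it on port 22 (medium).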
