We have decided to open up some of our indicators to the public. We know you're monitoring our blog, because we regularly look at our visitor stats and run additional reports, so there is interest in what we are doing. In addition, starting tomorrow our commercial feeds will be available to paid subscribers. Existing customers under contract will be grandfathered for the duration of their contracts.
For subscription information, please visit our labs page.
The purpose of this page is to provide awareness to individuals and organizations that are leaking information, including the information of their customers. The entities listed on this site are verified to be leaking personal information, sometimes without the company even being aware of it. SLC Security is now owned and operated by Jigsaw Security Enterprise. The transition is currently in process, and as such this blog will eventually be taken offline and merged with Jigsaw Security resources.
Thursday, April 30, 2015
Today's Mass Activity
BREACH: UC Berkeley Breached Again... Or still depending on your perspective...
We are honestly tired of reporting on this one. We let them know about problems at least twice, and I'm pretty sure the folks at databreaches.net have also notified them. It seems they just can't get things in order...
A look at our database shows they have been compromised for A WHILE:
This is the latest incident. Previously, activity was seen back in January and February, but those entries were removed after the infected systems were cleaned. Now they are back in the system again...
We will continue to monitor.
BREACH: Partners Healthcare System
Databreaches.net is reporting that Partners Healthcare System has reported that they have been the target of a phishing campaign. For more information see the original post here.
BREACH: DeCicco & Sons grocery store suffers data breach
A popular New York supermarket chain is reporting that customer payment card information has been compromised. Customers began noticing out of state charges on their credit cards shortly after shopping at the chain.
Tuesday, April 28, 2015
EARLIER REPORT CONFIRMED: See Mailing List for POS Malware Post
Subscribe to our news feeds mailing list for specifics on a new POS malware variant that we have tied to an earlier attack we detected in late March. The IP of that attack was 80.82.64.201, and since then we have been noting carding and point-of-sale malware activity tied to this address.
This is the same post that angered many security professionals, but as a recent government investigation shows, the incident has been confirmed. In addition, specific IOCs for the POS malware were released and specifically named the IP address listed in our previous post.
Saturday, April 25, 2015
Malicious Activity: University of Pennsylvania
On 4/25/2015 SLC Security Services LLC notified the University of Pennsylvania of a security issue with a host on their network. We will advise if we receive any response concerning the issue.
Malicious Activity: Harvard University
On 4/25/2015 SLC Security Services LLC notified Harvard of a security issue with a host on their network. We will advise if we receive any response concerning the issue.
Wednesday, April 22, 2015
SLC Security to Open Source ElasticMon
SLC Security Services LLC, as part of our security operations model, has announced the release of a Windows-based console for monitoring Elasticsearch instances for relevant security data. The platform will be posted to GitHub within the next few days. Its features include external command processing and plugin integration, which will allow security engineers to kick off jobs in analytics products and to pivot and cross-reference IOC data in near real time.
As a side benefit of opening up the product to the open source community, we are hoping that other users of this technology will also integrate with the platform, thanks to its native support for standards including CSV, STIX and XML, native NoSQL blob output, and SIEM integration.
Look for it, folks. We think you'll like it.
Tuesday, April 21, 2015
POSSIBLY BREACHED AGAIN: Univ of Utah - Are you guys still owned? Looks like it!
It looks like they are still having issues. While they haven't noted any breaches, we are pretty sure from what we have been seeing on our systems and sensors that they have a problem.
UPDATE: Within minutes of the report, the University of Utah began the process of researching this issue. Apparently this system is a research VM on their campus network.
ALERT: 43.255.0.0/16 Netblock Extremely Active and Noisy
We wanted to put out an alert that many of our sensors and clients are reporting inbound Dyreza-infected SMTP traffic and SSH scanning from this netblock. What's interesting is that the actors appear not to care how noisy they are. We highly recommend blocking the entire /16 netblock.
Monday, April 20, 2015
Dyre Hit - Bowling Green Municipal Utilities
We received several Dyre-infected email messages originating from Bowling Green Municipal Utilities, specifically from the IP address 208.80.211.35, over the last few days.
Sunday, April 19, 2015
BREACH: HSBC Finance Notifies Mortgage Customers of Data Breach
HSBC has informed New Hampshire's Attorney General of a compromise of some records of current and former mortgage customers of its HSBC Finance unit. HSBC Finance is a nonbank lender, formerly known as Household Finance, that HSBC bought in 2003. The bank is in the process of winding it down.
SOURCE: http://www.americanbanker.com/news/bank-technology/hsbc-finance-notifies-mortgage-customers-of-data-breach-1073803-1.html
Saturday, April 18, 2015
What we have seen in the last 24 hours
Our analysts have noted the following attacks in the last 24 hours. We are tracking 311,510 attacks on our sensors. Across our sensors we noted that: 6 financial organizations were compromised; 12 sites were infected with spyware; 4 medical institutions were compromised; 613 banks were attacked, but we saw no new compromises in the banking sector; 9 research organizations were seen attacking other infrastructure; and a total of 57 new attackers were identified in the last 24 hours.
Friday, April 17, 2015
20 Years Later SSH Brute Force Persist
For the past few weeks I have been looking at an old issue. You see, in 1995 I started an Internet service, and as soon as I started bringing servers online I noted that there were random SSH login attempts against our systems. Back then it was easy to block IP addresses and be done with it, but it's not that cut and dried today. With NAT, Apache name directives and web server naming conventions, a single IP address can host thousands of individual websites, and the chances of blocking a legitimate service are pretty high. But guess what? We don't care.
We have taken the stance that if we see your boxes behaving badly and you're not taking any action to resolve the situation, then we will block you from our systems and all systems that we manage. A quick check of our system indicates that we have 57 million indicators of attack or compromise. When we filter with ssh as a keyword, we noted that 255,096 hosts are currently on our blacklist for SSH brute-force attempts, and another 2.7 million are on the alert list for scanning. The 255,096 number may look small in the scale of things, but the originating sources are very interesting indeed.
The majority of the scanning activity being seen is coming from some predictable locations, including Asia/China, Russia and some locations in South America. In fact, 79% of the attacks on our sensors are from the listed locations.
Our top 5 locations seen brute forcing SSH accounts this past week:
1. China
2. Russia
3. Amsterdam
4. Venezuela
5. Turkey
What's interesting is that the attacks are noisy and easily detected, yet many network administrators continue to allow traffic from these locations. In an upcoming post we will be sharing a list of country blocks that should eliminate around 95% of the SSH scanning activity you will see on your networks.
One thing's for sure: SSH scanning will be here for many, many years to come. A solution is to eliminate interactive logins and utilize certificate-based login. This method allows you to collect information and be fairly certain that your systems won't be attacked in this manner. Adding two-factor authentication pretty much ensures that nobody will get by your SSH defense.
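Here is what that advice looks like in sshd_config, as an added example (not SLC's own configuration). It assumes OpenSSH 6.2 or newer for AuthenticationMethods, and the second-factor section assumes a PAM one-time-password module is already set up for sshd. Pick ONE of the three sections for a real server: sshd honours the first occurrence of a keyword, so stacking them in one file does not work.

```conf
# --- 1. Weak: what an untouched sshd_config commonly leaves enabled ---
# Interactive password logins are exactly what the brute forcers are guessing at.
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
MaxAuthTries 6

# --- 2. Hardened: key (or certificate) based login only, no interactive passwords ---
# A password guess now fails before any credential is checked, so the noise
# still shows up in the logs (useful for tracking sources) but cannot succeed.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# Root may only log in with a key; spelled "prohibit-password" from OpenSSH 7.0.
PermitRootLogin without-password
MaxAuthTries 3
LoginGraceTime 30
# Optional: restrict who can log in at all.
AllowGroups sshusers

# --- 3. Hardened plus second factor: a key AND a one-time code from PAM ---
# Assumes a PAM OTP module is configured for the sshd service; without it this
# section locks every user out, so test on a second session before closing the first.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam
PermitRootLogin no
MaxAuthTries 3
```

Reload sshd after editing and confirm with a fresh session that password prompts are gone before logging out of the session you edited from.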
Monday, April 13, 2015
Today's Attacks - Note the uptick in attacks from proxy servers
We are seeing a spike in attacks originating from proxy servers today. It seems that a recent post on some vulnerabilities at universities and campuses is fueling an attack frenzy. You can read the Data Breaches post on the activity here. In addition, we are seeing some attacks targeting medical facilities as well. This activity started around 4 PM EST earlier today.
Very soon we will be opening up our data sources to researchers so if you are on our research team or a trusted partner look for an email from the SOC with your login instructions.
Sunday, April 12, 2015
SPECIAL REPORT: The French Espionage Report
A special report is set for release this week. The report is only available to subscribers. We will take a detailed look at recent malware including Casper and some other very interesting findings that were recently discovered.
Friday, April 10, 2015
REPORT: Jefferson County Public Library (Active Hacking)
We have been monitoring activity on our sensors from Jefferson County Public Library, from IP 199.117.70.6, for most of the evening. The attacks are happening at multiple sensor locations, including Chicago and Texas as well as a sensor in the EU.
We have actively blocked this attacker in our customer systems and will update if we receive any additional information.
Wednesday, April 8, 2015
BREACH: Hackers who breached White House network allegedly accessed sensitive data
Russian-government hackers who reportedly breached the White House's computer systems late last year gained access to sensitive information, though US officials said at the time that they hadn't, according to a story published Tuesday by CNN.
Sources:
http://www.cnet.com/news/hackers-who-breached-white-house-network-allegedly-accessed-sensitive-data/
Tuesday, April 7, 2015
THEFT OF INFORMATION: UC Riverside
UC Riverside officials are notifying 8,000 graduate students and graduate applicants that their personal identity information is at risk.
A desktop computer stolen during a March 13 break-in at the campus' graduate division offices contained the Social Security numbers of the students and potential students. Officials said they had no evidence that the information has been used for identity theft, and they have no leads on who stole the computer.
SOURCE: http://www.pe.com/articles/information-764066-computer-lovekin.html
Monday, April 6, 2015
NEWS: FBI investigating two St Louis area attacks as hate crimes
The FBI is investigating whether hate crimes were committed during two St. Louis area attacks where suspects allegedly made reference to Ferguson, including the assault of former St. Louis Cardinals outfielder Curt Ford, investigators said Monday.
Both attacks happened in March, one involving a white victim and black attackers, the other a black victim attacked by a white man. The suspects in both cases allegedly made references to Ferguson, the St. Louis suburb at the center of racial strife since a white police officer in August fatally shot 18-year-old Michael Brown, who was black and unarmed.
FBI spokeswoman Rebecca Wu said the agency is looking into both cases for possible hate crimes. Anyone found guilty of a federal hate crime involving bodily injury could face up to 10 years in prison.
RECENT BRUTE FORCERS: You are blocking these right?!
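A blocklist like the one this post publishes holds rows of the form `ip,ssh-brute-force,YYYY-MM-DD`. The following is an added example (not SLC's code) of how such rows can be produced from your own sshd auth log: it parses constructed `Failed password` lines, flags any source with at least 5 failures inside a 10-minute sliding window (threshold and window are assumptions), and deliberately leaves slow, one-guess-an-hour sources alone so you can see what a fixed window misses.

```python
"""Flag SSH brute-force sources in sshd auth logs and emit blocklist rows.

Added example, not SLC Security's code.  SAMPLE_LOG is constructed; the
threshold and window in brute_force_sources() are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log lines in syslog format (no year, as in a real auth.log).
# 203.0.113.7 hammers six guesses in eight seconds; 198.51.100.5 is a user who
# typo'd once then logged in with a key; 192.0.2.9 guesses root once an hour.
SAMPLE_LOG = """\
Apr  6 02:14:01 gw sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr  6 02:14:03 gw sshd[4125]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Apr  6 02:14:05 gw sshd[4127]: Failed password for root from 203.0.113.7 port 51041 ssh2
Apr  6 02:14:06 gw sshd[4129]: Failed password for root from 203.0.113.7 port 51044 ssh2
Apr  6 02:14:08 gw sshd[4131]: Failed password for invalid user oracle from 203.0.113.7 port 51050 ssh2
Apr  6 02:14:09 gw sshd[4133]: Failed password for invalid user test from 203.0.113.7 port 51052 ssh2
Apr  6 02:20:00 gw sshd[4200]: Failed password for alice from 198.51.100.5 port 40010 ssh2
Apr  6 02:20:30 gw sshd[4202]: Accepted publickey for alice from 198.51.100.5 port 40011 ssh2: RSA SHA256:abc
Apr  6 03:00:00 gw sshd[4300]: Failed password for root from 192.0.2.9 port 33001 ssh2
Apr  6 03:59:00 gw sshd[4301]: Failed password for root from 192.0.2.9 port 33002 ssh2
Apr  6 04:58:00 gw sshd[4302]: Failed password for root from 192.0.2.9 port 33003 ssh2
Apr  6 05:57:00 gw sshd[4303]: Failed password for root from 192.0.2.9 port 33004 ssh2
Apr  6 06:56:00 gw sshd[4304]: Failed password for root from 192.0.2.9 port 33005 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year):
    """Return (timestamp, ip, user) tuples for every failed-password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated daemons are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["ip"], m["user"]))
    return out


def brute_force_sources(failures, threshold=5, window_seconds=600):
    """Map ip -> date for sources with >= threshold failures in one sliding window.

    A source that stays under the rate (e.g. one guess per hour) is not flagged,
    which is the trade-off of any rate-based rule; widen the window to catch it.
    """
    by_ip = defaultdict(list)
    for ts, ip, _ in failures:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = times[end].date()  # date of the attempt that tripped the rule
                break
    return flagged


def blocklist_rows(flagged):
    """Render 'ip,ssh-brute-force,YYYY-MM-DD' rows in the format this post uses."""
    return [f"{ip},ssh-brute-force,{d.isoformat()}" for ip, d in sorted(flagged.items())]


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG, 2015)
    for row in blocklist_rows(brute_force_sources(fails)):
        print(row)
```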
Colleges check for SQLi on your systems!
Honestly, for the past few months we have seen nothing but a rash of colleges and universities getting smacked with SQLi exploits. Test your servers, or I'm sure the hackers responsible for these attacks will test them for you.
We have at least 26 confirmed reports of breaches of which some have been reported and some have been brushed under the rug...
BREACH: Linux Australia
Linux Australia, a consortium in charge of organizing Linux conferences Down Under, acknowledged over the weekend it was breached by attackers who were able to secure access to one of its servers, and with it, potential user information.
The Dyre Wolf - IBM Report on Payment System Breach
According to IBM’s Security Intelligence division, a new threat to payments security has been discovered. Called “The Dyre Wolf,” the malware attack has already been used to transfer $1 million into the pockets of cybercriminals.
More information available via mailing list.
Sunday, April 5, 2015
BREACH: Recovery Sports Grill
Media is reporting that credit card data has been stolen from Recovery Sports Grill.
BREACH: Biggby Coffee Reports Breach
Media reports indicate that Biggby Coffee has been breached, with customer data stolen.
Biggby Coffee announced that personal information from some customers and job applicants might have been accessed after a company database was hacked, according to the Associated Press.
The data might include names, addresses, phone numbers, email addresses and employment history information, the report said. Biggby said no credit card information, bank account numbers, Social Security numbers nor driver's license numbers were accessed, the report said.
Saturday, April 4, 2015
Field Report: CVS POS
We are getting reports of issues with CVS POS systems. According to the anonymous report, they are having a system-wide issue.
Friday, April 3, 2015
Yesterday's Activity
We are testing out some new products. We thought we would share what we are seeing in our platforms.
MALWARE: Bank Credential Stealing via Malware (Subset of Report)
We have seen several reports today of this malware, with email subjects claiming to be from Equifax.
Attachment name: my_new_photo3482374823749823.zip
MD5: 71c6bffc6a959355b5d1fe6ca75fdaf3
Observed behaviour: the file executed a process and injected code into it while unpacking; it installs itself as an autorun item at Windows startup; it generates some ICMP traffic.
Wednesday, April 1, 2015
Targeted Phishing Emails Aimed at JP Morgan Customers - Specific details on the mailing list
Earlier today we put out some information on some targeted phishing we have been seeing on our network sensors and on some mail servers whose logs we have access to.
It seems this is an ongoing issue since at least the 18th of March.
Additional Information:
http://sanesecurity.blogspot.com/2015/03/jp-morgan-access-secure-message-Elwood-Ritter.html
BREACH: FBI, IRS and Bradley University investigating data breach leaving thousands vulnerable
PEORIA, Ill. -- A cyber data breach at Bradley University means thousands of people are vulnerable to identity theft. An investigation by the FBI and IRS is on-going at Bradley University. The data of thousands of employees and their families are at risk.
Bradley University officials say investigators found malware on two university computers. Those computers had access to personal information for about 4700 current and former employees and potentially their families.
Note: This is not surprising given the number of universities that have been hacked over the last several months, mostly via SQL injection according to what has been reported on Twitter, in reports and in disclosures. We have been reporting on some of the ones that we detected, as have some other sites.