Thursday, July 23, 2015

Potentially Breached Entities (From Sensor Data) - 7-23-2015 6:44PM EST

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their networks under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list contains the bad entities for the last 24 hours. Our volunteers have detected the following attackers:

  • doa.la.gov - Confirmed breached
  • bonescan.bidmc.harvard.edu - Confirmed breached

We have previously reported on Harvard and now they are serving up APT29 malware samples. I would seriously hope they start to contain their incidents or we will be forced to start blocking them via DNS at client sites. 


UPDATE:
It appears as though doa.la.gov has removed the infected file and bonescan.bidmc.harvard.edu has been removed from DNS records, so it's no longer accessible.

Tuesday, July 21, 2015

Potentially Breached Entities (From Sensor Data) - 7-21-2014 11:19PM EST

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their networks under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list contains the bad entities for the last 24 hours. Our volunteers have detected the following attackers:

  • University of California - San Diego, CA (Multiple Systems Detected)
  • Duluth Holiday Inn Gwinnett (Still owned)

An interesting note is that there is a node with reverse DNS of fbi-vps hosted in the data center of Data Shack in North Kansas City, MO. It was also seen by 3 other companies in the last 24 hours according to our stats.

Wednesday, July 15, 2015

Potentially Breached Entities (From Sensor Data) - 7-15-2014 2:59 (M EST

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their networks under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list contains the bad entities for the last 24 hours. Our volunteers have detected the following attackers:

  • Concord Consortium - Concord, MA
  • American Credit Card - Huntington, NY
  • Atlas Professional Services - Tampa, FL
  • Grand Plaza Owners LLC - Plano, TX

We have not notified the individual companies, but we have archived the logs if needed.

Tuesday, July 14, 2015

BREACHED: University of Maryland Serving up CVE-2015-5119??? I sure hope not! - UPDATED

An analyst reported to us today that University of Maryland is serving up exploits for CVE-2015-5119. That's not good, but we have alerted to University of Maryland issues in the past. Looks like somebody else has been inside for a while now.

I haven't personally looked into this but I trust my source.

Update: After I found a few minutes to review, this is in fact infected. Notifying University of Maryland to see if we can get a response.

UPDATE: It looks like they have removed the malicious SWF file from their servers as of 2:20PM EST.


Potentially Breached Entities (From Sensor Data) - 7-14-2014 1:32 AM EST

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their networks under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list contains the bad entities for the last 24 hours. Our volunteers have detected the following attackers:

  • American Industrial Partners - New York
  • Micro-Globe ITS - Raleigh 


Well that's all for today... Hope you're all having a great work week!

Saturday, July 11, 2015

MISP Server Coming Online

With our ongoing integration of the "Jigsaw" IOC platform, we wanted to let you know that we are in the process of standing up a production MISP instance. This will allow us to share our threat intelligence directly with other Intelligence Providers (IPs) in the industry.

The decision to build a MISP server is a direct result of requests from some clients that are already using the platform for generating their own custom threat intelligence. Below is a list of all of the methods for communicating with our Jigsaw platform.

  • CSV updates from our TIP server - Conventional Download
  • XML update from our TIP server - Conventional Download
  • Elasticsearch IOC Search Interface (Requires an API account)
  • MISP Instance (Coming online now)
  • JIGSAW-DC - A big data platform utilizing Hadoop and other BD technologies

In addition, our IOCs are currently being provided by email to select customers from our Alertfeeds mailing list. For more information or a trial of any of our services, please contact us.

Tuesday, July 7, 2015

Note: Hackedteam MD5 Hashes

There are over 500 MD5 hashes that have been determined so far in regard to the Hacking Team (a.k.a. Hacked Team) disclosure. We have posted them in our client portal for review and have sent some of the most frequently used infection vectors to selected partners.

To obtain the full list, please sign up for our TIP at http://www.slcsecurity.com/ and click on free trial.

Monday, July 6, 2015

Caltech - What are you guys doing? - California State Polytechnic University - Pomona (CSPUP)

Looks like 134.71.81.34 is having some fun really trying to get into our shared resources without authorization. If you want an account, do like everybody else and go to www.slcsecurity.com and sign up. Thank you, and hopefully you guys are not owned or maliciously trying to gain access to our network.


Potentially Breached Entities (From Sensor Data) - 7-6-2014 2:20 AM EST

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their networks under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list contains the bad entities for the last 24 hours. Our volunteers have detected the following attackers:

  • Kenrick-Glennon Seminary - Indications of Compromised Host - Multiple Sensors and Email Traffic

Sunday, July 5, 2015

Potentially Breached Entities (From Sensor Data) - 7-5-2014 3:11 AM EST

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their networks under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list contains the bad entities for the last 24 hours. Our volunteers have detected the following attackers:

  • Atlas Professional Services - Florida - Brute Force and Scanning Activity
  • American Credit Card - Comenity
  • Global A Products Incorporated

Plus the usual chatter from Amazon Hosting, Shodan, etc. We really wish these entities would start to remove malicious clients from their networks.

Saturday, July 4, 2015

Potentially Breached Entities (From Sensor Data) - 7-4-2014 2:21 AM EST

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their networks under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list contains the bad entities for the last 24 hours. Our volunteers have detected the following attackers:

  • KM HOMES LLC - 74.11.11.66 - Seen attacking external networks
  • University of Michigan College of Engineering - 141.212.122.66 - Reported multiple times (No action taken)

Analyst Note: Please note that the Univ of Michigan has been reported at least 20 times and they have not stopped the activity. If they don't care about being on blacklists and about their end users not being able to access Internet resources, then we don't care if they are breached. We have attempted to help them resolve their issues on numerous occasions; however, they continue to deny they have any issue. You can lead a cow to water but they don't drink milk! (makes about as much sense as the responses we have received).

UPDATE: Apparently the Univ of Michigan thinks it's OK to scan hosts. Some further review of the IP in question shows that the IP is a research scanning system. So that being said, they are not breached; however, they are definitely not good Netizens with the mass scanning. A review of logs indicates that the Univ of Michigan is scanning web servers for vulnerabilities and some other very nasty behavior.


SLC Security Services LLC operates honeypot and inline sensors located in 74 locations. Our OSINT-X platform collects data and is available in our paid feed products. For more information visit www.slcsecurity.com.


Wednesday, July 1, 2015

BREACH: Univ of Michigan 2nd Notification - UPDATED

Pay attention, because we are seeing traffic from the Univ of Michigan as well as Horizon's Church in Michigan. They still appear to have issues. We previously posted that ISIS was cyber targeting Univ of Michigan, and this host we are seeing has had activity for most of the month of June.

Host: 199.101.99.146

Analyst Notes: A quick review shows that this entity is on a number of blacklists. In addition, SANS distributed sensors have seen 275 incidents of activity from this host. SLC Security has logged 1104 events in the last 7 days from this host.

BREACH: Holiday Inn Express Malvern

This location is breached and has been for a while... Again, don't say we didn't tell ya! Our threat intelligence data shows that they have been attacking others for over a month now.

Harvard Breach - What did we see? - UPDATED

So it has been reported by news media this evening that Harvard has once again fallen to hackers. Security researcher and advocate databreaches.net contacted us to pass along the news article.

http://www.thecrimson.com/article/2015/7/2/harvard-it-security-breach/

So what did we know and when did we know it?

SLC Security Services LLC started seeing Dyre emails flowing through our sensor network on 21 June 2015. We posted a message about it on the Vulnerable Disclosures Blog (which is staffed by our cybersecurity volunteers) on the 24th of June when we noticed the activity did not stop. Below is a screenshot of our original message:


Our sensors started seeing millions of email messages containing Dyre malware being sent out to many other systems.

This traffic started on the 21st of June late in the evening. On the 22nd we saw several dumps of Harvard email addresses on Pastebin, and additional data on the 23rd and 24th. By the 25th the systems were scanning Internet hosts and attempting to hack into other systems (which we monitor and maintain).


Hopefully they can find a reputable security firm to secure their infrastructure. This makes at least 3 breaches since we really started paying attention to Harvard.

To be fair to all monitoring the situation, CrowdStrike detected the activity on the 22nd of June as well and attributed the attack to Gothic Panda actors. Whether that is in fact the case remains to be seen.

Media Coverage:
https://threatpost.com/june-harvard-breach-hit-multiple-schools/113601

Upon researching, it appears as though there may have been as many as 13 schools affected. In addition, the personal login information from third-party accounts may have also been compromised, as we are seeing indications that some students' personal email accounts have also been leaked in the same time frame. - Additional research performed on historical data on 3 July 2015.

Don't fall victim to breaches. Email our SOC at soc(a-t)slcsecurity(dot)com and request a free 30 day trial of our threat intelligence platform today. We offer insights into breaches, and in many cases we can tell entities are breached before they even notice it. SLC Security Services LLC operates a vast network of Intrusion Detection Sensors on the Internet, private networks and at select Internet Service Providers. For more information on our services visit www.slcsecurity.com today.