[nsp-sec] Botnet takedown - Chinese SSH Brute Force
White, Gerard
Gerard.White at bellaliant.ca
Wed Apr 8 14:27:10 EDT 2015
Greetings.
It is nice to see a Tier 1 take some action to combat this blatant misuse of Internet communications.
BTW, some of the more notable devices that we have seen compromised by this activity included customers hosting Raspberry Pis with weak/default credentials.
GW
-----Original Message-----
From: nsp-security [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Wentworth, Brett
Sent: Wednesday, April 08, 2015 3:22 PM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] Botnet takedown - Chinese SSH Brute Force
----------- nsp-security Confidential --------
Just a heads up that Level 3 conducted a botnet takedown yesterday. Part of the activity of this botnet is extreme SSH brute force scanning. At one point throughout the previous 30 days we saw this comprising over 30% of the total global SSH traffic, so they aren't being subtle. The purpose of this notice is to hopefully persuade you all to take similar action at your border. Infected hosts we have seen communicating with the C2 will be forthcoming.
SSH Brute Force Scanning
43.255.190.0/23 (ASN: 4134 China Telecom, 36678 China Telecom, 26484 Hostspace)
43.255.190.0/24 (ASN: 4134 China Telecom, 36678 China Telecom, 26484 Hostspace)
C2:
103.240.140.152/32 (ASN: 62466 Telia, 6939 Hurricane Electric, 1299 Telia)
103.240.141.54/32 (ASN: 62466 Telia, 6939 Hurricane Electric, 1299 Telia)
103.240.141.50/32 (ASN: 62466 Telia, 6939 Hurricane Electric, 1299 Telia)
104.143.5.25/32 (ASN: 36114 Versaweb, 53340 Fiberhub, 2914 NTT)
Malware Hosting:
23.234.60.140/32 (ASN: 4134 China Telecom, 36678 China Telecom, 26484 Hostspace)
23.234.60.143/32 (ASN: 4134 China Telecom, 36678 China Telecom, 26484 Hostspace)
23.234.19.202/32 (ASN: 4134 China Telecom, 36678 China Telecom, 26484 Hostspace)
Further details can be found in the attached report (some of the IPs have changed but the behavior is the same):
http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html
https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html
Regards,
Level (3) Communications
Network Security Operations
Level3-SOC at level3.com
720.888.0012
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
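One way a receiving network could act on the notice, as an added example that is not part of the thread: a small Python script that matches sshd auth log lines against the prefixes listed above, reports sources exceeding a failed-login threshold, and flags any successful password login from a listed scanner, the weak/default-credential compromise pattern Gerard describes. The log excerpt and the threshold of 3 are constructed for the demonstration; the prefixes are exactly those in the notice.

```python
import ipaddress
import re
from collections import Counter

# Prefixes exactly as given in the Level 3 notice above (the /24 sits inside the /23).
SCANNERS = [ipaddress.ip_network(p) for p in ("43.255.190.0/23", "43.255.190.0/24")]
C2 = [ipaddress.ip_network(p) for p in (
    "103.240.140.152/32", "103.240.141.54/32", "103.240.141.50/32", "104.143.5.25/32")]
MALWARE_HOSTING = [ipaddress.ip_network(p) for p in (
    "23.234.60.140/32", "23.234.60.143/32", "23.234.19.202/32")]

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3})")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\d+(?:\.\d+){3})")

# Constructed sshd log excerpt for demonstration; not taken from the notice.
SAMPLE_LOG = """\
Apr  8 14:01:02 pi sshd[2101]: Failed password for pi from 43.255.190.17 port 51122 ssh2
Apr  8 14:01:03 pi sshd[2102]: Failed password for root from 43.255.190.17 port 51123 ssh2
Apr  8 14:01:04 pi sshd[2103]: Failed password for invalid user admin from 43.255.190.17 port 51124 ssh2
Apr  8 14:01:05 pi sshd[2104]: Failed password for invalid user oracle from 43.255.191.200 port 40001 ssh2
Apr  8 14:02:00 pi sshd[2110]: Failed password for gerard from 192.0.2.10 port 33333 ssh2
Apr  8 14:02:30 pi sshd[2111]: Accepted password for pi from 43.255.190.17 port 51130 ssh2
"""

def classify(ip):
    """Return which list from the notice an address falls in, or None."""
    addr = ipaddress.ip_address(ip)
    for label, nets in (("scanner", SCANNERS), ("c2", C2), ("malware_hosting", MALWARE_HOSTING)):
        if any(addr in n for n in nets):
            return label
    return None

def analyse(log_text, threshold=3):
    """Summarise sshd auth lines: sources at or over the failure threshold, sources
    on the notice's scanner list, and any successful password login from a listed
    scanner (the default-credential compromise pattern described in the thread)."""
    failures = Counter()
    accepted_from_scanner = []
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            failures[m.group(2)] += 1
        elif (m := ACCEPTED_RE.search(line)) and classify(m.group(2)) == "scanner":
            accepted_from_scanner.append((m.group(1), m.group(2)))
    return {
        "brute_force": {ip: n for ip, n in failures.items() if n >= threshold},
        "listed_sources": sorted(ip for ip in failures if classify(ip) == "scanner"),
        "accepted_from_scanner": accepted_from_scanner,
    }
```

The same `classify` check applied to flow or firewall logs finds hosts talking to the C2 and malware-hosting addresses, which is the "infected hosts" side of the notice.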