Hackin9

How to 'hacker-proof your employees
Computerworld Australia
If you're a CTO or a network admin, you've probably memorised some of the basics of network security. Have lots of well-configured firewalls and IDS/IPS devices. Use switches instead of hubs. Make sure everyone uses complex passwords and make sure ...

and more »
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

This isn't something new, but I think it is often overlooked: "slow and low" password brute forcing.

One of the daily reports I like to look at is password brute force attempts. more or less "forever", A few networks stick out in these daily reports. The password brute force attempts are not particularly agressive, with usually less then 10 attempts per day from any particular IP address. The other odd thing is that the accounts being brute forced don't exist, which a heave focus on "@hotmail.com" accounts. 

By far the most agressive network is 193.201.224.0/22,"Besthosting" in the Ukraine, followed by an other Ukraining network, 91.207.7.0/24 (Steephost). 

The top brute forced domains:

    gmail.com
    outlook.com
    zfymail.com < - this domain is associated with many bots/spam messages.
    hotmail.com

end isn't perfectly clear as the accounts don't exist, and the attempts are not very aggressive (maybe to avoid getting locked out?). 

Anybody observing similar attacks and able to figure out what they are after?

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

In late May, an international law enforcement effort disrupted the Gameover Zeus (GoZ) botnet, a network of compromised computers used for banking fraud.

The operation also hobbled a secondary, but equally important cyber-criminal operation: the Cryptolocker ransomware campaign, which used a program distributed by the GoZ botnet to encrypt victims' sensitive files, holding them hostage until the victim paid a fee, typically hundreds of dollars. The crackdown, and the subsequent discovery by security firms of the digital keys needed to decrypt affected data, effectively eliminated the threat from Cryptolocker.

Yet, ransomware is not dead, two recent analyses have found. Within a week of the takedown of Gameover Zeus and Cryptolocker, a surge of spam with links to a Cryptolocker copycat, known as Cryptowall, resulted in a jump in ransomware infections, states a report released last week by security-services firm Dell Secureworks. Cryptowall first appeared in November 2013, and spread slowly, but the group behind the program were ready to take advantage of the vacuum left by the downfall of its predecessor.

Read 10 remaining paragraphs | Comments

 

Ranum Q&A with Renee Guttmann: Thriving in the CISO role
TechTarget
Renee Guttmann: InfoSec issues, for most great companies, have risen to a level that deserve the board of directors' attention. It is an ever-changing landscape, including maliciously motivated groups ranging from organized crime, nation-states and ...

 
Internet Storm Center Infocon Status