Information Security News
Recently I ran across a tweet from Packet Watcher @jinq102030 (https://twitter.com/jinq102030/status/756476442590842880) to keep an eye on HTTP error code 522 for possible malware check-ins. 522 code could mean several things, but as for IR its a potential malicious host has been pulled offline and you have a client still trying to connect. So I got our Intern to check bro logs and see what he could find.">
zcat http* | bro-cut ts id.orig_h id.resp_h host status_code | awk $5 == 522">">1467159441.247406 220.127.116.11 18.104.22.168 - 522
1467160356.407366 22.214.171.124 126.96.36.199 - 522
1467161271.647320 188.8.131.52 184.108.40.206 - 522
1467163102.087490 220.127.116.11 18.104.22.168 - 522
1467164017.337316 22.214.171.124 126.96.36.199 - 522
1467164932.547084 188.8.131.52 184.108.40.206 - 522
1467182323.201685 220.127.116.11 18.104.22.168 - 522
1467183238.447046 22.214.171.124 126.96.36.199 - 522
1467184153.641505 188.8.131.52 184.108.40.206 - 522
1467185068.903194 220.127.116.11 18.104.22.168 - 522
There was other traffic that was false positives, but you could easily tell that this IP was checking this site on a regular basis. Out of 4GB of compressed bro logs for the day we only had about 200 total lines that matched, so very low noise ratio.
When looking at the full packet capture of the system in question, we were able to tell that the system in question was compromised and downloaded a bot .
cat min ./sh.
This is certainly something we are going to keep looking at for finding more compromised system.
@twsecblog(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The leak over the weekend of advanced hacking tools contains digital signatures that are almost identical to those in software used by the state-sponsored Equation Group, according to a just-published report from security firm Kaspersky Lab.
"While we cannot surmise the attacker's identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group," Kaspersky researchers wrote in a blog post published Tuesday afternoon.
The finding is significant because it lends credibility to claims made by a mysterious group calling itself ShadowBrokers. When members of the previously unknown group claimed in a blog post that they hacked Equation Group and obtained never-before-seen exploits and implants it used, outsiders were understandably skeptical. The publication of state-sponsored hacking tools is an extremely rare if not unprecedented event that is sure to catch the attention of leaders all over the world.
Two former employees of the National Security Agency—including exiled whistleblower Edward Snowden—are speculating that Monday's leak of what are now confirmed to be advanced hacking tools belonging to the US government is connected to the separate high-profile hacks and subsequent leaks of two Democratic groups.
Private security firms brought in to investigate the breach of the Democratic National Committee and a separate hack of the Democratic Congressional Campaign Committee have said that the software left behind implicates hackers tied to the Russian government. US intelligence officials have privately said they, too, have high confidence of Russian government involvement.
In the weeks following the reports, WikiLeaks and an unknown person using the moniker Guccifer 2.0 have published a steady stream of documents. One batch released just ahead of last month's Democratic National Convention contained embarrassing private conversations that led to the resignation of DNC Chair Debra Wasserman Schultz. A more recent installment included a spreadsheet detailing the cell phone numbers, e-mail addresses, and other personal information of every Democratic member of the House of Representatives. The Obama administration has signaled that it may impose new economic sanctions on Russia in response to what critics claim is Russian attempts to disrupt or influence the US presidential election.