Repository for MMD-0062-2017 - Credential harvesting by "SSH TCP Forward" attack via IoT
Abuse_SSH_login.md
Attacker_GeoIP_Checker.txt
Attacker_IP_List.md
Attacker_Red_Network.md
README.md
Red_Hot_Chili_Network.md
SSH_Forward_Attack_SMTP.lua
TargetedIP-Overall.lua
TargetedIP-has-HackingVerdict.lua
Wordpress-access.lua
strudels-recent-pattern.md

README.md

MMD-0062-2017

Repository data for MMD-0062-2017 - Credential harvesting by SSH Direct TCP Forward hacking attack (aka Strudels Attack)

For the currently ACTIVE (on-going) attacker network, see the "Red, Hot & Chili Network" list (Red_Hot_Chili_Network.md in this repository). The explanation is in the threat report, or read the Q & A with Infosec Institute about the Strudels attack.

UPDATE:

Last update: Wed Mar 22 08:43:34 JST 2017

We now maintain only the "Red, Hot & Chili Network" list, due to lack of resources.

Newer attacker network in AS49453 | 91.195.103.0/24 | GLOBALLAYER | NL
Older attacker network is AS49981 | 194.88.104.0/22 | WORLDSTREAM | NL 

We have received contacts from NCSC-NL (CERT NL) via CERT-BUND (CERT DE) confirming that 
the hoster 3NT.COM's Abuse Team has terminated the customer account(s) related to the 
Strudels attacker actor. We herewith report that 3NT.COM has been cleaned up, so 
you can remove the block for the 3NT.COM addresses. 

The list stays as it is for RECORD purposes, as evidence of cyber 
crime for the law enforcement agencies now investigating the case.

Law enforcement can contact the related CERT or hosters directly for the 
identification details used by the bad actors.

- Thank you - 

You can search this repository for the IP addresses you want to check, to find out in which category each is classified in MMD-0062-2017 (attacker or victim).
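A practitioner checking their own SSH logs against the attacker networks listed in the UPDATE above will usually script the lookup rather than search by hand. The following is an added example, not code from this repository or from MalwareMustDie: it matches addresses against the two attacker networks given above (AS49453 91.195.103.0/24 and AS49981 194.88.104.0/22) and flags sshd "Accepted ... from <ip>" login lines that come from them. The log lines are constructed for the example; the network list is copied from this README as of its 22 Mar 2017 update and must be kept in sync with the Red, Hot & Chili Network list before it is used for blocking.

```python
import ipaddress
import re

# Attacker networks exactly as listed in this README (22 Mar 2017 update).
# Label -> network. Update this table from the Red_Hot_Chili_Network list before use.
ATTACKER_NETWORKS = {
    "AS49453 GLOBALLAYER (newer)": ipaddress.ip_network("91.195.103.0/24"),
    "AS49981 WORLDSTREAM (older)": ipaddress.ip_network("194.88.104.0/22"),
}

# OpenSSH auth log format for successful logins:
#   "Accepted <method> for <user> from <ip> port <port> ssh2"
_SSHD_ACCEPTED = re.compile(
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)


def classify_ip(ip):
    """Return the label of the listed attacker network containing `ip`,
    or None if the address is not in any listed network (or not an IP)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for label, net in ATTACKER_NETWORKS.items():
        # Version mismatch (v4 address vs v6 network) is simply "not contained".
        if addr.version == net.version and addr in net:
            return label
    return None


def flag_logins(lines):
    """Scan sshd log lines and return (user, ip, network_label) for every
    accepted login that originates from a listed attacker network."""
    hits = []
    for line in lines:
        m = _SSHD_ACCEPTED.search(line)
        if not m:
            continue  # failed attempts and unrelated lines are skipped here
        label = classify_ip(m.group("ip"))
        if label is not None:
            hits.append((m.group("user"), m.group("ip"), label))
    return hits


# Constructed sample log lines (hypothetical host "iot-cam"), not real data.
SAMPLE_LOG = [
    "Mar 22 08:43:34 iot-cam sshd[1234]: Accepted password for root from 91.195.103.17 port 40122 ssh2",
    "Mar 22 08:44:01 iot-cam sshd[1240]: Accepted password for admin from 10.0.0.5 port 50111 ssh2",
    "Mar 22 08:45:12 iot-cam sshd[1251]: Failed password for root from 194.88.105.9 port 39000 ssh2",
    "Mar 22 08:46:03 iot-cam sshd[1260]: Accepted publickey for ops from 194.88.106.200 port 41000 ssh2",
]

if __name__ == "__main__":
    for user, ip, label in flag_logins(SAMPLE_LOG):
        print(f"{ip:>16}  user={user:<6}  {label}")
```

The check is a CIDR membership test, so 194.88.104.0/22 matches every address from 194.88.104.0 through 194.88.107.255, not just the first /24. Failed-password lines are deliberately ignored by the regex: on an IoT device with a weak root password the interesting event is the accepted login that precedes the direct-tcpip forward requests, and failed attempts from these ranges are better handled by a separate brute-force counter.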

Cyber crime diagram explaining the mass credential-stealing scheme:

MalwareMustDie!