IOC for "Strudel" IoT "SSH TCP Forward" attacks | https://unixfreaxjp.github.io/Strudels_Attack/
Repository data for MMD-0062-2017 - Credential harvesting by SSH Direct TCP Forward hacking attack (aka Strudels Attack)
For the recent ACTIVE (on-going) attacker network, please visit this GitHub repo's data. The explanation is in the Threat report, or read the Q & A in Infosec Institute about the Strudels attack.
UPDATE:
Last update: Wed Mar 22 08:43:34 JST 2017
We now maintain only the "Red, Hot & Chili Network" list due to lack of resources.
Newer attacker network in AS49453 | 91.195.103.0/24 | GLOBALLAYER | NL
Older attacker network is AS49981 | 194.88.104.0/22 | WORLDSTREAM | NL
We have received contacts from NCSC-NL (CERT NL) via CERT-BUND (CERT DE) confirming that
the hoster entity 3NT.COM's Abuse Team has terminated the related customer account(s) of
the Strudels attacker actor. We herewith report that 3NT.COM has been cleaned up, so
you can remove the block for the 3NT.COM addresses.
The list stays as it is for RECORD purposes, as evidence of cyber
crime for the law enforcement that is now investigating the case.
Law enforcement can contact the related CERT or hosters directly for the
identification details used by the bad actors.
- Thank you -
You can search for the IP addresses you want to check in this repository, to see in which category they are classified in MMD-0062-2017 (attackers or victims).
Cyber crime diagram to explain the mass credential stealing scheme: