Today's News
NETCORE and Remote Script Execution: We are seeing lots of NETCORE router scanning as well as remote command execution attempts. See the list of sources below.
Sources:
206.189.1[.]234
209.97.158[.]125
159.65.81[.]70
209.97.135[.]30
206.189.226[.]218
178.128.152[.]12
178.128.152[.]50
We have previously reported on this type of activity in other daily reports. We continue to see these attacks and understand that it is part of a larger campaign. In addition we are seeing RIG EK dropping miners and other cryptocurrency activity. As previously report, this campaign has moved from Ransomware to bitcoin and other mining activity.
Docusign Phishing Campaigns Continue: We have been getting reports of Office 365 and Docusign Phishing activity. These campaigns are very convincing and are ongoing. We have observed over 64000 individual attempts to phish users on our networks.
Other Activity: The campaigns we are seeing active at this time include BankBot, Hide N Seek, various cryptocurrency mining malware attacks, RIG EK, APT28 and daily scanning activity from various location to include Russia and Chinese host.
Today's Events
Router Exploit Activity Report: As reported above, see event 28891.
DBGer's Ransomware: See event 28892 for details on this activity.
ROKRAT Activity: We have updated event 28884 which is related to Lazarus Group.
Operation Red Gambler (Not Active): This activity was observed but none of the domains associated and known to Jigsaw Security are active at this time.
Android Malware Targeting Israeli Soldiers: A historical look and new indicators have been added to event 28886. None of the new indicators are known to our competitors and are being presented at TLP:RED levels to protect our sources.