We have been reporting on NETCORE router attacks recently. Today we noted that these attacks are now coming from AWS. We believe that publishing the IP addresses for this campaign may have caused the threat actor to move to AWS and away from the compromised systems that we previously saw being used in these attacks.
We have reported frequently on the vulnerable routers and you can view more information on these attacks in a previous blog post. There are similarities between VPNFilter and the NETCORE scripted attacks we are observing. Trend Micro is also reporting and protecting against some of this same activity.
IOCs:
54.238.249.78 - New Offender