We have been reporting issues with Digital Ocean use by threat actors over the last several weeks. This past week we noted several remote code execution attacks originating from Digital Ocean, and our researchers have also noted an increase in traffic from Digital Ocean at many of our monitored sites.
Previously we had put out bulletins on malware being hosted on Digital Ocean, but this is the first time we have observed a widespread, coordinated attack originating from this provider.
What attacks are occurring?
While researching this issue we noted several types of attacks occurring, with the threat actors trying different techniques against different targets. Many of the attacks are aimed at infiltrating home routers using known vulnerabilities.
On 1-21-2019 Jigsaw Security began observing multiple remote code execution attempts from the IP address 157.230.148[.]231, carried out in a coordinated manner across several industries. We highly suggest customers check their logs and firewalls to make sure this traffic is being dropped. The exploits were aimed at gaining access to data stores, including databases, distributed data stores, cloud infrastructure and similar systems that would hold sensitive data.
Industries Attacked: Government, Industry, Aviation, Retail, Media, Manufacturing, Transportation
This information was observed on a distributed sensor platform, and the activity was seen at 480 different network address ranges (meaning 480 separate and distinct attacks were detected).
The IP address belongs to Digital Ocean, which has been increasingly seen allowing this type of activity. In addition, we have made previous requests for Digital Ocean to remove offenders, but they have failed to stop malicious activity from their address space.
Recent news and articles from security professionals indicate that there are at least 20 separate campaigns utilizing Digital Ocean to launch attacks, with no response from Digital Ocean. Prior to this uptick in activity today, we had observed this IP attacking on 32 dates from 2015 through today. The activity today indicates that a new action is being carried out by the customer assigned this IP address.
Malicious Host (All from the same Class C Network):
Netcore/Netis Router Backdoor: This vulnerability allows a remote attacker to gain control of several Netis/Netcore routers and your Internet connection. The attacker can obtain full "read and write" permissions by remotely accessing a backdoor on UDP port 53413, which is permanently open on affected routers.
Unsecured Big Data MongoDB/Elasticsearch: We have been seeing improperly configured Elasticsearch and MongoDB systems being attacked from this IP space as well.
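The bulletin asks customers to check their logs and firewalls for traffic from the reported address and to confirm it is being dropped. The following Python script, added here as an illustration and not part of the Jigsaw Security bulletin, shows one way to do that triage over exported firewall logs. It flags any event whose source is the reported IP or its surrounding /24 (157.230.148.0/24 is assumed from the bulletin's statement that the hosts share one Class C network), any inbound UDP to port 53413 (the Netis/Netcore backdoor port named above), and any Internet-sourced connection to the default MongoDB and Elasticsearch listener ports (27017 and 9200 are the well-known defaults, not values taken from the bulletin). The key=value log format and the sample lines are constructed for the example.

```python
import ipaddress
from collections import Counter

# Address named in the bulletin and its /24 (assumed from "same Class C network").
REPORTED_IP = ipaddress.ip_address("157.230.148.231")
REPORTED_NET = ipaddress.ip_network("157.230.148.0/24")

# (protocol, destination port) -> finding tag.
# UDP/53413 is the Netis/Netcore backdoor port from the bulletin; 27017 and 9200
# are the default MongoDB / Elasticsearch ports (assumption: well-known defaults,
# not stated in the bulletin).
WATCHED_PORTS = {
    ("udp", 53413): "netis-backdoor",
    ("tcp", 27017): "mongodb",
    ("tcp", 9200): "elasticsearch",
}

# Constructed sample firewall export in a simple key=value format.
SAMPLE_LOG = """\
2019-01-21T04:12:09Z action=accept proto=tcp src=157.230.148.231 sport=51234 dst=10.0.5.20 dport=9200
2019-01-21T04:12:11Z action=drop proto=tcp src=157.230.148.231 sport=51240 dst=10.0.5.21 dport=27017
2019-01-21T04:13:02Z action=accept proto=udp src=157.230.148.77 sport=40000 dst=10.0.5.1 dport=53413
2019-01-21T04:13:30Z action=accept proto=tcp src=203.0.113.9 sport=44444 dst=10.0.5.20 dport=443
2019-01-21T04:14:00Z action=accept proto=tcp src=192.168.1.50 sport=50000 dst=10.0.5.21 dport=27017
""".splitlines()


def parse_line(line):
    """Split one key=value log line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def classify(rec):
    """Return the list of finding tags that apply to one parsed log record."""
    findings = []
    try:
        src = ipaddress.ip_address(rec["src"])
    except (KeyError, ValueError):
        return findings  # unparseable source: nothing to say about it

    # Source-based checks: exact reported IP first, then its /24.
    if src == REPORTED_IP:
        findings.append("reported-ip")
    elif src in REPORTED_NET:
        findings.append("reported-net")

    # Port-based checks, only for sources outside RFC 1918 space.
    key = (rec.get("proto", "").lower(), int(rec.get("dport", 0) or 0))
    if key in WATCHED_PORTS and not src.is_private:
        findings.append(WATCHED_PORTS[key])

    # The bulletin asks that this traffic be dropped; flag anything that was not.
    if findings and rec.get("action", "").lower() != "drop":
        findings.append("not-dropped")
    return findings


def scan(lines):
    """Run classify() over every line; return (src, dport, tags) for each hit."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        tags = classify(rec)
        if tags:
            hits.append((rec.get("src"), rec.get("dport"), tags))
    return hits


def summarize(hits):
    """Count how often each finding tag occurred across all hits."""
    counts = Counter()
    for _, _, tags in hits:
        counts.update(tags)
    return dict(counts)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for src, dport, tags in results:
        print(f"{src} -> dport {dport}: {', '.join(tags)}")
    print("summary:", summarize(results))
```

Any hit tagged `not-dropped` is the actionable case: the reported source reached a listener the firewall should have blocked, so the destination host's own logs (database access logs, router admin logs) are the next place to look.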