More Digital Ocean Issues Noted


We have been reporting issues with Digital Ocean use by threat actors over the last several weeks. This past week we noted several remote code execution attacks originating from Digital Ocean and our researchers have also noted that there has been some increases in traffic from Digital Ocean being seen at many of our monitored sites.

Previously we had put out some bulletins on malware being hosted on Digital Ocean but this is the first time we have observed a coordinated attack that originated from this provider that was widespread.

What attacks are occurring?

While researching this issue we noted several types of attacks that are occurring and that the threat actors are trying different things with different targets. Many of the attacks are aimed at infiltrating home routers using known vulnerabilities.

On 1-21-2019 Jigsaw Security began observing multiple remote code execution attempts from the IP address 157.230.148[.]231 in a coordinated manner over several industries. We highly suggest customer check their logs and firewalls to make sure this traffic is being dropped. The exploits were aimed at gaining access to data stores to include databases, distributed data stores, cloud infrastructure and similar systems that would hold sensitive data. Industries Attacked: Government, Industry, Aviation, Retail, Media, Manufacturing, Transportation

This information was observed on a distributed sensor platform and was observed at 480 different network address ranges (meaning there were 480 separate and distinct attacks detected).

The IP address belongs to Digital Ocean which has been increasingly seen allowing this type of activity. In addition, we have made previous request for Digital Ocean to remove offenders but they have failed to stop malicious activity from their address space.

Recent news and articles from security professionals indicates that there are at least 20 separate campaigns that are utilizing Digital Ocean to launch attacks with no response from Digital Ocean. Prior to this uptick in activity today, we had observed this IP attacking on 32 dates from 2015 through today. The activity today indicates that a new action is being carried out by customer assigned this IP address.

Malicious Host (All from the same Class C Network):

157.230.188.240

157.230.188.228

157.230.188.232

Related Information

Netcore/Netis Router Backdoor: This vulnerability allows a remote attacker to gain control of several Netis/Netcore routers and your Internet connection. The attacker can obtain full "read and write" permissions by remotely accessing a backdoor on UDP port 53413 which is permanently open on your router.

Unsecured Big Data MongoDB/Elasticsearch : We have been seeing improperly configured Elasticsearch and MongoDB systems being attacked from this IP space as well.

Additional Information:

https://www.elastic.co/blog/found-elasticsearch-security

https://www.hackread.com/hackers-left-ransom-note-after-wipingout-mongodb-in-13-seconds/

#NetworkAttacks

17 views

Contact: (800)447-2150 Ext. 1        To contact Jigsaw simply send a message in our chat window!

  • Facebook - Black Circle
  • Twitter - Black Circle

© 2017-2018 Jigsaw Security Enterprise Inc.

Jigsaw Security Enterprise Inc is a SDVOSB - Service Connected Disabled Veteran Owned Small Business Jigsaw Security is an operator of WIMAX networks and is operating under license WQVC235 as a common carrier, non-common carrier and private communications operator. Jigsaw Security operates cable and satellite services. Courses may be provided by a third party authorized training partner in some cases. Some training is only available for cleared and US Citizens. Courses approved by the North Carolina Department of Public Safety Private Protective Services Board for licensing and CE credits. JPM program insurance is provided by an authorized Jigsaw Security Insurance Partner and is not underwritten by Jigsaw Security. For insurance information please contact our JPM program manager. Jigsaw Security operates a network through our NCBroadband brand.