During a security assessment, the CloudLock CyberLab unearthed a significant threat that may impact your own organization. Suspicious IP addresses were found attempting to access the cloud platforms for multiple organizations performing login attempts across hundreds of user accounts. These activities are abnormal.
In the past few days 20 highly suspicious IP addresses were found across different geographies (UAE, Saudi Arabia, Bulgaria, Ukraine, etc.), affecting thousands of users. These numbers are growing by the hour.
What is the worry?
- The activity details show that these actors are hitting login challenges – a mechanism used by Google adding a second login step (security question / SMS). This indicates that the attackers have the right password for many of these users, as they are not simply failing to login.
- They are not attempting to pass the second (security question / captcha) level – rather stopping and discontinuing the effort. This is a strong indicator of a mass credentials verification effort. (e.g. to be released/sold)
- When crossing the list of affected users against known databases of breaches (haveibeenpwned.com) the suspicion above was confirmed with 90% match of the IPs.
The Bottom Line
We believe what we are observing is a mass credentials verification.The same attackers may strike anytime or resell the credentials to other cybercrime use.
Below is the list of IP addresses:
|IP Address||ISP Info||Country|
|18.104.22.168||Mobily Corp.||Saudi Arabia|
|22.214.171.124||Hetzner Online GmbH||Germany|
|126.96.36.199||Hetzner Online GmbH||Germany|
|188.8.131.52||Choopa, LLC||Los Angeles, CA|
|184.108.40.206||Totalplay Telecomunicaciones Sa De Cv||Mexico|
|2a01:7e0:0:405:0:0:0:10f3||First Colo GmbH||Germany|
|220.127.116.11||Privax Ltd.||Houston, TX|
|18.104.22.168||Hetzner Online GmbH||Germany|
|22.214.171.124||Maxnet Ltd., Kharkiv||Ukraine|
|126.96.36.199||Emirates Telecommunications Corporation||United Arab Emirates|
|188.8.131.52||Hetzner Online GmbH||Germany|
|184.108.40.206||Hetzner Online GmbH||Germany|
|220.127.116.11||Hetzner Online GmbH||Germany|
- Blacklist these IP addresses, create a policy to track activities from these IPs addresses to tie it back to all the relevant users.
- You can also run ad hoc searchers to see any past violations.
- Recycle passwords for affected users across both cloud and on-premise systems
- Review activity logs for these users across cloud and on-premise sources for possible evidence of breach or foul play.
- As a best practice, consider monitoring databases with breached account informations (such as haveibeenpwned.com) to make sure your users are protected. Hackers are definitely doing this all the time and creating their own library of verified user credentials.