
Hackers Mission Uncovered

CloudLock CyberLab

Founded by Israeli Elite Cybersecurity Military Intelligence experts, the CloudLock CyberLab is a global team of leading security
experts, analysts, penetration testers, incident responders, forensic investigators and security researchers focused on driving
unique insight into cybersecurity threats related to the cloud.


During a security assessment, the CloudLock CyberLab uncovered a significant threat that may affect your own organization. Suspicious IP addresses were observed attempting to log in to the cloud platforms of multiple organizations, with login attempts spread across hundreds of user accounts. This activity is abnormal.

In the past few days, 20 highly suspicious IP addresses were identified across different geographies (UAE, Saudi Arabia, Bulgaria, Ukraine, etc.), affecting thousands of users. These numbers are growing by the hour.

What is the worry?

  • The activity details show that these actors are hitting login challenges, a Google mechanism that adds a second login step (security question, SMS code) after a correct password has been entered. Reaching the challenge means the attackers hold the correct password for many of these users; they are not simply failing to log in.
  • They do not attempt to pass the second step (security question, captcha); they stop and abandon the attempt there. This is a strong indicator of a mass credential-verification effort (e.g. confirming which entries in a dump are still valid before it is released or sold).
  • Cross-referencing the list of affected users against known breach databases (haveibeenpwned.com) confirmed this suspicion: roughly 90% of the affected accounts appear in previously breached data.

The Bottom Line

We believe what we are observing is a mass credential verification. The same attackers may strike at any time, or resell the verified credentials for other criminal use.

Below is the list of IP addresses:

IP Address                  ISP Info                                Country
82.102.14.143               iomart hosting                          United Kingdom
85.194.80.22                Mobily Corp.                            Saudi Arabia
198.50.214.14               OVH Hosting                             Canada
83.110.8.13                 Emirates Telecommunications             United Arab Emirates
88.99.8.230                 Hetzner Online GmbH                     Germany
110.164.252.2               3BB Broadband                           Thailand
176.9.1.85                  Hetzner Online GmbH                     Germany
35.163.183.11               Amazon                                  United States (Boardman, OR)
45.32.85.74                 Choopa, LLC                             United States (Los Angeles, CA)
148.251.248.104             Hetzner Online GmbH                     Germany
187.188.219.23              Totalplay Telecomunicaciones SA de CV   Mexico
78.128.92.54                Lir.bg EOOD                             Bulgaria
2a01:7e0:0:405:0:0:0:10f3   First Colo GmbH                         Germany
185.25.85.10                Privax Ltd.                             United States (Houston, TX)
178.63.135.171              Hetzner Online GmbH                     Germany
178.165.116.63              Maxnet Ltd., Kharkiv                    Ukraine
2.50.146.49                 Emirates Telecommunications Corporation United Arab Emirates
88.99.109.174               Hetzner Online GmbH                     Germany
88.99.89.66                 Hetzner Online GmbH                     Germany
5.9.34.77                   Hetzner Online GmbH                     Germany

CyberLab Recommendations

  • Block these IP addresses, and create a policy that tracks any activity from them so that each hit can be tied back to the affected users. Note that most of these addresses belong to hosting providers (Hetzner, OVH, Amazon, Choopa) and can be reassigned, so review the block list rather than leaving it in place indefinitely.
  • You can also run ad hoc searches over historical logs for past activity from these addresses.
  • Reset passwords for the affected users across both cloud and on-premises systems.
  • Review the activity logs for these users across cloud and on-premises sources for evidence of compromise or other foul play.
  • As a best practice, monitor databases of breached account information (such as haveibeenpwned.com) to make sure your users are protected. Attackers do this continuously, building their own libraries of verified user credentials.
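The sweep described above (tie hits from the listed addresses back to users, then separate "reached a challenge and stopped" from plain password guessing or a completed login) can be run offline over an exported login audit log. The following is an added example written for this page, not CloudLock tooling. It assumes a simple four-column export, "timestamp user source_ip event_name", using Google Workspace-style login event names (login_challenge, login_failure, login_success); the sample log lines are constructed. One practical detail it handles: the IPv6 entry in the table is printed uncompressed, so a naive string comparison would miss the same address logged in its canonical form.

```python
"""Sweep login audit events against the advisory's IP list and flag the
credential-verification pattern (challenge reached, then abandoned).

Added example, not CloudLock code. The log format is an assumption:
one event per line, "timestamp user source_ip event_name".
"""
import ipaddress
from collections import defaultdict

# IOC addresses from the advisory table; the IPv6 entry is kept in the
# uncompressed form the advisory prints it in.
IOC_IPS = [
    "82.102.14.143", "85.194.80.22", "198.50.214.14", "83.110.8.13",
    "88.99.8.230", "110.164.252.2", "176.9.1.85", "35.163.183.11",
    "45.32.85.74", "148.251.248.104", "187.188.219.23", "78.128.92.54",
    "2a01:7e0:0:405:0:0:0:10f3", "185.25.85.10", "178.63.135.171",
    "178.165.116.63", "2.50.146.49", "88.99.109.174", "88.99.89.66",
    "5.9.34.77",
]


def canonical(ip):
    """Normalise an address so that representation differences (IPv6 zero
    compression, stray whitespace) cannot defeat the match.
    Returns None for anything that is not a valid IP address."""
    try:
        return str(ipaddress.ip_address(ip.strip()))
    except ValueError:
        return None


IOC_SET = {canonical(ip) for ip in IOC_IPS}

# Constructed sample log (not real data). bob's event comes from the IOC
# IPv6 address in compressed form; dave's is ordinary MFA from an unlisted
# address and must not be flagged.
SAMPLE_LOG = """\
2017-07-14T02:11:09Z alice@example.com 88.99.8.230 login_challenge
2017-07-14T02:11:31Z carol@example.com 5.9.34.77 login_failure
2017-07-14T02:11:32Z carol@example.com 5.9.34.77 login_failure
2017-07-14T02:12:40Z bob@example.com 2a01:7e0:0:405::10f3 login_challenge
2017-07-14T02:13:02Z dave@example.com 203.0.113.5 login_challenge
2017-07-14T02:13:20Z dave@example.com 203.0.113.5 login_success
2017-07-14T02:14:05Z erin@example.com 178.63.135.171 login_challenge
2017-07-14T02:14:50Z erin@example.com 178.63.135.171 login_success
"""


def parse_log(text):
    """Parse the assumed four-column format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, ip, name = parts
        events.append({"ts": ts, "user": user, "ip": ip, "event": name})
    return events


def classify(events, ioc_set=IOC_SET):
    """Map each user touched from an IOC address to a verdict.

    compromised       - a login_success came from an IOC address
    password_verified - a login challenge was reached (password was right)
                        but never completed: the pattern in this advisory
    probed            - only failures, i.e. password guessing
    Users with no IOC-sourced events are not returned.
    """
    per_user = defaultdict(set)
    for ev in events:
        if canonical(ev["ip"]) in ioc_set:
            per_user[ev["user"]].add(ev["event"])
    verdicts = {}
    for user, names in per_user.items():
        if "login_success" in names:
            verdicts[user] = "compromised"
        elif "login_challenge" in names:
            verdicts[user] = "password_verified"
        else:
            verdicts[user] = "probed"
    return verdicts


def ioc_ips_seen(events, ioc_set=IOC_SET):
    """Which advisory addresses actually appear in this log, in canonical form."""
    return sorted({canonical(ev["ip"]) for ev in events} & ioc_set)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, verdict in sorted(classify(evs).items()):
        print(f"{user:20} {verdict}")
    print("IOC addresses seen:", ", ".join(ioc_ips_seen(evs)))
```

Users returned as password_verified are the ones whose credentials the attackers have now confirmed and should be reset first; compromised users need a full activity review, and probed users are worth watching but may simply have been in the same dump with a stale password.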
