Searching Iranian IP Addresses Released By FBI Alert (AA20-304A)

https://us-cert.cisa.gov/ncas/alerts/aa20-304a

https://www.ic3.gov/Media/News/2020/201030.pdf

Libraries

https://bcable.net/x/Rwhois

library(Rwhois)

Local Sourcing

https://bcable.net/x/Rproj/shared

source("shared/load_recurse.R")
source("shared/load_varlog.R")
source("shared/parse_rawsplit.R")

source("shared/cleanup_logs.R")

Parse Raw Logs

#!/bin/bash

DIR="appel.2020"
# Build one alternation from ips.txt, escaping the dots so "." means a
# literal dot rather than "any character"; -w below keeps 92.223.89.167
# from also matching 192.223.89.167 or 92.223.89.1670
IPS="$(sed -r 's/\./\\./g' ips.txt | paste -sd '|')"

mkdir -p tmplogs
for line in "$DIR"/messages-*; do
    filename="$(basename "$line")"
    grep -E -w "$IPS" "$line" > tmplogs/"$filename"
done

# delete files for log rotations that had no matching lines
find tmplogs -type f -empty -delete

Load Data

# Read every tmplogs/messages-* file, split the raw syslog text into
# fields, then keep only the iptables LOG entries
messages_records <- load_varlog("tmplogs", "messages")
messages_records <- raw_populate(messages_records)
messages_records <- cleanup_syslog(messages_records)
ipt_data <- cleanup_iptables(messages_records)
# the intermediate split column is no longer needed
messages_records$Raw.Split <- NA
ipt_data$Raw.Split <- NA
# one whois answer per row; keep the first "country" key in each answer,
# or NA when the registry returns none, so sapply yields a plain vector
whois_data <- Rwhois::whois_query(ipt_data$IP.Source)
ipt_data$Country.Code <- sapply(whois_data,
    function(x){
        val <- x[x$key == "country", "val"]
        if (length(val) > 0) val[1] else NA
    }
)

Raw IPs/Dates

print_ipt <- ipt_data[,c(
    "Date", "IP.Source", "Protocol",
    "Source.Port", "Destination.Port",
    "Country.Code"
)]

names(print_ipt) <- c("Date", "IP.Source", "Proto", "SPT", "DPT", "Country")
print_ipt
##                   Date       IP.Source Proto   SPT   DPT Country
## 1  2019-11-18 08:47:11 185.191.207.149   TCP 46645  3392      IL
## 2  2019-11-18 08:47:44 185.191.207.149   TCP 46645  3393      IL
## 3  2019-11-18 08:48:26 185.191.207.149   TCP 46645  3396      IL
## 4  2019-11-18 08:48:55 185.191.207.149   TCP 46645  3383      IL
## 5  2019-11-18 08:49:18 185.191.207.149   TCP 46645  3385      IL
## 6  2019-11-18 08:49:19 185.191.207.149   TCP 46645  5000      IL
## 7  2019-11-18 08:49:32 185.191.207.149   TCP 46645  3380      IL
## 8  2019-11-18 08:49:33 185.191.207.149   TCP 46645  4000      IL
## 9  2019-11-18 08:49:41 185.191.207.149   TCP 46645  7770      IL
## 10 2019-11-18 08:50:06 185.191.207.149   TCP 46645  3300      IL
## 11 2019-11-18 08:50:08 185.191.207.149   TCP 46645  9999      IL
## 12 2019-11-18 08:50:10 185.191.207.149   TCP 46645  3386      IL
## 13 2019-11-18 08:50:18 185.191.207.149   TCP 46645  6000      IL
## 14 2019-11-18 08:50:23 185.191.207.149   TCP 46645  3388      IL
## 15 2019-11-18 08:50:43 185.191.207.149   TCP 46645  3395      IL
## 16 2019-11-18 08:50:49 185.191.207.149   TCP 46645 12345      IL
## 17 2019-11-18 08:50:51 185.191.207.149   TCP 46645  3400      IL
## 18 2019-11-18 08:51:07 185.191.207.149   TCP 46645  3391      IL
## 19 2019-11-18 08:51:11 185.191.207.149   TCP 46645  3382      IL
## 20 2019-11-18 08:51:12 185.191.207.149   TCP 46645  3389      IL
## 21 2019-11-18 08:51:19 185.191.207.149   TCP 46645 33908      IL
## 22 2019-11-18 08:51:33 185.191.207.149   TCP 46645 13597      IL
## 23 2019-11-18 08:51:39 185.191.207.149   TCP 46645  3397      IL
## 24 2019-11-18 08:51:45 185.191.207.149   TCP 46645  3398      IL
## 25 2019-11-18 08:52:03 185.191.207.149   TCP 46645  3390      IL
## 26 2019-11-18 08:52:23 185.191.207.149   TCP 46645  3381      IL
## 27 2019-11-18 08:53:37 185.191.207.149   TCP 46645 43389      IL
## 28 2019-11-18 08:54:17 185.191.207.149   TCP 46645  3387      IL
## 29 2019-11-18 08:54:25 185.191.207.149   TCP 46645  3384      IL
## 30 2019-11-18 08:54:43 185.191.207.149   TCP 46645  4001      IL
## 31 2019-11-18 08:54:49 185.191.207.149   TCP 46645  3394      IL
## 32 2019-11-18 08:54:55 185.191.207.149   TCP 46645  3355      IL
## 33 2019-11-18 08:55:07 185.191.207.149   TCP 46645  6666      IL
## 34 2020-04-10 10:10:48  103.205.140.80   TCP 62804  1433      IN
## 35 2020-05-02 07:57:05  103.205.140.70   TCP 64550  1433      IN
## 36 2020-05-09 06:52:42  103.205.140.77   TCP 64433  1433      IN
## 37 2020-05-09 06:52:45  103.205.140.77   TCP 64433  1433      IN
## 38 2020-05-20 18:15:07  103.205.140.70   TCP 55882  1433      IN
## 39 2020-06-15 06:09:19  103.205.140.72   TCP 62890   445      IN
## 40 2020-06-15 06:09:22  103.205.140.72   TCP 62890   445      IN
## 41 2020-08-17 03:25:50 185.191.207.189   UDP  5072  5060      IL
## 42 2020-10-03 16:58:00   92.223.89.167   TCP    80 41375      LU

Notes

The dates in these logs do not all fall within the ranges the alert gives for each address. Those ranges may be exactly when the Iranians controlled the addresses in whatever rented datacenters they were using, or the addresses may be static allocations leased to one organization over a long period. Even so, the ranges given are mostly very short, and may simply reflect when the reporting parties' logs of attacks were collected rather than the known usage from the “other side”.

Quoting the PDF:

Please note many of these IP addresses likely correspond to Virtual Private Network (VPN) services which can be used by individuals all over the world. While this creates the potential for false positives, any activity on the below would likely warrant further investigation.

Which is in line with what I was saying; however, also of note:

This group has been linked to efforts to disseminate a propaganda video concerning voter fraud and hacking of US voter information. The FBI advises this video is almost certainly intended to make US voter information and the voting process appear insecure and susceptible to fraud. The FBI advises that certain demonstrational activity in the video [e.g., a purported Structured Query Language (SQL) injection to obtain US voter information] may have been fabricated by the actors for psychological effect.

The video shows actors using the SQLmap tool. While the video alone does not necessarily validate whether the actors successfully conducted a SQL injection against US election infrastructure and/or obtained voter information, it should be assumed that this group is familiar with traditional TTPs such as SQL injection and other exploitation methods referenced in AA20-296B. While there is reason to doubt the veracity of the activity portrayed in the video, the FBI advises this group is likely capable of exploiting US Web sites with common vulnerabilities.

It's interesting to note that some of this traffic is aimed at the MS SQL port (1433). sqlmap itself drives SQL injection through a web application rather than probing database ports, although it can connect to an exposed SQL Server directly when handed a connection string, so a connection to 1433 reads more like a scan for exposed database services than sqlmap at work. That could still mean an actual attempt, or it could just be them or someone else randomly scanning things. It could also be them scanning anything and everything, triggering an FBI report, and then scaring the crap out of sysadmins through a very advanced propaganda technique.

Regardless, there is no SQL server on that host, so they aren't going to get into anything. I serve almost exclusively static content, and nothing special is on this server that isn't directly delivered to you by browsing these pages. This is by design.

I'm a bit confused by the consistent source port of 46645 from the Israeli IP. It is clearly scanning for RDP vulnerabilities, so I'm not sure what that's about. It screams poorly written custom scanner or something.

Also, I quite like the attempt on port 12345. Classy.
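The bash loop under Parse Raw Logs and the observations above about port 1433 and the fixed source port come down to two operations on iptables LOG lines: matching the SRC field against the alert's list, and summarising what each matched source did. The following Python is an added example, not code from the original post or its R libraries. The log lines are constructed: host name, interface, MAC, destination address, packet IDs and the 192.223.89.167 address are made up, while the other source IPs, ports and timestamps mirror rows in the table above. It also shows why the grep alternation needs escaped dots and field anchoring: matched as a bare regex anywhere in the line, 92.223.89.167 also picks up 192.223.89.167.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample in the shape of iptables LOG lines in /var/log/messages.
# Syslog stamps carry no year; the whole sample is treated as one 2019 file
# purely for the demonstration.
SAMPLE_LOG = """\
Nov 18 08:47:11 web kernel: [100.1] DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=185.191.207.149 DST=10.0.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=1 PROTO=TCP SPT=46645 DPT=3392 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 18 08:47:44 web kernel: [100.2] DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=185.191.207.149 DST=10.0.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=2 PROTO=TCP SPT=46645 DPT=3393 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 18 08:51:12 web kernel: [100.3] DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=185.191.207.149 DST=10.0.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=3 PROTO=TCP SPT=46645 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
May  9 06:52:42 web kernel: [200.1] DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=103.205.140.77 DST=10.0.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=4 PROTO=TCP SPT=64433 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
Oct  3 16:58:00 web kernel: [300.1] DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.223.89.167 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=5 PROTO=TCP SPT=80 DPT=41375 WINDOW=0 RES=0x00 RST URGP=0
Oct  3 17:00:00 web kernel: [300.2] DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=6 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Three addresses from the alert's list that also appear in the table above.
IOCS = ["185.191.207.149", "103.205.140.77", "92.223.89.167"]

# syslog timestamp (space-padded day, no year) then the iptables fields we need;
# SPT/DPT are optional because ICMP entries carry neither.
LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) .*?DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_iptables_line(line: str, year: int) -> Optional[Dict]:
    """Fields of one iptables LOG line, or None for unrelated syslog lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    stamp = " ".join(m["stamp"].split())  # collapse "May  9" to "May 9"
    return {
        "time": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
        "src": m["src"], "dst": m["dst"], "proto": m["proto"],
        "spt": int(m["spt"]) if m["spt"] else None,
        "dpt": int(m["dpt"]) if m["dpt"] else None,
    }


def naive_grep_sources(log: str, iocs: List[str]) -> List[str]:
    """SRC of each line a grep -E "ip1|ip2|..." keeps when the dots are left
    unescaped and the match is not tied to the SRC field (the false-positive case)."""
    pattern = re.compile("|".join(iocs))  # "." still means any character here
    hits = []
    for line in log.splitlines():
        src = re.search(r"SRC=(\S+)", line)
        if pattern.search(line) and src:
            hits.append(src.group(1))
    return hits


def match_iocs(log: str, iocs: List[str], year: int) -> List[Dict]:
    """Exact match on the parsed SRC field, which is what the grep loop intends."""
    wanted = set(iocs)
    out = []
    for line in log.splitlines():
        rec = parse_iptables_line(line, year)
        if rec and rec["src"] in wanted:
            out.append(rec)
    return out


def summarize_sources(records: List[Dict], min_ports: int = 3) -> Dict[str, Dict]:
    """Per source IP: hit count, distinct source and destination ports, time span,
    and a sweep flag when one fixed SPT was used against several DPTs. A fixed
    source port across many destination ports is how stateless scanners such as
    masscan work, so the flag names that pattern rather than judging the tool."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["src"]].append(rec)
    summary = {}
    for src, recs in groups.items():
        spts = {r["spt"] for r in recs if r["spt"] is not None}
        dpts = {r["dpt"] for r in recs if r["dpt"] is not None}
        times = sorted(r["time"] for r in recs)
        summary[src] = {
            "hits": len(recs),
            "spts": sorted(spts),
            "dpts": sorted(dpts),
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
            "fixed_sport_sweep": len(spts) == 1 and len(dpts) >= min_ports,
        }
    return summary


if __name__ == "__main__":
    print("naive grep would keep SRCs:", naive_grep_sources(SAMPLE_LOG, IOCS))
    for src, info in summarize_sources(match_iocs(SAMPLE_LOG, IOCS, 2019)).items():
        print(src, info)
```

Run against real files, the year comes from the rotation being read (load_varlog handles that on the R side), and min_ports is the only tunable: three distinct destination ports from one source port within a few minutes is enough to separate the 46645 sweep from the single-port 1433 hits in the table.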

Teh Edn

I C U BRUV