Educause Security Discussion mailing list archives

Re: Unknown traffic to known bad actor


From: Alex Keller <axkeller () STANFORD EDU>
Date: Thu, 30 May 2019 18:21:09 +0000

Hi Chris,

It looks like this is a known bad actor IP out of the Virgin Islands (AS 40034 - Confluence Networks Inc) that has been 
used in dozens of different malware campaigns over the last few years (hence the activity not looking OS specific).

https://ransomwaretracker.abuse.ch/ip/204.11.56.48/
https://twitter.com/search?q=204.11.56.48
https://www.hybrid-analysis.com/sample/76faef3f3b16a6eab03dc6c71cd6bac1ea617d11100ed125d8ea1271f8bb84dd/5b10956f7ca3e161fd29bb28

Anecdotally AS 40034 (https://bgp.he.net/AS40034) looks like a pretty sketchy neighborhood.

Best,
Alex

Alex Keller
Stanford | Engineering
Information Technology
axkeller () stanford edu
(650)736-6421

From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris 
Wilson
Sent: Thursday, May 30, 2019 10:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Unknown traffic to known bad actor

I'm reaching out to see if anyone else has seen activity from their network to the following IP address: 204.11.56.48

In all interactions we've seen, the source traffic is not OS specific.  We're wondering whether it might be a malicious 
Chrome/Firefox extension.  We've quarantined one of our internal workstations and are in the process of running scans 
on the unit to determine root cause.  ArcSight and Firepower are only seeing SSL (443) traffic.  The IP in question has 
been blocked on our firewalls for some time due to its reputation, therefore no connections have been established.

Our issue is that we can't seem to determine the source of the activity on the endpoint, therefore we have no way to 
remediate.  Has anyone else seen, or experienced anything from this IP: 
[hxxps]://www.virustotal.com/gui/ip-address/204.11.56.48/relations

Any help would be appreciated.
Thank you in advance,


Chris Wilson
Security Architect
I.T. Services Department
Mount Royal University
4825 Mount Royal Gate SW
Calgary, AB
403-440-8682
clwilson () mtroyal ca
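An added example for the situation in this thread (it is not code from either poster): the firewall already tells you which internal host keeps trying to reach 204.11.56.48, and endpoint connection telemetry on that host (here, Sysmon Event ID 3 records with their Image, ProcessId, User and DestinationIp fields) ties the attempts to a process, which is what decides between the browser-extension hypothesis and a separate binary on disk. The syslog-style deny lines, their field layout, and the Sysmon records below are all constructed for the example, not real captures.

```python
"""Two-stage lookup: firewall deny log -> internal source host,
then endpoint connection events on that host -> owning process.

Added example for the list thread above; not code from either poster.
FIREWALL_LOG and SYSMON_EVENTS are constructed sample data, and the
'DENY TCP src=.. dst=..' line layout is an assumption, not Firepower's
actual format.
"""
import re
from collections import Counter

BAD_IP = "204.11.56.48"  # the destination discussed in the thread

# Constructed, syslog-style firewall lines (assumed layout, not real output).
FIREWALL_LOG = """\
May 30 10:01:12 fw1 DENY TCP src=10.20.30.41:52144 dst=204.11.56.48:443
May 30 10:01:13 fw1 DENY TCP src=10.20.30.41:52145 dst=204.11.56.48:443
May 30 10:03:07 fw1 ALLOW TCP src=10.20.30.41:52160 dst=142.250.72.78:443
May 30 10:05:41 fw1 DENY TCP src=10.20.30.77:49811 dst=204.11.56.48:443
May 30 10:07:02 fw1 DENY TCP src=10.20.30.41:52190 dst=204.11.56.48:443
"""

LINE_RE = re.compile(
    r"(?P<action>DENY|ALLOW)\s+(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def internal_sources(log_text, bad_ip=BAD_IP):
    """Count connection attempts per internal source address to bad_ip.

    Returns a Counter keyed by source IP; the most common entry is the
    workstation to pull for endpoint-level investigation.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dst") == bad_ip:
            hits[m.group("src")] += 1
    return hits


# Constructed Sysmon Event ID 3 (network connection) records from the
# suspect host, reduced to the fields that matter for attribution.
SYSMON_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ProcessId": 4120, "User": "MRU\\jdoe",
     "DestinationIp": "142.250.72.78", "DestinationPort": 443},
    {"Image": r"C:\Users\jdoe\AppData\Roaming\updater\svc.exe",
     "ProcessId": 7732, "User": "MRU\\jdoe",
     "DestinationIp": "204.11.56.48", "DestinationPort": 443},
    {"Image": r"C:\Users\jdoe\AppData\Roaming\updater\svc.exe",
     "ProcessId": 7732, "User": "MRU\\jdoe",
     "DestinationIp": "204.11.56.48", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ProcessId": 1208, "User": "NT AUTHORITY\\SYSTEM",
     "DestinationIp": "20.190.159.2", "DestinationPort": 443},
]


def processes_contacting(events, bad_ip=BAD_IP):
    """Group connection attempts to bad_ip by (Image, ProcessId, User)."""
    by_proc = Counter()
    for ev in events:
        if ev["DestinationIp"] == bad_ip:
            by_proc[(ev["Image"], ev["ProcessId"], ev["User"])] += 1
    return by_proc


def is_browser(image):
    """Rough split on the executable name: a browser process points toward
    the extension hypothesis, anything else toward a separate binary."""
    name = image.lower().rsplit("\\", 1)[-1]
    return name in {"chrome.exe", "firefox.exe", "msedge.exe"}


if __name__ == "__main__":
    srcs = internal_sources(FIREWALL_LOG)
    print("internal sources attempting", BAD_IP, ":", dict(srcs))
    for (image, pid, user), n in processes_contacting(SYSMON_EVENTS).items():
        kind = "browser" if is_browser(image) else "non-browser"
        print(f"{n}x {image} (pid {pid}, {user}) [{kind}]")
```

With the constructed data the first stage singles out 10.20.30.41 (three blocked attempts), and the second stage attributes the attempts on that host to a non-browser binary under the user's AppData, which would argue against the extension theory and give the scan a concrete file to look at.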
