Educause Security Discussion mailing list archives
Re: Unknown traffic to known bad actor
From: Alex Keller <axkeller () STANFORD EDU>
Date: Thu, 30 May 2019 18:21:09 +0000
Hi Chris,

It looks like this is a known bad actor IP out of the Virgin Islands (AS 40034 - Confluence Networks Inc) that has been used in dozens of different malware campaigns over the last few years (hence the activity not looking OS specific).

https://ransomwaretracker.abuse.ch/ip/204.11.56.48/
https://twitter.com/search?q=204.11.56.48
https://www.hybrid-analysis.com/sample/76faef3f3b16a6eab03dc6c71cd6bac1ea617d11100ed125d8ea1271f8bb84dd/5b10956f7ca3e161fd29bb28

Anecdotally AS 40034 (https://bgp.he.net/AS40034) looks like a pretty sketchy neighborhood.

Best,
Alex

Alex Keller
Stanford | Engineering Information Technology
axkeller () stanford edu
(650)736-6421

From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Wilson
Sent: Thursday, May 30, 2019 10:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Unknown traffic to known bad actor

I'm reaching out to see if anyone else has seen activity from their network to the following IP address: 204.11.56.48

In all interactions we've seen, the source traffic is not OS specific. We're wondering if it might be a malicious Chrome/Firefox extension? We've quarantined one of our internal workstations and are in the process of running scans on the unit to determine root cause.

ArcSight and Firepower are only seeing SSL (443) traffic. The IP in question has been blocked on our firewalls for some time due to its reputation, therefore no connections have been established. Our issue is that we can't seem to determine the source of the activity on the endpoint, therefore we have no way to remediate.

Has anyone else seen, or experienced anything from this IP: [hxxps]://www.virustotal.com/gui/ip-address/204.11.56.48/relations

Any help would be appreciated.

Thank you in advance,

Chris Wilson
Security Architect
I.T. Services Department
Mount Royal University
4825 Mount Royal Gate SW
Calgary, AB
403-440-8682
clwilson () mtroyal ca
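One way to close the attribution gap Chris describes (connections denied at the perimeter, but no originating process identified on the endpoint), as an added defender-side example that is not part of this thread: join the firewall's deny records to endpoint network-connection events (Sysmon Event ID 3 style fields) on source IP and ephemeral source port, which survive the block even though no session is ever established. The log lines, internal addresses, process paths and PIDs below are constructed samples; only the destination IP comes from the thread.

```python
import re

BAD_IP = "204.11.56.48"  # the IP discussed in the thread

# Constructed firewall log lines (syslog-style); not a real capture.
FIREWALL_LOG = """\
May 30 10:31:02 fw1 DENY TCP 10.20.31.44:51822 -> 204.11.56.48:443
May 30 10:31:07 fw1 ALLOW TCP 10.20.31.44:51823 -> 151.101.1.69:443
May 30 10:32:15 fw1 DENY TCP 10.20.31.91:60012 -> 204.11.56.48:443
May 30 10:33:40 fw1 DENY TCP 10.20.31.200:44000 -> 204.11.56.48:443
"""

# Constructed endpoint records shaped like Sysmon Event ID 3 (network connection)
# fields; hosts, images and PIDs are hypothetical.
ENDPOINT_EVENTS = [
    {"host": "10.20.31.44", "src_port": 51822, "dst_ip": "204.11.56.48",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "pid": 4120},
    {"host": "10.20.31.44", "src_port": 51823, "dst_ip": "151.101.1.69",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "pid": 4120},
    {"host": "10.20.31.91", "src_port": 60012, "dst_ip": "204.11.56.48",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe", "pid": 7732},
]

FW_RE = re.compile(
    r"(?P<action>DENY|ALLOW) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def blocked_attempts(log_text, bad_ip):
    """Return (src_ip, src_port) for every firewall DENY toward bad_ip."""
    hits = []
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m and m["action"] == "DENY" and m["dst"] == bad_ip:
            hits.append((m["src"], int(m["sport"])))
    return hits


def attribute_to_process(attempts, events, bad_ip):
    """Map each denied attempt to (image, pid) from the endpoint event with the
    same host, source port and destination, or None when no endpoint telemetry
    covers that host (the situation described in the thread)."""
    by_key = {(e["host"], e["src_port"], e["dst_ip"]): e for e in events}
    result = {}
    for src, sport in attempts:
        e = by_key.get((src, sport, bad_ip))
        result[(src, sport)] = (e["image"], e["pid"]) if e else None
    return result
```

A `None` entry is the actionable output: that host had a blocked attempt but no connection telemetry, so it needs endpoint logging before the source can be found.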
Current thread:
- Unknown traffic to known bad actor Chris Wilson (May 30)
- Re: Unknown traffic to known bad actor Alex Keller (May 30)