Threat Intel
There’s a lot of data in the world, and we typically never get to see every bit of it, so I thought I would share some different views from different people on this. Great work from Kevin as usual here:
https://doublepulsar.com/an-update-on-fortibleed-whats-happening-with-victim-orgs-c0671a50e7f4
Also a cool blog from CloudSek:
And this one from Zenox:
https://zenox.ai/en/fortibleed-anatomy-of-the-fortibleed-campaign-based-on-the-server-that-the-attackers-themselves-left-exposed/
I’ve been publishing a few blogs as well to try to show some different perspectives. Then we have:
https://socradar.io/blog/fortibleed-fortinet-firewalls-compromised
https://www.hudsonrock.com/fortinet
The Fog of ‘Cyber War’
(OK, it’s a bit cringe to call it cyber war, but it’s early and what the hell…)
So we can see that ultimately there is no single ‘known’ position, and that the views we have change as more information becomes available.
A hybrid war
Now… one thing I will say:
We have views from:
- TA Data/Infrastructure
- Honeypots
- Victim Logs (thanks Kev!)
What I believe is that the TA is using a range of methods:
- Config Dumping from Fortinets (from TA data + Kev’s insights on the logs)
- Brute force (dictionary attacks, to be more exact) (shown in TA data + honeypot logs – thanks Defused)
- Backdooring firewalls with accounts and port forwards (thanks Kev)
- Dumping hashes via PCAP features on the firewalls (based on TA data)
- Attacking AD (Based on TA data)
- Attacking other services (based on the data from Greynoise)
(Also a big shout out to Hunt.io; this has enabled a lot of the insights here from the TA data.)
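Two of the methods in the list above (backdoor admin accounts and port forwards) leave traces in the firewall’s own configuration, so a config export is something you can check offline. The script below is an added example written for this post, not code from the author or from any of the linked research. It parses the FortiOS CLI block syntax (`config` / `edit` / `set` / `next` / `end`) and flags admin accounts that are not on an expected list, admin accounts with no `trusthost` restriction, and `firewall vip` entries with port forwarding enabled. The sample config is constructed for the example and modelled on FortiOS CLI syntax; the account names, addresses and the `expected_admins` allowlist are assumptions, not data from the campaign.

```python
"""Audit a FortiOS CLI config export for backdoor-style persistence:
unexpected admin accounts and port-forwarding VIPs (added example)."""
from collections import defaultdict

# Constructed sample modelled on FortiOS CLI config syntax. Values are
# illustrative and are not taken from any real device or from the post.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
        set password ENC XXXX
    next
    edit "support"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC YYYY
    next
end
config firewall vip
    edit "web-in"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.0.0.20"
    next
    edit "rdp-in"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.0.0.5"
        set extport 3389
        set mappedport 3389
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: value}}}.

    A config block nested inside an entry is recorded under
    "<section>/<entry>/<subsection>" so nothing is silently dropped.
    """
    sections = defaultdict(dict)
    stack = []  # each element: [section_name, current_entry_or_None]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            name = line[len("config "):]
            if stack and stack[-1][1] is not None:
                name = f"{stack[-1][0]}/{stack[-1][1]}/{name}"
            stack.append([name, None])
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip().strip('"')
            stack[-1][1] = entry
            sections[stack[-1][0]].setdefault(entry, {})
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            section, entry = stack[-1]
            sections[section].setdefault(entry, {})[key] = value.strip().strip('"')
        elif line == "next":
            stack[-1][1] = None
        elif line == "end":
            stack.pop()
    return dict(sections)


def audit(config, expected_admins):
    """Return (finding_type, detail) tuples for things worth a second look."""
    findings = []
    for name, attrs in config.get("system admin", {}).items():
        if name not in expected_admins:
            findings.append(("unexpected-admin", name))
        # No trusthostN means the account may log in from any source address.
        if not any(k.startswith("trusthost") for k in attrs):
            findings.append(("admin-no-trusthost", name))
    for name, attrs in config.get("firewall vip", {}).items():
        if attrs.get("portforward") == "enable":
            detail = (f"{name} {attrs.get('extip')}:{attrs.get('extport')} "
                      f"-> {attrs.get('mappedip')}:{attrs.get('mappedport')}")
            findings.append(("port-forward", detail))
    return findings


def audit_text(text, expected_admins=frozenset({"admin"})):
    """Convenience wrapper: parse then audit. The allowlist is an assumption."""
    return audit(parse_fortios(text), expected_admins)


if __name__ == "__main__":
    for kind, detail in audit_text(SAMPLE_CONFIG):
        print(f"{kind:20s} {detail}")
```

Run it against a real `show full-configuration` export and diff the findings against a known-good baseline; a new super_admin account with no trusthost, or a VIP forwarding RDP/SSH inward that nobody owns, is exactly the kind of persistence the victim logs are describing.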
Some IOCs (IPs)

- 193.8.186.7
- 80.75.212.113
- 213.21.239.65
- 208.94.246.58
- 69.195.129.144
- 96.45.42.173
These IPs are reported as config dumping.
Just to note: in the data I have access to, I have no evidence of FortiOS salted-SHA256 or PBKDF2 hash cracking (doesn’t mean they haven’t, just that I don’t have that in the data). Update: the hash cracking config does support this, plus it’s seen by Zenox. I’m trying to work out what the flow is, e.g. from having no device access to being able to download the config files…
The TA we saw brute forcing came from 85.11.187.8.
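To turn the IOC list above and the brute-forcing source into something you can run over firewall logs, here is an added example (mine, not the author’s or any vendor’s code). It parses FortiOS-style `key=value` event-log lines, reports every event whose `srcip` is one of the seven IPs named in this post, and uses a sliding window over failed admin logins to flag brute-force sources. The log lines are constructed for the example and modelled on the FortiOS key=value format; the field names `date`, `time`, `user`, `srcip`, `action` and `status` follow FortiOS conventions, but the `logdesc` text, the timestamps and the non-IOC addresses (198.51.100.9, 10.0.0.5) are assumptions. The threshold of five failures in five minutes is also an assumption to tune for your environment.

```python
"""Triage FortiOS admin-login events for the IOC IPs in the post and for
brute-force patterns (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source IPs taken from the post: the six reported config-dumping IPs and the
# one brute-forcing IP.
IOC_IPS = frozenset({
    "193.8.186.7", "80.75.212.113", "213.21.239.65",
    "208.94.246.58", "69.195.129.144", "96.45.42.173",
    "85.11.187.8",
})

# Constructed sample lines modelled on the FortiOS key=value event-log format.
# Field names follow FortiOS conventions; the lines themselves were written for
# this example, and 198.51.100.9 / 10.0.0.5 are documentation/private ranges.
SAMPLE_LOG = """\
date=2025-01-15 time=09:00:01 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=85.11.187.8 action="login" status="failed" reason="passwd_invalid"
date=2025-01-15 time=09:00:04 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=85.11.187.8 action="login" status="failed" reason="passwd_invalid"
date=2025-01-15 time=09:00:07 type="event" subtype="system" logdesc="Admin login failed" user="fortinet" srcip=85.11.187.8 action="login" status="failed" reason="passwd_invalid"
date=2025-01-15 time=09:00:11 type="event" subtype="system" logdesc="Admin login failed" user="support" srcip=85.11.187.8 action="login" status="failed" reason="passwd_invalid"
date=2025-01-15 time=09:00:15 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=85.11.187.8 action="login" status="failed" reason="passwd_invalid"
date=2025-01-15 time=09:03:40 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.9 action="login" status="failed" reason="passwd_invalid"
date=2025-01-15 time=09:10:22 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=193.8.186.7 action="login" status="success"
date=2025-01-15 time=09:30:05 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.0.0.5 action="login" status="success"
"""

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def event_time(ev):
    return datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")


def ioc_hits(events, iocs=IOC_IPS):
    """Every event from a known-bad source, whatever the outcome. A successful
    login from one of these IPs is an incident, not a ticket."""
    return [(ev["srcip"], ev.get("user"), ev.get("status"))
            for ev in events if ev.get("srcip") in iocs]


def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Map srcip -> largest number of failed logins inside any `window`,
    for sources that reach `threshold`. Sliding window over sorted times."""
    failures = defaultdict(list)
    for ev in events:
        if ev.get("action") == "login" and ev.get("status") == "failed":
            failures[ev["srcip"]].append(event_time(ev))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def triage(text):
    events = parse_log(text)
    return {"ioc_hits": ioc_hits(events),
            "brute_force": brute_force_sources(events)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hit in result["ioc_hits"]:
        print("IOC hit:", hit)
    for ip, n in result["brute_force"].items():
        print(f"brute force: {ip} ({n} failures in window)")
```

The brute-force check is deliberately per-source rather than per-user, because the dictionary attacks cycle through account names; the IOC check is deliberately outcome-agnostic, because a failed login from a config-dumping IP still tells you the device is on the target list.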
The investigation continues! As you can probably see, this is not simple! Must be time for tea!