DarkMatters Threat Thursday: Activity From Chinese IPs Jumping Between Different IP Address

10/16/2014

Norse DarkWolf Labs noted that the activity from IP address 218.77.79.43 discussed in previous blog postings had ceased, with similar (and, we suspect, related) activity starting on the same day from 218.77.79.58. The new IP appeared in our list of top suspects for malicious activity. Assigned to CHINANET Hunan Province Network in the city of Changsha, China and routed on AS 4134, this IP has been seen targeting the same nine (9) TCP ports with the same patterns discussed in the previous blog postings after 23 September 2014. The IP 218.77.79.58 was active for ten days, after which the suspect activity transferred back to the original IP of 218.77.79.43. The Norse DarkMatters threat intelligence platform recognized the activity changes and the potential threat, updating the risk levels appropriately for the activity and changes.

Based on analysis of our intelligence combined with open source information, DarkWolf Labs considers this IP to be highly suspect and recommends taking mitigation actions against any suspect activity from 218.77.79.43 and 218.77.79.58.

Activity from the 218.77.79.58 IP address started on September 23 and stopped on October 13, with over 192,000 events observed by the Norse DarkMatters threat intelligence platform. As with the activity noted from the original IP address of 218.77.79.43, the source ports for this activity fall in the 32000 to 62000 range, while the destination ports follow a consistent pattern across nine distinct ports (21, 22, 23, 25, 53, 80, 443, 3389, and 8080). Figure one (1) shows the destination port timeline between September 22nd and October 13th, with the activity ending on 218.77.79.43 and restarting on 218.77.79.58.

Figure One (1): Source and Destination Port Timeline, 216.13.78.229 September 2014

With the activity flipping between IP addresses, it was time to dig in and determine what sort of activity is ongoing. Pulling a sampling of PCAPs for the activity, we see that it is a SYN scan: the source IP sends a Transmission Control Protocol (TCP) SYN packet and awaits a response. No further communication other than the next SYN was made. Figure Two (2) comprises three examples of sanitized screenshots from this activity, with the destination ports 80, 443, and 23 depicted in Wireshark.
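The SYN-only pattern described above (bare SYNs from ephemeral source ports 32000 to 62000 against the nine destination ports), turned into detection logic a defender can run over flow logs. This is an added example, not Norse code; the simplified log format and the sample lines are constructed for illustration, and the three-port threshold is an assumed tuning value.

```python
"""Flag SYN-scan sources in flow logs by the pattern the post describes: bare SYNs
from ephemeral ports 32000-62000 against the nine ports 21,22,23,25,53,80,443,3389,8080."""
from collections import defaultdict

SCAN_PORTS = {21, 22, 23, 25, 53, 80, 443, 3389, 8080}
SPORT_RANGE = range(32000, 62001)

# Constructed sample log in a simplified flow format (an assumption, not any
# vendor's real format): timestamp src:sport > dst:dport tcp_flags
SAMPLE_LOG = """\
2014-09-23T04:12:01 218.77.79.58:40211 > 192.0.2.10:80 S
2014-09-23T04:12:01 218.77.79.58:40212 > 192.0.2.10:443 S
2014-09-23T04:12:02 218.77.79.58:51007 > 192.0.2.11:22 S
2014-09-23T04:12:02 218.77.79.58:51008 > 192.0.2.11:3389 S
2014-09-23T04:12:05 198.51.100.7:52000 > 192.0.2.10:80 SA
2014-09-23T04:12:05 198.51.100.7:52001 > 192.0.2.10:443 SA
2014-09-23T04:12:09 203.0.113.9:33333 > 192.0.2.10:22 S
2014-09-23T04:12:09 203.0.113.9:33334 > 192.0.2.10:9999 S
"""

def parse_flow(line):
    """Return (src, sport, dst, dport, flags) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != ">":
        return None
    try:
        src, sport = parts[1].rsplit(":", 1)
        dst, dport = parts[3].rsplit(":", 1)
        return src, int(sport), dst, int(dport), parts[4]
    except ValueError:
        return None

def detect_syn_scanners(log_text, min_ports=3):
    """Map suspect source IPs to the sorted scan ports they probed with bare SYNs.
    Sources touching fewer than min_ports ports are ignored (one failed connect is not a scan)."""
    probed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        src, sport, _dst, dport, flags = rec
        if flags != "S":  # handshake progressed beyond the SYN: ordinary client traffic
            continue
        if dport in SCAN_PORTS and sport in SPORT_RANGE:
            probed[src].add(dport)
    return {src: sorted(ports) for src, ports in probed.items() if len(ports) >= min_ports}

if __name__ == "__main__":
    for src, ports in detect_syn_scanners(SAMPLE_LOG).items():
        print(f"suspect SYN scanner {src}: ports {ports}")
```

The browser-like source completing its handshakes and the single failed SSH connect are both left alone; only the source sweeping several of the nine ports with bare SYNs is reported.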

Figure Two (2): Sanitized Wireshark screen captures of example PCAP, SYN Scan from 218.77.79.58

Mitigations

The evidence points to an entity using a SYN scan tool for ongoing reconnaissance, with the IP address recently changing over a ten (10) day window. The address change could have been due to a DHCP lease release and renewal from an ADSL provider, an intentional change by those behind the activity, or a change of the system being used for the activity. We can assume that the two IP addresses (218.77.79.43 and 218.77.79.58) are being leveraged by the same threat actors/organizations behind this activity. Collaborating with our friends in the region, and correlating with open source information, the QQ account 251831057----19891208yinli was found to be associated with this IP back in early 2008. Our friends also confirmed that 218.77.79.58 is reported as assigned to the Hengyang ADSL, just as reported for 218.77.79.43, which differs from what APNIC reports. In addition, some unusual routing was observed for the IP 218.77.79.58 late this summer.

This is not the first time we have found a system with no public facing resources or protocols scanning/attacking parts of the Internet in a systematic fashion, nor will it be the last. There are few barriers to prevent an individual or organization with an "understanding" hosting provider from setting up a system and using open source tool sets to systematically scan and attack the rest of the Internet. The first stage of the kill chain is reconnaissance. A TCP SYN scan is commonly used because of the information it yields with low overhead, multiple advantages and few drawbacks. Common tools would be Nmap and synscan. Most organizations have built defences to mitigate such activity and minimize operational impact. But there are organizations that are not as prepared and do not have the mitigations or compensating controls in place to quantify this sort of activity targeting them on an ongoing basis. These organizations suffer the consequences: logs filling up, systems hanging, older systems delicate enough to fail under such activity, and even resources and supplies being wasted. With the RST during the handshake causing problems for some network stacks (in particular simple devices like printers), it is common to find a ream of paper in the output tray with ASCII characters seemingly printed at random.

The IPs referenced in this article have a rating of EXTREME in Norse's threat intelligence platform, with an IPQ rating of 89 to 100. Users integrating Norse's dark threat intelligence into their firewall, intrusion detection/prevention systems (IDS/IPS), log management or SIEM can track high risk IPs such as these in order to monitor, block, or quarantine them according to their security policy and acceptable risk.

Norse will continue monitoring this activity to provide analysis and additional information to help our customers recognize and defend against this sort of suspect and/or malicious activity. For real time protection and insight, reach out to the Norse sales staff for further information and assistance via our contact page.

Suspect IP Details:

IP Address: 218.77.79.43 and 218.77.79.58
Hostname: NXDOMAIN
ISP: CHINANET HUNAN PROVINCE NETWORK
Organization: CHINANET-HN Hengyang node network
AS Number: 4134
AS Name: CHINANET-BACKBONE No.31,Jin-rong Street,CN
Country: China
Region: Hunan
City: Changsha
Risk Score: Extreme
